Long before the days where Windows NT was merged with the consumer version of Windows, users became accustomed to working with full system access. Before Windows XP was released, the absence of the NTFS filesystem in Windows ME and earlier OSes, meant that access control lists couldn’t be used to secure system resources, so users always had unfettered access to the system.
Even in the corporate world, Windows NT Workstation often required users be given power user or administrator access to run software, as developers rarely adhered to best practices in terms of creating applications that would run under a standard user account. And so the scene was set, that Windows users are always ‘administrators’.
But times have changed, and the Internet has brought with it a different threat landscape that changes almost daily. Not only do security experts now recommend the removal of administrative rights, even from IT staff, but regulatory compliance demands and other security programs, such as the UK government’s Cyber Essentials Scheme, require that administrative privileges be removed from users.
Political and technical challenges of removing administrative privileges
IT has always been reluctant to remove administrative privileges from end users for several reasons. The first that comes to mind, and shouldn’t be overlooked, is the political challenges of such a move. Taking away a perceived privilege can be difficult, much like denying a person their freedom, so a change in IT policy has to be managed carefully to ensure users and management are onboard.
There are still legacy applications that require administrative privileges, and while User Account Control (UAC) in Windows Vista and later OSes increases the number of legacy applications that can run with a standard user account, there are still times where a program may require administrative rights. Additionally, there may be occasions where users legitimately need to carry out system tasks that require administrative privileges, especially on portable devices that have limited connectivity to the Internet or company intranet.
But the risks of administrative privileges in today’s threat landscape greatly outweigh the benefits, and removing administrative privileges from end users and IT staff is critical for ensuring that systems remain secure, and should be part of a defense-in-depth security strategy that includes deploying antimalware detection, endpoint firewalls, and ensuring that operating system and updates for third-party software are installed in a timely manner.
Overcoming the challenges
In this Webcasts |
-
Resources
Buyer’s Guide for Complete Privileged Access Management (PAM)
The Buyer's Guide for Complete Privileged Access Management (PAM) is the most thorough tool for holistically assessing your privileged access security needs and mapping them to modern privilege management solutions.
Download the Buyer's GuideOn the Blog
- How Switching to BeyondTrust Remote Support Primed Chili Security for Impressive Growth
- Is Your IT Security Built to Withstand 5G?
- BeyondTrust Named 'Top Innovative Vendor in Secure Identity Solutions’, Recognized for Outstanding Contributions Addressing IT Security in MEA Region
- BeyondTrust Privileged Identity Delivers New Functionality & Enhanced User Experience in Latest Release
- October 2019 Patch Tuesday
News
- Top CISOs of the Industry Engage at GCF Organized BeyondTrust Breakfast Briefing
- Cloud Security essentials - session monitoring
- Chatbot and conversation marketing security pitfalls and best practices
- BeyondTrust announces enhancements to PAM SaaS solutions
- Suspected Iranian cybercriminals target universities for intellectual property