Improving security by removing admin rights not practical

Disallowing admin rights on employees' endpoint devices is not a realistic solution to preventing malware threats in today's self-service IT business climate, observers say.
Written by Ellyne Phneah, Contributor

The removal of administrative rights to employees' endpoint devices such as desktops and laptops is not a foolproof security solution and is unrealistic in today's era of IT consumerization. Rather, training and a risk assessment of each employee's job scope to determine the level of admin rights granted are more feasible options, industry insiders argued.

Tatsuya Yoshizawa, product marketing manager of Blue Coat Systems, said removing workers' administrative rights to their devices may seem counter-intuitive but it is one of the more "reasonable" solutions to protect the company's data from external threats. Such a move will strengthen endpoint security and eliminate the risk of users unknowingly downloading and installing malware, he added.

That said, the Japan-based executive noted that the removal of such rights does not mean that IT administrators can stop users from accessing malicious or inappropriate Web sites or control specific operations within an application. Such actions include uploading sensitive documents to a public forum or sending a customer list via their private Web e-mail clients, he explained.

Besides, for large enterprises, revoking admin rights for all employees in order to boost security could turn into a time- and labor-intensive initiative, Yoshizawa noted.

Joseph Steinberg, CEO of New Jersey-based Green Armor Solutions, chimed in during a phone interview, saying that even when users' admin rights are taken away, plenty of problems--including malware--can still arise.

Both of them were responding to a blog post written last month by Neil MacDonald, vice president and distinguished analyst at Gartner, in which he argued that enterprises thinking of switching security vendors because of "malware infestations" should first look at the option of removing administrator rights for users' endpoint devices.

MacDonald also mentioned in a blog post this May that removing administrative rights for Windows users is not a "lockdown", as users can still install and execute well-written software, printer drivers and ActiveX controls, and perform standard day-to-day Windows functions such as changing time zones or monitor resolution.

Consider business environments, security policies
While Windows-based systems may be more easily controlled through such domain policies, Ang Chye Hin, regional director of SonicWALL Southeast Asia, pointed out that other platforms will require another set of controls that may be an "unnecessary burden" for organizations with fewer available resources.

It will also be challenging if the organization does not have an established security management framework that covers the objectives of the organization's security strategy, rules and policies, he added. This framework would look into what rights should be removed or granted, exceptions to the rule and developing user awareness programs, he explained.

"Any step taken toward better security is a positive initiative but if the attack never reaches the user, it will be the best protection," Ang said. "Removing administrative rights may be one of the methods to improve security but it may not achieve the desired objectives."

Steinberg went on to point out that as enterprises move toward self-provisioning IT services, taking away administrative rights is "inappropriate", and requiring users to call on IT staff for permission to install software is "frustrating, inefficient and a waste of time".

Companies would be better off assessing the amount of user rights given depending on the job scope and work environment they are in, he suggested. For instance, in a highly sensitive workplace, administrative rights might be stripped as security is paramount and users should not be able to install any software, regardless of how frustrated they become, the CEO stated.

Ang agreed, adding that security policies have always been based on the concept of granting the minimal privileges needed to complete one's role in the organization, and this will determine the level of administrator privileges an employee is entitled to.

For companies in the midst of migrating to Windows 7, Yoshizawa reckoned that this is a good time to remove users' admin rights and, at the same time, train them on security aspects, including access control and tips to avoid malware. This would minimize user complaints and increase their awareness of compliance issues, he added.
