Commentary - For enterprise Windows users, having administrative rights gives them complete and total control over the security of their desktops - a scenario that is far from ideal and far too common in most corporate environments. Removing administrative rights helps organizations to eliminate the accidental or deliberate misuse of these privileges, decreases the risks posed by malware and reduces the cost of supporting the corporate desktop.
Despite these benefits, removing administrative rights brings its own set of operational challenges, which is why many organizations have struggled to embrace it. The goal for these organizations is to achieve least privilege security to enable users to install and run only those applications that they need to perform their job role. However, because there is no mechanism in Windows to assign privileges directly to applications, most organizations face the decision of either running users insecurely with full administrative privileges, or removing administrative rights entirely and facing a new set of operational challenges.
Here are five common challenges that lead to organizations to grant users administrative privileges on Windows desktops.
1. Legacy Applications: Since most organizations have hundreds or thousands of applications, it is common for them to have several applications that won't run correctly under a standard user account. Many of these applications may have been internally developed and are no longer maintained, with redevelopment of the application being too costly. A similar problem may exist for off-the-shelf applications, if an organization is continuing to use a product that is no longer supported and an upgrade is not a viable option. If it is not possible to redevelop or upgrade legacy applications, then the only alternative is to either weaken security permissions on files and registry keys to allow the application to function under a standard user account, or to virtualize the application with a suitable application virtualization solution. The latter is a more secure solution, as weakening system security can leave the computer more open to attack.
2. Basic Administration Tasks: Many users perform basic system administration tasks for themselves, such as connecting printers, adding plug-and-play hardware and defragmenting disks. Although this is particularly common for laptop users, it can affect desktop users too, especially those in a more technical role. If a user is not granted administrative privileges over their computer, then the only option is over-the-shoulder administration. This means that the user must log a help desk call to perform even the most mundane administration tasks. This can be extremely frustrating for users, and the loss of productivity is costly to the organization, especially for remote laptop users.
3. Software Installation and Upgrade: In cases where some or all software packages are not centrally deployed and updated, least privilege becomes problematic, as most software requires administrative rights to install. If a user needs to install software as part of their job role, then it is extremely difficult to remove administrative rights from them, as the only other option becomes over-the-shoulder administration, leading to loss of productivity and increased support costs.
4. ActiveX Installation and Upgrade: Most ActiveX controls will require administrative privileges to be installed or upgraded. The inability of a user to install or upgrade authorized ActiveX controls for themselves is a major headache, as alternative deployment strategies are costly and time consuming. In addition, some ActiveX controls have licensing restrictions, which prohibit repacking of the control, in order to deploy it via a software deployment solution.
5. Advanced Tools: The more technical users in an organization will often run privileged applications as part of their role. These are applications that don't fall under the legacy applications category, as they are applications that genuinely require administrative rights to function correctly. Unlike legacy applications, virtualizing these applications is not a solution, as this will either cause the application to break due to the virtualization of its operations, or the virtualized application will still require administrative privileges. Users who run advanced tools are the most difficult users to move to a standard user account without severely limiting their ability to perform their job function.
The security and operational benefits of moving to least privilege are well documented, but most organizations find themselves in the position where it would be a difficult and costly undertaking, or it would lead to severe productivity issues for some or all of their users. The key is to understand what least privilege really means, as it is not about locking down the desktop completely. It is about running applications with the minimal privileges they require to function correctly. Unfortunately, privileges are assigned to users and not applications on Windows desktops, which is the root cause of the problem.
There are a number of third-party solutions available that resolve this limitation in Windows by allowing privileges to be assigned directly to the individual applications that require them. These solutions take much of the pain out of implementing a least privilege environment, as it is possible to remove administrative rights from users and still allow users to run legacy applications, perform basic administration tasks, install authorized software, install ActiveX controls, and perform any other privileged activity. Least privilege is about flexible desktop lockdown, where applications receive the privileges they require, with the user running under a standard user account. This provides a balance between security and operational costs, while maximizing user productivity.
Mark Austin is co-founder and chief technology officer of Avecto (www.avecto.com), a leading provider of least privilege management solutions for Microsoft Windows systems.