A selfish Windows administrator is a good Windows administrator

Windows administrators take charge!
Photo by Jeff Tidwell

A March 2010 article by Arstechnica elaborated on a beyondtrust report (.pdf) which underscored the wisdom (or necessity) of assigning users non-administrative rights. From the article:

After tabulating all the vulnerabilities published in Microsoft’s 2009 Security Bulletins, it turns out 90 percent of the vulnerabilities can be mitigated by configuring users to operate without administrator rights…

For example, most organizations don’t want their users installing software or making configuration changes. Simply wanting this prohibition isn’t quite enough, though.

To ensure that the correct versions of software are installed (and nothing else) organizations have gone to great lengths to provide a remote software deployment strategy (our product) which ensures that the right software is installed by administrators.

When it comes to granting standard vs. admin rights, it’s a two-way street – where IT administrators must weigh the balance of usability and effectivness. It’s not as easy as it sounds, but it’s getting easier. For this we can thank… Vista?

OK, that’s a bold statement (and is just begging to be flamed), so please allow me to modify that statement slightly. It’s not so much Vista as it is UAC.

As discussed on this blog in 2009, UAC was designed not so much for users as it was for developers (see more on UAC from Mark Russinovich). To recap, UAC was an effort to get developers to write their applications to run without administrative rights.

The unfortunate outcome of UAC was that screams of outrage which should have been directed to software vendors were instead misdirected to Microsoft.

All is not bleak, however. By the time Windows 7 appeared there were many developers who were churning out products that didn’t require elevated rights.

The report from beyondtrust and the subsequent write-up from Arstechnica will hopefully keep the industry focused on security. When an application unnecessarily requires admin rights, the IT department should communicate this to the vendor and let them know that corporate security policy will not allow their application to be used unless the necessary changes are made.

Unfortunately sometimes it’s easier to move to another location rather than start a needed revolution where you stand. Hopefully software vendors will continue to develop using best practices, and here’s hoping that IT departments worldwide hold their feet to the fire.

Follow @admarsenal on Twitter