Admin Rights - Your Achilles Heel

Wednesday, October 31, 2012

Paul Kenyon


Every organization experiences user frustrations and complications that result in support calls to the help desk. While each call may seem to suggest a unique problem, there could be a common root cause amongst them. Help desk calls often seem to be black and white – the machine worked and now it doesn’t – but I’d argue that the majority of scenarios can actually be pinpointed to the same problem, just in different “gray” guises. This, I believe, is the Achilles heel for many organizations, especially small businesses. Let’s look at the evidence.

Every day the IT help desk receives hundreds of calls from its user base. While many will be straightforward, with an obvious underlying cause (such as a forgotten password), there will be some calls that leave the IT team scratching their heads, sometimes for months. How many of the following sound familiar?

- It worked yesterday but today it doesn’t!
- It’s gradually been getting worse but now it seems to have stopped!
- I don’t know what I did but now nothing is happening!
- My machine won’t turn on!
- It says it’s a compatibility issue!

And what seems to be the common thread amongst all of these complaints? Each person needs his or her problem fixed now! But the commonalities most likely go even deeper.

The Calls Keep on Coming

With little else to go on, it can be difficult for the help desk to pinpoint what exactly has happened. What is evident is that a device isn’t functioning the way it should, but how it got to this state – well, that could quite literally be one of a million reasons. Using hypothetical situations to illustrate the point, here are some common scenarios:

Ron in accounts is having trouble with his printer. Yesterday, his laptop easily connected to the Canon Deskjet in his office, but today it won’t. After unsuccessfully trying to fix the problem himself, Ron calls the support desk for help. What he fails to mention (because he doesn’t actually see the connection), is last night he installed a driver so he could connect to his home printer. Eventually, he pieces together the connection between last night’s antics and this morning’s problem, allowing him to rectify the issue, print, and get on with his day -- until he prints at home again.

Frank in dispatch has a computer that has been giving him trouble for months, but he just can’t seem to sort the problem. It all started when he was prevented from opening an attachment. He thought he resolved the issue himself, without troubling the help desk, by downloading some software from the Internet. As IT investigates further, it’s revealed that Frank has been making similar little tweaks to the system for months. Each new modification has inadvertently clashed with other elements, eventually causing the system to crash. The extreme solution he’s left with is to rebuild the device completely.

Susan in HR is distraught – she doesn’t know what’s happened with her computer. The last thing she did was open an attachment from a friend and suddenly, everything on her screen disappeared. After a lengthy investigation, a virus is blamed, but it’s a mystery how it slipped through the anti-virus security net that was recently patched. What wasn’t immediately evident, but later became clear, is that Susan had switched off her automatic anti-virus upgrades because they took too long.

The Common Factor

I would argue that many of these problems have one common factor: these users have admin rights, or at least some of them do. Take the problem with Ron - what had the issue been chalked up to? Was it a printer driver issue, or the fact that Ron had admin rights? Or, consider Frank’s scenario – there were so many conflicts he experienced, making it difficult to pinpoint exactly which caused the final meltdown, but ultimately, it was his admin rights that allowed him to tinker with the build in the first place.

Ask yourself the same question for each of the other technical scenarios you face on a daily basis – malware, spyware, ActiveX, compatibility conflicts, etc. – and see if you can make a connection. How many will have admin rights as the underlying cause? How many open tickets in the system right now would have happened if your user base did not have admin rights?

Giving users control of their desktops in a corporate environment is bad news. They’ll introduce or change things that can, at best, cause compatibility issues resulting in problematic devices. At worst, they’ll cause serious security breaches, costing both money and time.

Solving One Problem but Creating a Nightmare

Of course, removing admin rights is a problem in itself. If rights are too restrictive, users are left struggling to perform everyday tasks. If you go too lenient, the consequences could bring the organization to its knees. But, admin rights do not have to exist at either extreme. Here are three steps to help you strike a better balance:

Group Policy

Group Policy is a Microsoft feature that you can use to control what users can and cannot do on the system. By restricting certain actions, such as blocking access to the task manager or disabling the downloading of executable files, many of the help desk’s incoming “problems” can be prevented.

Don’t Give Users Admin Rights

If you’ve made the decision to remove admin rights, don’t let them seep out. Often considered a quick fix, IT will bestow admin rights on users to try and resolve a problem. While it might work in the short term, you’re just creating another, perhaps larger, headache in the long term. Instead, a least privilege approach will remove the risk of installing malicious software – intentionally or accidentally – as well as restricting users’ inept behaviour. This means controlling, either manually or with software, which applications and devices can run in your environment.
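
One way to check that admin rights have not seeped back onto a workstation, as an added example that is not part of the original article: compare the members of the local Administrators group against an approved baseline and report the rest. The function name `Find-UnapprovedAdmin`, the baseline patterns and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: flag local Administrators members that are not on an approved baseline.
function Find-UnapprovedAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,         # objects with Name, SID, ObjectClass
        [Parameter(Mandatory)] [string[]] $ApprovedPattern  # regexes matched against the SID string
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID          # works for SecurityIdentifier objects and plain strings
        $approved = $false
        foreach ($p in $ApprovedPattern) {
            if ($sid -match $p) { $approved = $true; break }
        }
        if (-not $approved) {
            # Emit one finding per account that holds admin rights without approval.
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $m.Name
                SID         = $sid
                ObjectClass = $m.ObjectClass
            }
        }
    }
}

# Baseline (assumption): only the built-in Administrator account (RID 500)
# and the Domain Admins group (RID 512) may hold local admin rights.
$approved = @(
    '^S-1-5-21-\d+-\d+-\d+-500$',
    '^S-1-5-21-\d+-\d+-\d+-512$'
)

# Constructed sample membership, shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = 'PC042\Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500';  ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'CORP\Domain Admins';  SID = 'S-1-5-21-4444444444-5555555555-6666666666-512';  ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'CORP\ron';            SID = 'S-1-5-21-4444444444-5555555555-6666666666-1604'; ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'CORP\frank';          SID = 'S-1-5-21-4444444444-5555555555-6666666666-1718'; ObjectClass = 'User'  }
)

# Reports CORP\ron and CORP\frank: admin rights granted outside the baseline.
Find-UnapprovedAdmin -Members $sample -ApprovedPattern $approved | Format-Table -AutoSize

# On a live Windows host, audit the real group via its well-known SID:
# Find-UnapprovedAdmin -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') -ApprovedPattern $approved
```

Run on a schedule, the findings show which "quick fix" grants were never revoked.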

Talk to Users

Introduce customized messaging that allows IT to communicate an appropriate message to users, based on their activity. This way, users will know and understand exactly what they are being stopped from doing – and why. It could include, if appropriate, an alternative course of action. This can reduce costly support and improve overall user experience.

When a few employees tie themselves up in knots, organizations may feel a knee-jerk reaction to remove privileges for all users. But, the reality is, it’s impossible to support a completely non-standard user base. So, if you want to protect your Achilles heel, then your security mantra needs to focus on effective management, rather than restriction, of user rights.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.