Recent blog posts

Remove PC User Rights, Reduce Windows Bugs

By James Gaskin  7 comments

February 05, 2009, 12:13 PM ComputerWorld highlights a security fix that most tech people know about, but few have the courage to actually implement. Quoting a security firm hyping their own product, ComputerWorld's story says Removing Admin Rights Stymies 92% of Microsoft's Bugs. We know that, yet we keep giving Windows users full administrative privileges.

The trick for company management is to accept that they, not users, own the computers. You have a perfect right to configure the PCs the way you want to maximize work and minimize security problems and wasted time. I remember being paid to delete Solitaire from Windows 3.1 systems back in the day, just to eliminate the distraction.

Your users will complain. Here's what you tell them: “It's not your *&#%*&$ computer!” Let me repeat that a bit more politely. The computer belongs to the company, not the user, and you and only you decide what software goes on the computer and when to install it.

Eliminating virus-filled screensavers from KittensGalore or some other site improves security. Eliminating the ability for users to run programs attached to e-mail messages (yes, they've been warned, but they still do it every day) stops many viruses and Trojan programs. Eliminating the ability for users to download some new widget and install it themselves drastically reduces the number of zombie PCs spewing spam and malware in your company.

The improved rights and security handling of Linux systems is one of the big reasons I recommend that operating system to customers. Add in the fact it's almost impossible to get viruses and most spyware when running Linux, and you get an added bonus.

Remember, the PC belongs to the company, and the company must configure the system to protect the company. Users should not be part of that equation. If a user makes a case some new program will really improve productivity (that might be true once in a blue moon), fine. You install the program, then log out of the Administrator username and let them log back in as a normal, restricted but secure, user.

7 comments

    Anonymous 2 years ago
    I'm a home power user, I bought this computer, I bought Windows 7. It took me 2 whole days to configure it to a security level that does keep my data and privacy as safe as I want them without all the annoying warnings and error messages. For most business environments I agree with the writer of this article, but MS made it much too hard to configure to whatever security level is desired by the administrator.IMHO it should be easy to create a very simple policy editor that only shows up once per setup with only about ten to twelve checkboxes. Of course all the detailed settings currently available should remain intact for those who either like to tinker or for very special situation.
    Flag comment  |  Permalink Reply
    Anonymous 2 years ago
    It appears Gaskin has no experience with Apple Macintosh nor the MacOS. The security design of MacOS is far more robust than the elderly, rickety security 'framework' that Microsoft doggedly clings to. Gaskin should visit a Apple store and discover what so many other companies have discovered: there are viable alternatives to Microsoft Windows that CAN run MS Office perfectly well while dramatically reducing the incidence of security problems. I recommend Gaskin visits an Apple store to become more acquainted with this product.
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    I'm a computer consultant. I attempt to convince my clients to setup their users as a non-admins. I believe this one practice is the single best security move they can make. Most have heeded my advice, have fewer problems, and lower support bills to prove it. I have one client that hasn't had a virus or spyware related support incident in over three years. I think that alone should be incentive enough to consider this approach. Yes, the users will balk but it's a company system. The threats are coming at them every day and installing software/upgrades is an occasional process. Also this let you truely decide what software will be on the system. So you don't have to consistently monitor/remove undesired software.
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    Removing admin rights certain results in less occurances of users creating problems. But a bug in Windows is a bug in Windows. At best, removing admin rights may reduce the number of people who encounter some bugs, because they can no longer access certain types of features of the machine.Note, however, that removing admin rights either has to be accompanied by a policy that staff are not permitted to be productive, or an increase in the number of staff who DO have the admin rights, so that productivity software can be installed on the desktops.There are no free lunches. Many vendors release software which require admin rights to install. Either the company refuses to use the major software packages in the market (including those by Microsoft), or the company developes the procedures to submit requests for installations, updates, removals, etc.While it is tempting to establish policies that restrict software installation, by doing so, you defeat the very reason that computers were brought into the company - to accomplish work efficiently.
    Flag comment  |  Permalink Reply
    Anonymous 2 years ago in reply to Anonymous
    and all the Engineers, Marketing people, Operations and sales can do what they do best, which is engineer, market, run the operations and sell.The problem is that any two-bit PC owner thinks they can do the job of IT, they think the PC is their home system and they don't have the proper training to run a business level Computer environment. What if IT came in and started telling Marketing how to market or Sales how to sell? I am removing admin rights at this time and I dare anyone to make a noise about it. As soon as they do, I will show their management the 1. number of tickets we have from software installs that mandate a high number of IT staff, and 2. the inventory of non-business related software on the company PC that person is using which means they are wasting time and money on non-company business. If people feel the need to install software on a system that is the key to them being productive and as soon as it breaks because of that unauthorized install they come a runnin' to IT with the expectation that we have to drop everyone else's issue and focus on them shooting themselves in the foot, then they should have their admin rights removed.This is, of course, with the approval of management that I craftily had them approve with an internal SLA and with a slow economy, hiring more people is not an option.
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    As a power user, I somewhat disagree with the author of this article and the article itself.Yes, I agree that the computer belongs to the company and not the user, however not all departments within the company should be configured the same way.For non-technical users, yes, take away whatever is non essential, but think about a quality control department. Taking away admin privileges will only hinder a normal worday.I'm assuming that all employees are "professionals" and not 'solitaire-players'My two cents.
    Flag comment  |  Permalink Reply
    mburton325
    mburton325 3 years ago
    Yes most IT professionals know this and attempt to implement, however unless you are working for an IT firm upper level management are not IT professionals. Since Management has the final say on computer configuration and all the IT/IS department can do is give a logical arguement on why not give local administrative rights to user. Most upper level management will not agree and inform the department to configure with administrative rights for all users. Even after pointing out the Computer World article I was informed that we are to continue giving full administrative rights to users.IT professional know better but we are still at the mercy of upper level management.
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      Small BusinessWhite Papers & Webcasts

      White Paper

      Microsoft Volume Licensing Comparison - Small/Med. Business

      This quick-reference document lets small and medium organizations (i.e. those with five or more devices) to easily compare the available Microsoft Volume Licensing programs to create a simple, cost-effective and flexible way to benefit from volume licensing.

      White Paper

      ESG: Oracle Database Appliance: A Simple, Economical Option for SMBs and Independent Software Vendors

      Read this technology overview of a DBMS built for SMBs that provides a rapidly-deployable, highly-available platform at an affordable cost

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      How much will the security flaws in Google Wallet set back the transition to "digital wallets"?
      0 answers
      What mobile apps are the worst offenders to user privacy?
      2 answers
      What are the main advantages/disadvantages of a hybrid cloud model vs. the public cloud?
      2 answers
      How do you bill for independent sales reps in a company IT contract?
      2 answers
      What would it take for you to allow a company to REALLY track all of your web use?
      2 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question