ComputerWorld highlights a security fix that most tech people know about, but few have the courage to actually implement. Quoting a security firm hyping their own product, ComputerWorld's story says Removing Admin Rights Stymies 92% of Microsoft's Bugs. We know that, yet we keep giving Windows users full administrative privileges.
The trick for company management is to accept that they, not users, own the computers. You have a perfect right to configure the PCs the way you want to maximize work and minimize security problems and wasted time. I remember being paid to delete Solitaire from Windows 3.1 systems back in the day, just to eliminate the distraction.
Your users will complain. Here's what you tell them: “It's not your *&#%*&$ computer!” Let me repeat that a bit more politely. The computer belongs to the company, not the user, and you and only you decide what software goes on the computer and when to install it.
Eliminating virus-filled screensavers from KittensGalore or some other site improves security. Eliminating the ability for users to run programs attached to e-mail messages (yes, they've been warned, but they still do it every day) stops many viruses and Trojan programs. Eliminating the ability for users to download some new widget and install it themselves drastically reduces the number of zombie PCs spewing spam and malware in your company.
The improved rights and security handling of Linux systems is one of the big reasons I recommend that operating system to customers. Add in the fact it's almost impossible to get viruses and most spyware when running Linux, and you get an added bonus.
Remember, the PC belongs to the company, and the company must configure the system to protect the company. Users should not be part of that equation. If a user makes a case some new program will really improve productivity (that might be true once in a blue moon), fine. You install the program, then log out of the Administrator username and let them log back in as a normal, restricted but secure, user.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Preaching to the Choir
Yes most IT professionals know this and attempt to implement, however unless you are working for an IT firm upper level management are not IT professionals. Since Management has the final say on computer configuration and all the IT/IS department can do is give a logical arguement on why not give local administrative rights to user. Most upper level management will not agree and inform the department to configure with administrative rights for all users. Even after pointing out the Computer World article I was informed that we are to continue giving full administrative rights to users.IT professional know better but we are still at the mercy of upper level management.
A tough one
As a power user, I somewhat disagree with the author of this article and the article itself.Yes, I agree that the computer belongs to the company and not the user, however not all departments within the company should be configured the same way.
For non-technical users, yes, take away whatever is non essential, but think about a quality control department. Taking away admin privileges will only hinder a normal worday.
I'm assuming that all employees are "professionals" and not 'solitaire-players'
My two cents.
Removing admin rights does NOT reduce window bugs
Removing admin rights certain results in less occurances of users creating problems. But a bug in Windows is a bug in Windows. At best, removing admin rights may reduce the number of people who encounter some bugs, because they can no longer access certain types of features of the machine.Note, however, that removing admin rights either has to be accompanied by a policy that staff are not permitted to be productive, or an increase in the number of staff who DO have the admin rights, so that productivity software can be installed on the desktops.
There are no free lunches. Many vendors release software which require admin rights to install. Either the company refuses to use the major software packages in the market (including those by Microsoft), or the company developes the procedures to submit requests for installations, updates, removals, etc.
While it is tempting to establish policies that restrict software installation, by doing so, you defeat the very reason that computers were brought into the company - to accomplish work efficiently.