Working as an IT specialist within a large international corporate entity, we had a challenge regarding “Administrative/Non-administrative” user rights on our corporate Windows machines. We have likely all faced this question/challenge: we WANT to tighten the machines down to gain the added security and subsequently lower the support need. However, the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if you, like us, have many people in the field.
See, if we removed all administrative rights from users, then they would have to call the ServiceDesk whenever they needed administrative rights – this could be to install a printer, software, drivers etc. Now, for some very “static” machines this would not be a real big problem, but for a large segment of our users this would be very annoying and troublesome – especially for users in the field, where the ServiceDesk may have problems connecting.
On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits. According to the podcast “Security Now” on the TWiT network, you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.
Then again, perhaps not anymore – there now seems to be a way to both “have your cake and eat it” at the same time.
One of the very talented external consultants we use on a regular basis, “Thomas Marcussen”, recently told me about a cool FREE utility they developed called “Access Director for Windows”. What this “Access Director” does is actually simple yet still quite clever: after you install the utility, users have the opportunity to grant themselves temporary administrative rights whenever needed. The user account will normally have no administrative rights; however, by right-clicking the utility icon in the status bar, users can grant themselves a limited period (e.g. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period the local admin rights are automatically revoked and the machine is again secured against malware and exploits.
The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (e.g. traveling salespersons, management etc.) where this utility is installed; on these machines users can elevate themselves as needed. Then have another base of “regular” machines (e.g. production/office PCs) where the administrative rights are removed, and where users will still need to contact the ServiceDesk in case administrative rights are required.
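If you roll this out on the “trusted machines”, you will want to verify that the temporary elevation really is revoked after the limited period. The following is an added example, not Access Director's own code and not from the vendor: it pairs “member added” and “member removed” audit records for the local Administrators group and flags windows that ran too long or were never closed. It assumes that elevation shows up as group membership (Security events 4732/4733); the function name, the record shape, the 30-second grace period and the sample records are all constructed for illustration.

```powershell
# Added example, not Access Director's own code.
# Assumption: a temporary elevation adds the user to the local Administrators
# group (SID S-1-5-32-544), producing Security events 4732 (member added) and
# 4733 (member removed).
$MaxWindow = [TimeSpan]::FromSeconds(150)   # the 2 min period + 30 s grace (assumed)

# Constructed sample records. On a live machine, build objects of this shape
# from: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 }
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:00:00'; Id = 4732; Member = 'CORP\alice'; GroupSid = 'S-1-5-32-544' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 09:02:01'; Id = 4733; Member = 'CORP\alice'; GroupSid = 'S-1-5-32-544' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 10:15:00'; Id = 4732; Member = 'CORP\bob';   GroupSid = 'S-1-5-32-544' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 11:40:00'; Id = 4733; Member = 'CORP\bob';   GroupSid = 'S-1-5-32-544' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 13:00:00'; Id = 4732; Member = 'CORP\carol'; GroupSid = 'S-1-5-32-544' }
    [pscustomobject]@{ Time = [datetime]'2024-01-10 13:05:00'; Id = 4732; Member = 'CORP\dave';  GroupSid = 'S-1-5-32-555' }
)

function Get-ElevationWindow {   # hypothetical helper name
    param([object[]]$Records, [TimeSpan]$MaxWindow, [datetime]$Now)
    $open = @{}   # member -> time the elevation started
    $admins = $Records | Where-Object GroupSid -eq 'S-1-5-32-544' | Sort-Object Time
    foreach ($r in $admins) {
        if ($r.Id -eq 4732) {
            if (-not $open.ContainsKey($r.Member)) { $open[$r.Member] = $r.Time }
        }
        elseif ($r.Id -eq 4733 -and $open.ContainsKey($r.Member)) {
            $start = $open[$r.Member]
            $open.Remove($r.Member)
            $length = $r.Time - $start
            $status = if ($length -gt $MaxWindow) { 'TOO_LONG' } else { 'OK' }
            [pscustomobject]@{ Member = $r.Member; Start = $start; End = $r.Time
                Minutes = [math]::Round($length.TotalMinutes, 1); Status = $status }
        }
    }
    # Anything still open was added to the group and never removed again.
    foreach ($member in $open.Keys) {
        $age = $Now - $open[$member]
        [pscustomobject]@{ Member = $member; Start = $open[$member]; End = $null
            Minutes = [math]::Round($age.TotalMinutes, 1); Status = 'NOT_REVOKED' }
    }
}

Get-ElevationWindow -Records $sample -MaxWindow $MaxWindow -Now ([datetime]'2024-01-10 14:00:00') |
    Sort-Object Start | Format-Table -AutoSize
```

The 4732/4733 records only exist if auditing of security group management is enabled on the machine.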
Oh yeah, did I remember to mention it is a free utility 😀
I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way, such as: ability to customize settings via registry settings, ability to control who can elevate (via groups), plus a manual. He said that the reason for the lack of documentation was that the release was slightly rushed due to TechEd. There is a little info on some registry settings here: http://sl.readmydamnblog.com/RZdo7J
Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂
Download site is (look for “Download Access Director”);
YouTube Video here;
Thanks to Thomas Marcussen for this nice utility.