From time to time we are asked to give users the ability to perform certain actions on their computer, such as the ability to add, remove or make changes to software programs or settings. This can not be done in a very granular way and so when we are asked to make this so, we typically have to bring up the subject of “Admin Rights”. This page discusses briefly what Admin Rights are and why we do not recommend giving any users admin rights on your business network.
What Are Admin Rights?
When we talk about users having “Admin Rights” what we generally mean is for selected users be granted the ability to make changes to their computer equipment without oversight from the IT function. Amongst other things, admin rights would allow a person to add programs to their computer, remove programs from their computer, look at files that other people have stored on their computer, adjust security software and make other configuration changes that could be detrimental to the integrity of the network as a whole.
The Implications of Granting Admin Rights…
Although it is rare for users to perform malicious actions to the computer network (this is more common in the days after you have fired someone!) it is common for users with admin rights to perform unintended actions to the computer network. While users may agree not to make certain changes, if that person were to be exposed to a phishing email or a hack attempt, the computer network is at greater risk because some viruses and malware will need admin rights to run and spread. Giving users admin rights is – for these reasons – against best practice. In the computer support world this is called “The Principle of Least Privilege”. The simple act of innocently installing some inconsequential file sharing tool such as DropBox can have significant impacts on where your data is stored and can at a stroke make your privacy policy worthless. In deciding whether or not to grant users admin rights you are basically making a policy decision between convenience or security.
If you value network security….
Removing admin rights mitigates 97% of critical Microsoft vulnerabilities and so is the “default” position we take for customers with a client / server setup. Having this policy in place means that your systems are more secure, more stable and more reliable. It means users cannot simply install software on systems which could cause instability, a security issue or even a licencing issue where the directors have a liability for compliance. Recommended security schemes such as Cyber Essentials require that admin rights are restricted to a limited number of authorised individuals. The following sites are examples of discussions on the topic:
- https://www.greenhousedata.com/blog/should-you-allow-windows-users-to-have-administrative-rights
- https://community.spiceworks.com/topic/195075-reasons-why-domain-users-should-or-should-not-have-local-admin-rights
If you value convenience….
While we do not recommend this approach, we will when requested grant individuals at your site admin rights either on their own computer or on multiple computers as long as you understand the implications of doing so. You must take extra care that any users with admin rights must have been given a robust usage policy and cyber awareness training to ensure they will not fall foul of company policies and on the understanding that this weakens network security significantly.
Updates that need admin rights to run.
From time to time we do see software which is designed in such a way that admin rights are necessary for updates to be performed. For example, Sage 50 and Sage Payroll is not a product that has been written to update without admin rights and this therefore requires external support to install. While this may be inconvenient, you might like express your frustration to Sage, though there are valid reasons why software like Sage should not update without oversight from your IT function. In our Sage example – at a site with several Sage users – updates should be planned in as to ensure your data is not accidentally upgraded at an inconvenient time and users that have not upgraded are locked out of Sage ads a result.
Software that needs admin rights to run.
From time to time we come do come across situations where some software will not work at all without admin rights. This is typically because the software has not been written to a suitable standard (dare we say it, badly written?). In this scenario you have a number of options – anything from not using the software to putting the software inside a virtual machine or sandbox environment. Of course this does add to ongoing costs. The last resort (and the quickest solution) is to simply grant the user admin rights. In this scenario the employer must ensure they have appropriate knowledge in respect of your IT User Policy and are refreshed on it frequently.