
Restricting User Desktop Rights Is Critical

Mar 23, 2004

by David Friedlander

with Jan Sundgren

and Natalie Lambert

Many organizations grant Power User or Administrator rights to Windows desktop users. However, both access settings pose significant risks. Administrative rights give users full access to install software and change system settings, exposing the organization to information security risks. Power Users can still install most software, change settings, and modify account settings to create an administrative account.

Granting users extended rights on the desktop will increase support costs by 10 percent or more and create significant security risks. However, some applications or functions only work if users have elevated rights, so IT managers in most organizations will need to make some exceptions. IT should enforce strict policies to limit the number of exceptions and take steps to limit administrative access to desktops for IT personnel and users alike.

The Managed Desktop: A Far-Off Ideal for Many Companies

Based on the nature of the inquiries that Forrester has received over the past year, approximately 30 percent to 40 percent of companies have managed desktop environments where user rights are very limited. Most companies do not have a managed desktop environment or make exceptions for half or more of the users. Companies may use inventory and software distribution technology to scan the systems and deploy patches or software updates, but the users often have administrative control of the systems. Organizations in regulated industries like banking, telecom, insurance, and healthcare are more likely to have managed desktop environments. Customer confidentiality and accurate financial reporting are also putting additional pressure on these companies. They are becoming increasingly concerned about client device security, and so are more likely to have strong, enforced end-user computing policies and tightly managed desktop environments. Other organizations that have taken a managed desktop approach have done so primarily for cost reasons.

Even companies with a tightly managed desktop environment often need to make exceptions.

Marathon Oil noted that in 2003, it had successfully locked down 90 percent of its desktops. The other 10 percent of the users had retained administrative rights at a cost. Marathon indicated that these users accounted for half of the help desk call volume, and that those trouble tickets were open an average of three times longer than trouble tickets for the managed desktops.1

Security Risks Posed by Unmanaged Desktops

Unrestricted desktop rights pose a significant security threat to organizations by leaving an opening for internal attacks or inadvertent user mistakes. Issues include:

  • User-installed software. File sharing programs, instant messaging software, and a variety of other software can become vectors for viruses or malicious code. Many companies have banned the use of specific types of software in corporate policies but do not enforce the policies.
  • Out-of-date system patch levels or virus definitions. If users have administrative rights, they can often postpone updates or accidentally disable functions like virus scanning.
  • Laptops as an infection point. Laptops, which are frequently outside the firewall, are more likely to be affected by viruses, worms, or other malicious code. Laptop users are also more likely to have administrative rights and may not have current virus definition files or patch levels.
  • Information security risks. If users have full rights to both store data on local drives and copy files off of the system, data could be at risk. More importantly, IT staff members with administrative rights have unlimited access to the files on user desktops. Strict policies regarding who has administrative access and audit trails can limit risks.

Best Practices for Managing Desktop Rights

Ninety percent or more of users should have User rights on their desktop, rather than Power User or Administrator rights. This prevents users from being able to install software or make changes to the desktop other than application settings and preferences.

Using Active Directory or other administrative tools, IT should also lock down browser security settings, and if desired, the desktop background, home page, and other settings. People who should have administrative rights include desktop field support technicians, senior desktop IT support managers, and users when required or otherwise appropriate. In some instances, users legitimately require Power User or Administrator rights, or are executives who are in a position to demand them.

There are some applications that won't function properly unless the user has Administrator or Power User rights. Many older applications that were written prior to Windows 2000 are not designed to work with current Windows desktop security rights, so such software attempts to write to protected system areas in Windows 2000 or XP. Applications with the Windows Compatibility Logo for 2000 or XP should not have this issue.

If users have a legitimate business requirement to install printer drivers, ActiveX controls, or other software, they will need to be assigned Power User rights. Executives and other laptop users are the most likely to require (or say they require) Power User rights. Unfortunately, laptop users also have greater exposure to viruses and worms when they are outside of the company firewall. This makes it difficult to resolve the fundamental conflict between business and security requirements. IT can limit some of the support issues and security risks by using automated software distribution tools to deliver software and patches to users when they need them.

Companies should also limit which IT personnel have administrative rights to desktops, and who can install software. Since someone with full administrative rights can change passwords, install software, and view any files, administrative rights should be restricted to a small number of IT staff. For example, level 1 help desk personnel should not have administrative rights. In order to limit the risks posed by IT support operations, IT should:

  • Not have a standard Administrator account that works on all desktops. IT support personnel should not share accounts. Using a shared account limits management's ability to keep a useful audit log and is simply asking for trouble.
  • Never use the default Administrator account for any system. This may seem obvious, but based on discussions with Forrester clients, a majority of companies have not renamed the account. Hackers or internal personnel who wish to compromise the systems will almost always target the Administrator account.
  • Maintain unique accounts for each administrator. We know of companies that will share one administrative account across three or four support team members, particularly if there is no directory infrastructure. This is a relatively low level of risk but of course still makes audit logs somewhat less useful.
  • Use Active Directory to assign rights and manage IT support permissioning. Using Active Directory or another enterprise directory enables IT to assign administrative rights to specific groups or individuals and even limit administrative rights to a group of desktops or servers.
  • Limit access to any software distribution tools. Access should be based on role and scope; that is, both the systems a user can manage and what functions they are authorized to use on those systems. For example, a call center manager may legitimately need access to inventory information about the call center systems, but he should not be able to see any other systems or be able to distribute software.
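One way to check a workstation against the practices above (standard users rather than Power Users, the built-in Administrator account renamed and disabled, local Administrators limited to an approved support group) is a small PowerShell audit. It is added here as an example and is not part of the Forrester report; it assumes PowerShell 5.1 or later with the LocalAccounts cmdlets, local administrator rights to run it, and a constructed approved-group name CONTOSO\Desktop-Support-Admins.

```powershell
# Added audit example (not from the Forrester report). Assumes PowerShell 5.1+
# with Get-LocalUser / Get-LocalGroupMember and that it runs as a local admin.

function Test-DesktopRights {
    [CmdletBinding()]
    param(
        # Groups or accounts allowed to hold local admin rights, e.g. the AD
        # group for field support technicians. Constructed sample value.
        [string[]]$ApprovedAdmins = @('CONTOSO\Desktop-Support-Admins')
    )

    $findings = @()

    # 1. Built-in Administrator: RID 500 identifies it even after a rename,
    #    so we check the name and enabled state of that SID, not of "Administrator".
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($null -ne $builtin) {
        if ($builtin.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator account has not been renamed.'
        }
        if ($builtin.Enabled) {
            $findings += "Built-in Administrator account '$($builtin.Name)' is enabled."
        }
    }

    # 2. Local Administrators: any member not on the approved list is an
    #    exception that needs a documented business justification.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($ApprovedAdmins -notcontains $m.Name -and $m.SID.Value -notlike '*-500') {
            $findings += "Unapproved member of Administrators: $($m.Name) ($($m.ObjectClass))"
        }
    }

    # 3. Power Users: the report treats this group as nearly as risky as
    #    Administrators, so any membership at all is flagged.
    $powerUsers = Get-LocalGroupMember -Group 'Power Users' -ErrorAction SilentlyContinue
    foreach ($m in $powerUsers) {
        $findings += "Member of Power Users: $($m.Name)"
    }

    # One record per machine, suitable for collecting centrally.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DesktopRights | Format-List
```

Running it across the fleet through a software distribution tool and collecting the Findings field gives IT the list of exceptions to review, rather than relying on policy alone.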