One of the most prevalent security risks we encounter is setting users to be local administrators on their workstations. This is usually set up because some important software application requires it, or users need the ability to make certain changes to their workstations – like changing wifi networks or adding printers.

While setting a user as local admin does allow them to do these things, it also allows them to do a number of undesirable actions, like disabling antivirus protection or installing/uninstalling any application on their workstation.

In the not-so-distant past, this was seen as an acceptable risk since any damage was usually limited to the affected workstation. The recent advent of ransomware viruses combined with the discovery of serious networking flaws in Windows has drastically altered that view. Now, a single infected workstation can spread an encryption virus to servers and other workstations within minutes of running an infected email attachment or loading an infected website.

Fortunately, the need for local admin rights can often be eliminated with a little bit of effort.

  • Since Windows 7, Standard users can perform a number of tasks that previously required Administrator user access. If there are specific items needed outside of these tasks, use Group Policy to allow standard users access to those items.
  • Many applications that recommend or require local admin access only do so because they need to write to a small number of protected folders or Registry keys. Ask an application’s support group if they can provide a list of folders/keys that need to be available for access, and use Group Policy to set the needed rights on them.
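
Before encoding a vendor's folder/key list in Group Policy, it helps to prove on one test workstation that the targeted rights are enough for the application to run as a standard user. The PowerShell below is an added example, not part of the original article: it applies the grants locally rather than through Group Policy, and the folder and Registry paths are hypothetical placeholders.

```powershell
# Added example. Paths are hypothetical placeholders for a vendor-supplied list.
$WhatIfPreference = $true   # preview only; set to $false to apply the changes
$Folders = @('C:\Program Files\ExampleApp\Data')          # hypothetical
$RegKeys = @('HKLM:\SOFTWARE\ExampleVendor\ExampleApp')   # hypothetical

# Well-known SID for BUILTIN\Users; the SID works on non-English Windows too.
$Users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$NoProp = [System.Security.AccessControl.PropagationFlags]::None

function Grant-StandardUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]$Rule
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    if ($PSCmdlet.ShouldProcess($Path, 'Grant BUILTIN\Users the listed rights')) {
        $acl.AddAccessRule($Rule)   # adds to the existing ACL, removes nothing
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

foreach ($folder in $Folders) {
    # Modify = read, write and delete, without changing permissions or ownership.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Users,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        $NoProp, $Allow)
    Grant-StandardUserAccess -Path $folder -Rule $rule
}

foreach ($key in $RegKeys) {
    # Registry keys have no "files", so only ContainerInherit (subkeys) applies.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Users,
        [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        $NoProp, $Allow)
    Grant-StandardUserAccess -Path $key -Rule $rule
}
```

Run it from an elevated prompt. Keep the grants to data folders and settings keys: a folder that holds executables or DLLs loaded by a service or an administrator should stay read-only for standard users.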

It’s also extremely important to keep your workstations and servers updated through Windows Update. One of the flaws that allows the ransomware to spread to other machines on a network has been fixed, but only if machines have installed the update.