Written by: Daniel Haurey on 11/20/14

Most Windows computer users, by default, are granted administrative privileges or “admin rights” to their PC that allow them to access administrative functions, such as installing software and changing various Windows settings. This privilege, however, can be the catalyst for far greater risk than benefit, as it is the very privilege that could lead to serious virus and malware infections and catastrophic data loss.

The average business computer user does not require Windows administrative privileges to effectively execute their daily functions. In the event that a program must be installed, or an administrative setting changed, it is important that those changes be managed via a separate Windows administrative account, preferably by someone savvy enough understand the impact of the installation. This is referred to as the “Principle of Least Privilege” (or PoLP), which dictates that users have only the minimum privilege required to perform their job. Extra privileges means extra responsibility and the risk of crippling that PC, or worse, the entire network.

Let’s take some non-IT examples. Consider your workplace:

  • Does every employee have a master key, allowing them to get into any and all rooms, offices, closets, safes, on the premises?picture of a safe
  • Does every employee have the ability to sign contracts and enter into new business agreements or hire new employees?

The above examples could be potentially more of a risk than administrative privileges over a desktop PC, but consider the example where a user has administrative rights over their PC, and that PC is compromised by some form of malware. That malware in turn is used as a springboard to launch an attack against the company’s IT infrastructure. Once compromised, all company data could potentially be available to the attacker. The rationale for not allowing administrative access rights to all computer users is as follows:

  • Administrative rights give users the ability to install, modify and run any program on their local computer. Often times, non-tech-savvy users download and install “freeware” or “shareware” which seem innocuous but are loaded with harmful malware or productivity zapping adware.
  • Viruses, spyware, and rogue programs leverage those administrative rights to install and propagate themselves throughout a network.

The notion of removing administrative privileges from end user computers is sure to be met with the question “what if we need to install a new program?” In a managed computing environment in a business setting, the appropriate answer is, have your help desk install it for you. While this may sound a bit laborious, it is the conservative and safe approach in an increasingly dangerous cyber-universe. Allowing users to install their own software is simply an avenue for security holes. Most software, once installed, requires no further administration, and as such requires no administrative privilege.


Sort of Technical