The Right to Self-Administration vs. Principle of Least Privilege

Small business, college, and non-profit personnel tend to have administrative rights on their work machines. Bad move IT! Most computer users want to do, what they want to do, when they want to do it; treating their work computer as their own personal computer. Often these very same users have little understanding and/or complete disregard for the due diligence  required when handling computer information systems. Leadership must make it a priority to  inform end-users of computing issues and provide adequate training. In addition policy and procedure must be implemented prohibiting end-users from putting computer networks and information systems in jeopardy.

Self-administration has its benefits and detriments. It gives end-users the benefit of being able to instantly install applications and/or modify the computer system to meet their own needs on their own time. This  eases the load on the IT helpdesk and IT administrators, allowing end-users to perform trivial tasks such as third-party software updates, or plugin-installation. However this same ability opens up each endpoint to potential exploitation.  Running a system as an administrator allows black-hat hackers to easily drop a malicious payload into the system. Often, the end user is duped into allowing the system to be compromised. Seemingly legitimate e-mails may contain links to malicious content. Seemingly legitimate files may contain malicious code or executables unbeknownst to the end-user. It is quite easy to fall prey to phishing schemes or to click seemingly legitimate web links to pages containing scripts that can deliver malicious payloads to the system. When logged in as an administrative user, opening a file or link with hidden malicious content through Adobe Acrobat, Flash, Microsoft Word, web browsers, etc., may execute this code. This may allow the malware to compromise the system. To mitigate against malicious attacks, proper administration of computers and networks is necessary, however more costly. Proper administration calls for the elimination of end-user privileges, putting administrative decision making in the hands of those who are knowledgeable in the field of information technology and security.

Often, end-users become disgruntled at the thought of having their administrative rights curtailed. However, adhering to the principle of least privilege is a benefit to all. Allowing end-users to be administrators basically lets them treat their work computer as if it were their home computer. Kindsight Security Labs, in an April 2012 study, reported that 13% of all Windows and 7% of all Macintosh home computers are infected with malware.  If these computers were office computers or home computers used to access organizational information the ramifications could be vast.

The tendency to use a work computer as a personal computer with administrative privileges not only puts end-user banking information, credentials, and other personal information at risk, but there is significant risk to the organizational information.  Granting administrative privilege to technically unqualified and conceptually unaware end-users should be restricted. The computers of end-users with administrative permissions are often compromised. Such compromise, can result in significant down-time causing lack of productivity, increased financial liability and additional burden on human resources. Data leakage could lead to a tarnished image in the press and exposure to law suits. The list goes on.

Security is everyone’s obligation. “If you see something, say something” just doesn’t cut it in the digital realm. Pro-activity from all stakeholders is required. Precautionary technical measures ought be implemented. End-users need to be trained about the issues at hand, the risks, ramifications, and how to avoid them. The security firm Beyond Trust claims that a review of the Microsoft security bulletins showed that 90% of Microsoft vulnerabilities would have been thwarted by implementing the principle of least privilege. Implementing policy and technical controls allows an organizations’ administrative team to have greater control over their systems, minimizing risk. Specifically, eliminating end-user administrative control will necessarily, and immediately give an organization a better security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *