|
Videos
November 13, 2012 By Paul Kenyon, COO, Avecto
Every organization experiences user frustrations and complications that result in support calls to the help desk. While each call may seem to suggest a unique problem, have you ever stopped to ask whether there could be a common root cause?
While it may seem black and white – the machine works and now it doesn’t – I’d argue that the majority of scenarios can actually be pinpointed to the same problem, just in different "grey" guises. Let’s look at the evidence.
Every day the IT help desk receives hundreds of calls from the user base. While many will be straightforward, with an obvious underlying cause – such as a forgotten password – there will be some that will leave the IT team scratching their heads, sometimes for months. How many of the following sound familiar?
What will resonate is this – the user needs it handled now! But there's another another commonality in many end-user situations: Many users have admin rights, allowing them to make changes to their machines without approval or authorization.
The issue for the help desk is that it can be difficult to pinpoint what exactly has happened, and often the help desk has little to go on. What is evident is that the device isn’t functioning the way it should, but how it got to this state could quite literally be one of a million reasons. Using hypothetical situations to illustrate the point, here are some common scenarios:
The common factor, I would argue, is that your users have admin rights – or at least some of them do. Take the problem with Ron. What has the issue been chalked up to? Is it a printer driver issue or the fact that Ron has the ability to change his settings whenever he pleases? What about Frank – there were so many conflicts that it’s hard to pinpoint exactly which caused the final meltdown, but it's his admin rights that allowed him to tinker with the build.
Ask yourself the same question for each of the other scenarios you face on a daily basis – malware, spyware, Active X, compatibility conflicts, etc. Can you see a connection – how many will have admin rights as the underlying cause? How many open tickets in the system right now would have happened if your user base did not have admin rights?
To give users control of their desktop in a corporate environment, whether public- or private-sector, is bad news. They’ll introduce or change things that can, at best, cause compatibility issues resulting in problematic devices; at worst, they can cause serious security breaches, all of which cost money and time.
Of course removing admin rights is a problem in itself.
If you're too restrictive, users are left struggling to perform every day tasks; if you're too lenient, it could bring the organization to its knees. But it doesn’t have to be that way and, let’s face it, the consequences of admin rights isn’t a picnic either. Here are three steps that will help you strike a better balance:
Group policy
A feature of Microsoft, you can use group policy to control what users can and cannot do on the system. By restricting certain actions, such as blocking access to the task manager, disabling the downloading of executable files, etc., many of the "problems" can be prevented.
Don’t give users admin rights
Having made the decision to remove admin rights, don’t let slowly transfer those rights back to users. Often considered a quick fix, IT will bestow admin rights on users to try and resolve a problem. While it might work in the short term, you’re just creating another in the long term. Instead, a least privilege approach will remove the risk of installing malicious software – intentionally or accidentally – as well as restricting users’ inept behaviour. This means controlling, either manually or with software, which applications and devices can run in your environment.
Talk to users
Introduce customised messaging that allows IT to communicate an appropriate message to the user based on their activity so they know, and understand, exactly what it is that they’re being stopped from doing – and why. It could include, if appropriate, an alternative course of action. This can reduce costly support and improve the user experience.
While on the surface it may seem a knee jerk reaction to remove privileges from all users, just because a few tie themselves up in knots, the reality is it is impossible to support a non-standard user base. So if you want to protect your Achilles heel, then your security mantra needs to focus on effectively managing user rights.
Paul Kenyon is the COO of Avecto, which helps organizations deploy secure and compliant desktops and servers.
Image courtesy of Shutterstock.com
You may use or reference this story with attribution and a link to
http://www.govtech.com/Locking-Down-Administrative-Rights.html
Collaborative Justice: Transforming Criminal Justice Services Through Unified Collaboration
Cloud-Based Services Accelerate Public Sector Adoption of Video Collaboration
I agree that giving admin rights is a mistake and should be avoided. But it does cause problems when users want to change an otherwise benign setting and can't. For example, users here can change their screen resolutions (e.g. 1024x768 or higher); however, they cannot change their DPI settings. So if you want high resolution for crispness at 120 DPI so you can see the fonts better... you can't. You're stuck with 96. So you have to play with your other settings to approximate simply what changing the DPI would do. We also cannot clear our cache. Sometimes web pages don't load properly and we're asked to clear our cache... but we can't. So there's got to be a good balance.
If you have a locked down standard application suite with standardized hardware, by all means. If you have a diverse, specialized organization be very careful.
Locking everything down can also be a source of problems. All users should be able to clear their pcs' caches without waiting for a help desk rep or IT administrator to do it for them. A lot of time can be wasted waiting for that.