Wednesday, 17 November 2010

End-users with admin-level access put your network security at risk

Security Adviser columnist Roger Grimes has another article on Least Privilege Security at InfoWorld. He speaks not only about standard user accounts but also about the advantages of application whitelisting software.

Roger also mentions that Least Privilege Security can help reduce support costs on desktop computers:

Locked-down desktops have few support issues since users aren't installing buggy, unapproved apps, slowing down their systems, and throwing up blue screens all the time. Plus, they require less troubleshooting and fewer rebuilds.

I would also concur with the following statement:

Of course good, updated antimalware defenses are needed. I may not be a huge fan of the increasingly less-accurate antivirus software, but it's worth installing and using in most scenarios. They may not be 100 percent accurate, but they catch bad elements.

AV software should not be your first line of defence; it’s simply not effective enough to protect users in today’s threat environment.

Something I’ve also written about myself at Windows IT Professional in the past is domain isolation. Desktops shouldn’t need to talk to other desktops, for instance, and creating security domains can help to prevent the spread of malware in the case of an outbreak:

I am a strong advocate of security-domain isolation, restricting workstations and servers so that they connect to only what they need. It can be accomplished using myriad methods, including routers, firewalls, VLANs, IPSec, and other avenues of logical separation.
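
The isolation rule described above ("connect to only what they need", with no desktop-to-desktop traffic) can be checked against observed traffic. The following is an added example, not code from this post or from the InfoWorld article; the zone subnets, the allowlist and the "src dst port" flow format are constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): replace with your own segments.
ZONES = {
    "desktops": [ipaddress.ip_network("10.10.0.0/16")],
    "servers": [ipaddress.ip_network("10.20.0.0/24")],
    "mgmt": [ipaddress.ip_network("10.30.0.0/28")],
}

# Default deny: only these (source zone, destination zone, port) flows are needed.
ALLOWED = {
    ("desktops", "servers", 443), ("desktops", "servers", 445),
    ("desktops", "servers", 53),
    ("mgmt", "desktops", 3389), ("mgmt", "servers", 3389),
}

# Constructed flow records, one "src dst dport" per line.
SAMPLE_FLOWS = """\
10.10.4.21 10.20.0.15 443
10.10.4.21 10.10.7.88 445
10.30.0.5 10.10.4.21 3389
10.10.9.3 10.20.0.15 3389
10.10.9.3 192.0.2.10 443
not-an-ip 10.20.0.15 443
"""

def zone_of(addr):
    """Return the name of the zone containing addr, or 'unknown'."""
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"

def audit(text):
    """Return (line number, kind, detail) for every flow outside the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except (IndexError, ValueError):
            # Never drop a record silently: a parse gap is a blind spot.
            findings.append((lineno, "unparsed", line.strip()))
            continue
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, port) not in ALLOWED:
            kind = "lateral" if sz == dz == "desktops" else "not-allowlisted"
            findings.append((lineno, kind, f"{sz}->{dz}:{port}"))
    return findings
```

Flows to addresses outside every zone are reported as `unknown`; egress traffic would need its own allowlist entries before this is run against real logs.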

1 comment:

derekm said...

I can't agree more! I have been solving least privilege for small, medium, and large companies using BeyondTrust PowerBroker and it works perfectly! It allows standard users to run any feature, install apps, run apps, and install ActiveX controls (which all require local admin privileges) while the user remains a standard user! Works perfect!

Derek Melber, MVP