Reducing Security Holes in Administrative Rights
Friday, May 15, 2009 17:21

What is one way to reduce the number and severity of attacks on the computers in your business? The one that comes to mind first is not to let yourself or your employees run their computers with administrative privileges. In the positions I have held over the years, most employers gave me a computer with Administrator or Power User rights so that I could install software and make other system configuration changes. This is not a question of trust between the company and its employees; it is about reducing the security risk to the network. Any program that runs in my session runs with my rights, so whatever I can do on that computer, code that reaches the computer can do as well. For example, if I can install software, then spyware or other malicious software that I encounter on the network or the web can install itself on my computer. Does this mean that employees can never log in under an administrator account to perform system maintenance or to install a piece of needed software (especially remote workers)? No. It means that during a normal working day they should not be logged in under an administrator account.
In Windows XP or Vista it is not hard to set up a limited-user or standard-user account. The two are the same idea under different names, depending on which operating system you are using. According to a recent Computerworld article, if users did not have administrative rights, approximately 92 percent of the vulnerabilities reported in Windows could have been mitigated or prevented outright. I have seen other data making the same point with figures of 60 percent and up for the security issues that could have been blocked, or their impact reduced, if users had not been running with administrative privileges. The question of administrative rights should be addressed on Linux as well: root on Linux is the equivalent of Administrator on Windows, and any account with user ID 0 is root whatever it is called. The usual practice there is to work from an unprivileged account and use sudo (or su) for the occasional command that genuinely needs root.
No matter which operating system you use, set up a separate user account for general computer work. Log in as Administrator or root only when software must be installed or some other system configuration must be changed. The same applies to a blog: set up a regular user account and do not log in as the blog's administrator just to write a post, respond to a comment, or perform other daily tasks. Additional security details for blogging can be found at the BlogSecurity website. Whether you are on Windows, on Linux, or on your blog, create a user account and operate under it except for the few occasions when you need administrative rights to install software or handle similar issues.
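As an added example (not part of the original post), the following POSIX shell script shows how to confirm, on Linux, that the account you intend to use day to day is really a plain user. It lists every account whose user ID is 0 (each of those is root, whatever its name) and the members of the groups that commonly grant sudo or su rights, then checks a named account against both lists. The passwd and group contents in the script are constructed sample data for the example: the `toor` entry and the user names are invented, and the set of administrative group names (root, sudo, wheel, admin) is an assumption you should adjust for your distribution. On a real host you would read /etc/passwd and /etc/group instead.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the account chosen
# for daily use on a Linux host is a plain user and list the accounts that are
# effectively root. The passwd and group contents are constructed sample data
# (the "toor" alias and the user names are invented for this example); on a
# real host read /etc/passwd and /etc/group instead.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
wheel:x:10:
adm:x:4:bob
users:x:100:alice,bob'

# Groups assumed here to grant administrative rights through sudo or su.
# Adjust for your distribution; adm (log reading on Debian-family systems)
# is deliberately not treated as administrative.
ADMIN_GROUPS='^(root|sudo|wheel|admin)$'

# Print every account whose numeric uid is 0: each one is root, whatever
# its name. $1 = contents of a passwd file.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Print the members of the administrative groups, one per line, deduplicated.
# $1 = contents of a group file.
admin_group_members() {
    printf '%s\n' "$1" | awk -F: -v pat="$ADMIN_GROUPS" '
        $1 ~ pat && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' | sort -u
}

# Succeed (return 0) only when $1 is a plain user: not uid 0 and not in any
# administrative group. $2 = passwd contents, $3 = group contents.
is_plain_user() {
    for u in $(uid0_accounts "$2") $(admin_group_members "$3"); do
        [ "$u" = "$1" ] && return 1
    done
    return 0
}

# Succeed when the current shell itself is running as root, which is exactly
# the state this post advises against for day-to-day work.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

echo "uid-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "admin group members: $(admin_group_members "$SAMPLE_GROUP" | tr '\n' ' ')"
for u in alice bob; do
    if is_plain_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
        echo "$u: plain user, suitable for daily work"
    else
        echo "$u: has administrative rights, do not use for daily work"
    fi
done
if running_as_root; then
    echo "warning: this shell is running as root"
fi
```

On the sample data, `toor` shows up beside `root` as a second uid-0 account, `alice` is flagged because of her sudo membership, and `bob` passes because adm alone does not grant root. The uid check matters because a second uid-0 account does not have to be named root; the group check matters because a sudo or wheel member is one password prompt away from root even though their own uid is not 0.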