Microsoft releases new security updates every month, but a new report from UK security firm Avecto suggests that the majority of system threats could be prevented, or at least lessened, by the removal of employee admin rights. The security firm analyzed each security bulletin published by Microsoft in 2014 and found that 80% of the 242 security exploits were reliant on users with administrative access rights.
User access rights are an area of computer security that Microsoft has struggled to improve for years, but which are often misunderstood or ignored. When a new user account is setup for a computer certain privileges can be assigned or denied to the account. Admin privileges are mostly concerned with the ability to install new programs and make changes to system settings. User access restrictions not only do they deter the installation of unneeded software, but they also make it more difficult for malware and viruses to take effect. Many cyber-criminals will specifically target privileged user accounts because it gives them unrestricted access to system and network settings, which give them faster access to the information they are after.
As a standard rule, admin rights should not be given to users on business machines. However, before you rush off to remove your employees’ admin privileges, it’s important to review your individual systems. Some systems can make it difficult to remove admin rights without severely damaging the productivity of your employees. Some older, or poorly written, software won’t function unless a user has full admin rights. In these cases your first objective should be to check for updated versions of the software or consider a full upgrade to your business operating systems. Older software is more likely to have unpatched security faults, so upgrading is always preferable to time consuming and risky workarounds. In cases where a viable upgrade option is not available, you should consult with your IT provider and see what other options may be available to your business.
One last reminder, while removing admin rights from unwarranted user accounts will improve your overall security; it is NOT a replacement for standard patching practices. Some vulnerabilities can only be mitigated with a full security patch and it should always be your first priority to install security patches in a timely manner.
– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer