Should Users have Admin Rights?
I Want Local Admin Rights for all my smart users!
What are “Local Admin Rights” for computers, and do I want my end users to have them?
Every time you log onto your computer, you’re doing so with your “User Account”. That’s not just your user name and password. It’s all of the settings specific to your account. Some of it’s about how programs should behave. Some of it’s about security.
And one of the most important settings about your User Account? Whether you have…“Local Admin Rights”.
If your account has these rights, you can essentially do…anything…to your computer. Install and uninstall programs. Install other components. Change anything. Add other users. Oh, and delete other users as well. Change passwords. Patch and update pretty much any part of the system. Heck, nuke the entire system.
Local Admin Rights Rule!!!
But here’s the problem. Actually there are two problems.
First is the “whoops” factor. Basically you can easily change or remove parts of the system that you really didn’t mean to. Delete Office (don’t say you haven’t ever considered it). Remove all your documents. Install a new program that completely mucks up your system. We’re talking about accidents.
Second is more nefarious. The bad guys love to present themselves as things you should install or run. Let’s say it’s a screen saying “You’ve been infected, click here to remove the malware”. Click it, and…you’ve just installed the malware yourself. If you didn’t have Local Admin Rights? Odds are the malware wouldn’t be able to do a thing (this isn’t always true).
Most organizations have taken the logical step of removing local Admin Rights from their end users. And this can be annoying. Every time an end user legitimately wants something installed? They have to contact IT (whether it be internal employees or a Managed Service Provider like Simplex-IT) and wait for them to take action.
Absolutely impacts productivity.
But not as much as end users accidentally infecting their machines with malware.
And we’re finding (and creating) more and more ways to automatically push out software, including patching and updating, to our client workstations. To preemptively handle these updates. And ways to automatically install common software, so the solution is actually a lot faster than it used to be. And to do these things with little to no impact on the end user.
There are some people who take losing their local Admin Rights personally. As if it demonstrates a lack of trust. But many cyber insurance providers are requiring their customers to remove local Admin Rights for their end users.
For good reason.