The technical problems associated with using Windows pre-Vista as a standard user, i.e. without administrative privileges, have left an expectation that users should have full control over their PCs, including the ability to install unauthorised software and change key operating system components.
User Account Control (UAC) in Vista and Windows 7 has made it more practical to run with a standard user account and led many organisations to look seriously at removing administrative rights from end users. Yet if not planned thoroughly, this can bring not only unexpected technical problems but also a mutiny in the ranks.
Change and Company Culture
In many companies, the IT department and the value it adds to the business are well respected and employees cooperate to develop the business. But in some organisations, IT may find itself in a position where users resist change at every step and demand an unrealistic level of service and autonomy that has a negative effect on the IT department’s ability to offer a good service.
Before embarking on a least privilege security project for desktop PCs, start by creating a portfolio of services that the IT department provides and outline what users can expect. For example, when a request to install software is made via the helpdesk, what’s a reasonable amount of time that users can expect to wait? What might be the business reasons for rejecting such a request and the justifications? Your portfolio should also contain a list of authorised software and hardware so that the IT department is able to provide a good service when support is needed.
Laying down foundations will make the move to least privilege easier for both the IT department and users. If employees are accustomed to demanding software be installed immediately and escalating requests to managers if they don’t get their way, least privilege on the desktop will be problematic, as software needs to be carefully vetted for compatibility with standard user accounts.
Least privilege is quick and responsive but users will have to be prepared for a new corporate culture where everything is not on instant offer. They will have to be weaned away from ‘fast food software’ and it is best to be honest with them and tell them that any delays are due to a more careful consideration of additions to the desktop. This will make them aware that any delay is not due to IT being inefficient but that their demand may have knock-on effects on others that the organisation must plan for.
A lack of policy on hardware can lead to the company acquiring so many different devices, configurations and drivers that support costs become much higher than necessary. Specifying particular brands that users are permitted to purchase helps minimise support issues. It’s not always the hardware that causes a support issue: all of the software and hardware that an enterprise intends to deploy needs to be thoroughly checked beforehand for compatibility with all other deployed software, so that all devices and peripherals function properly.
Getting buy-in from top management
Backing from senior management is crucial for a successful least privilege security desktop project. Management need to understand the business benefits, so presenting data on how IT support costs can be reduced and user productivity increased is preferable to focusing on security and technical benefits. Metrics can be used to present the benefits of least privilege to management in a language they understand, and the data can be gathered from a pilot project where a selection of users run with standard user accounts.
Other benefits that can be pitched to management might include the necessity to comply with industry regulations or meet standards, such as those of the International Organization for Standardization (ISO), that demonstrate to clients your company has measures in place to protect their data should they choose to do business with you.
This type of standardisation also brings us on to compliance, which is a very powerful argument to use with senior management when talking about the cost benefits of least privilege. Depending upon your industry sector, it will be necessary to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) if you are a retailer; the Health Insurance Portability and Accountability Act (HIPAA) impacts those in healthcare that exchange patient information electronically; and Sarbanes-Oxley (SOX) lays down compliance and corporate responsibility for financial reports.
Desktop refresh projects, i.e. installing a new desktop image or moving to a new operating system, are often used as a vehicle to implement least privilege, helping IT sell multiple benefits and get the seal of security approval. It also increases the chances of getting acceptance from end users, as an operating system upgrade is almost always supported.
There will be users and managers who decide that they should be exempt from the least privilege security project without any genuine business justification. It will be at this point that upper management must show their resolve and ensure that there are no exceptions without a valid business reason.
Communicating the benefits of least privilege to end users and fully justifying why the decision has been taken to restrict use of administrative rights on the desktop will help ease the transition to a least privilege desktop. Employees should understand how running as a standard user can increase productivity, improve the company’s bottom line and protect customer data. Here’s an analogy that you can use to help your argument:
In the same way that the Highway Code maps out the behaviour society expects of us on the road, least privilege security on the desktop provides rules while enabling users to carry out their responsibilities and maintaining the performance, security and reliability of the PC, so that tasks can be completed in a timely manner without crashes or breakdowns.
Users respond negatively if privileges are removed without explanation. In companies where IT policy hasn’t been enforced or where users expect to have full autonomy over PCs, the transition to least privilege desktops must be carefully planned so the IT department doesn’t face a user revolt. Make sure you set users’ expectations accordingly, before they arrive at work one morning to find their administrative privileges have been removed.
Secure and Flexible
If it’s difficult to share files, users find workarounds even if it breaks company policy, such as telling colleagues their account passwords or using removable USB drives. IT policy should be balanced so that users can do what they need without any significant barriers in the way, and that applies equally to security.
By applying a well-documented least privilege policy, with a proper education program when it is introduced to ensure that staff realise why it has been put in place, organisations can guard against many data breaches. The latest privilege management technologies can act as a powerful tool to empower organisations to remove administrative privileges from end users while at the same time ensuring that the end user experience is not negatively impacted. With the use of application whitelisting and the ability to customise UAC prompts, these solutions can further help to secure PCs and at the same time maintain the flexibility and customisation that users have become accustomed to.
In a world of social media, where bringing your own device into the enterprise has led to many critical failures, it is essential that staff realise the damage they could unintentionally cause by seemingly innocuous changes to their desktops. It is important to have a policy in place because many employees will have friends in other enterprises which are not as security conscious, where they can bring their smartphones in and use Dropbox with impunity. Once the dangers are outlined and they realise they are being treated like adults, these fears will drop away.
Posted by Paul Kenyan, COO, Avecto