August 13, 2020

Admin Privileges – WST

Are your employees using administrator level accounts for general daily activities?   If so, your institution is quite vulnerable to malware and other targeted attacks.

No daily user accounts should ever have administrative rights to their local workstations.  Full stop.  You may have software that a vendor says, “it needs admin-rights to work,” but the simple fact is that there are so many workarounds for this problem in modern operating systems there just isn’t any excuse anymore.  It should also be noted that Microsoft has considered requiring users have local administrative access to run software to be a serious bug for over 10 years.

Network and system administrators should not have their daily account in a privileged group such as local or domain administrators.  Instead, admins should have separate accounts that they use to elevate their privileges when needed.  When using email, researching problems, or working on a helpdesk ticket, elevated privileges are not needed and can be dangerous if the admin accidentally hits a malicious ad or site while researching issues.  If an admin account is compromised, the bad actor will have full access to all systems and data.  While it may add extra steps when performing admin related activities, utilizing a separate admin account makes the environment significantly more secure.

Past Weekly Security Tips – WST

Go to Top