Desktop security can be very frustrating for IT professionals as we try to find the delicate balance between security and user experience. Most end users take things for granted and don’t realize the danger that lies in wait in advertising and the other lovely pop-ups warning of the impending doom of their computer or hard drive, which can only be saved by this “free” software!
For those who wonder how this applies to nonprofits, just remember that productivity is just as vital (if not more so) in the nonprofit world as it is in the corporate world. Lost time due to a virus outbreak is annoying, but lost or stolen data, or downtime because your ISP has cut off your internet access due to spam being sent from your network, is much more than annoying. It can take a lot of time to rectify the virus problem itself, and that doesn’t include the network cleanup, the ISP phone calls, and the calls to customers or donors letting them know their data was lost or stolen.
Antivirus software such as Symantec, ESET NOD32, or my personal favorite, Vipre Enterprise, can only do so much against a persistent user who really wants to install that free software. There’s only one sure way to keep that software off the machine, and that’s to take away the user’s ability to install it at all.
This is probably the one thing that most IT staff (volunteer or paid) go soft on with their end users: local admin rights. Being a local administrator, for those who don’t know, gives you the “keys to the castle” to make any system, registry or file change, which also lets any software you install make those same changes. Viruses, spyware and other malicious software (well, all software, actually) run within the security context of the logged-in user. To continue the key analogy, this means that any virus that runs on your computer has access to every door and room that you do. Microsoft notes this on many, if not all, of their security bulletins with a statement similar to this:
“An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
For management, power users and even IT personnel, software fairly often needs to be installed or updated, or system changes made, for a variety of reasons, so local administrator access is really the default in most people’s network configuration. Step 1 – Join PC to Domain, Step 2 – Add user to local Administrators group. The alternative is to log off and then log back in with an administrative user to make any system changes. This is not only annoying, but it’s also inefficient. However, virus outbreaks, as I noted earlier, are much more costly.
In my network, I apply the following principles:
1) No local administrators unless a specific application requires it (there are some older applications that do require it).
2) Use Restricted Groups in Group Policy to assign workstation administrator accounts (that are not domain administrators) to all PCs within the domain.
3) Use Vipre Enterprise for antivirus and malware protection.
Restricted Groups is a very powerful tool in Group Policy for assigning users to specific groups on a local machine, but it must be used carefully. The “Members of this group” setting is a wipe/replace setting: whatever accounts you list for the local Administrators group replace whatever is there now, and anything not listed is removed on every policy refresh. That includes the Domain Admins group, which Windows adds to local Administrators when the PC joins the domain. So be sure to list the built-in “Administrator” account and Domain Admins in addition to the workstation administrator accounts you want in the group. (The other setting, “This group is a member of,” is additive and only ever adds the group to the groups you name.) More information is available from Microsoft here (http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx).
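Once the policy is in place you still want to verify that every workstation ended up with exactly the membership you intended, and to catch any machine where someone later did the “Step 2 – Add user to local Administrators group” routine by hand. The script below is an added example written for this post and is not part of the original article or any Microsoft tool. It enumerates the local Administrators group on each non-server computer in an OU using the WinNT ADSI provider (which works against older Windows versions and needs no WinRM), then reports any member that is not on the approved list. The OU path, the domain name CORP and the group name WorkstationAdmins are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): audit local Administrators membership
# across domain workstations after a Restricted Groups policy has been applied.
# Assumptions (hypothetical): the OU path, the NetBIOS domain "CORP" and the group
# "WorkstationAdmins" are placeholders for your own environment. Requires the
# ActiveDirectory module (RSAT) and rights to read local groups on the targets.

param(
    [string]$SearchBase = "OU=Workstations,DC=corp,DC=example,DC=com",          # assumption
    [string[]]$Approved = @("Administrator", "CORP\WorkstationAdmins", "CORP\Domain Admins")  # assumption
)

Import-Module ActiveDirectory

function Get-LocalAdmins {
    # Returns the members of the local Administrators group on $Computer, normalised
    # to "Name" for local accounts and "DOMAIN\Name" for domain accounts and groups.
    param([string]$Computer)

    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke("Members")) | ForEach-Object {
        # Each member is a COM object; read its ADsPath, which looks like
        #   WinNT://CORP/WorkstationAdmins        (domain account or group)
        #   WinNT://CORP/PC01/Administrator       (local account on PC01)
        $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Length -ge 3) {
            $parts[-1]                        # local account: just the name
        } else {
            "$($parts[0])\$($parts[1])"       # domain principal: DOMAIN\Name
        }
    }
}

# Workstations only; servers usually have a different (and legitimately larger) admin set.
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' `
                            -SearchBase $SearchBase -Properties OperatingSystem

foreach ($c in $computers) {
    try {
        $members = Get-LocalAdmins -Computer $c.Name
    } catch {
        # Offline machines or firewalled RPC will land here; report rather than hide them.
        Write-Warning "$($c.Name): could not read local Administrators ($($_.Exception.Message))"
        continue
    }

    # -notcontains is case-insensitive by default, so CORP\domain admins still matches.
    $extra = $members | Where-Object { $Approved -notcontains $_ }
    if ($extra) {
        # Anything listed here either pre-dates the policy, was added by hand afterwards,
        # or belongs to a machine the GPO does not reach (wrong OU, policy not refreshed).
        [PSCustomObject]@{
            Computer         = $c.Name
            UnexpectedAdmins = ($extra -join ", ")
        }
    }
}
```

Run it from an account that can read local groups on the workstations and pipe the output to Export-Csv if you want a record. A machine that never shows up in the output but also never produced a warning is the result you want; a warning means the audit could not see that machine, not that it is clean.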
Those who don’t have any special applications that require administrative permissions can feel free to quit reading now, as I know this is long-winded. But for those who want to implement these security measures and still have some older applications that require local administrator access, keep reading for tips on that.
Continue reading “A discussion on desktop security”