In many organizations, End users are generally found to have administrative privileges over their desktops and laptops. But this could turn out to be one of the most potent IT security risk faced by the organization.
A new study by BeyondTrust found that 92% of critical Microsoft vulnerabilities could have been stopped or mitigated by stopping the practice of giving users “Administrator” rights. Users who login with Administrator rights are at far greater risk from Malware than those that don’t. The study also found that these users are responsible for far more help desk and service calls than users who login with “user” level privileges.
The study concluded that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” The study also found that eliminating Admin rights would have stopped or mitigated:
94 percent of Microsoft Office vulnerabilities reported in 2008
89 percent of Internet Explorer vulnerabilities reported in 2008
53 percent of Microsoft Windows vulnerabilities reported in 2008.
Further illustrating the benefits to enterprises of removing administrator rights from users, a recent Gartner report states, “The Gartner TCO model shows a significant reduction in TCO between a managed desktop where the user is an administrator, compared with a desktop where the user is a standard user. Among the most remarkable observations is that the model shows a 24 percent decrease in the amount of IT labor needed for technical support.”
Restricting end users from having administrative privileges to their desktops and laptops is one of the basic IT Security initiatives, but is rarely implemented. Given the general laxity in patch management, many of the Zero day threats become more potent when administrative privileges are available with end users as viruses and malwares rely on such privileges for propagation.
Apart from the IT Security angle the above studies also bring the element of reduced help desk calls for non-administrative level users.