Let's face it, computer networks are complicated and keeping them secure depends on a multitude of factors. At the core of this, however, are administrative rights that make it possible to fundamentally alter the configuration of a desktop, its installations and applications. In fact, when you're dealing with admin rights, a slight error can result in a malicious attack on the company's server, potentially compromising the entire network.
But there are some steps that can be taken to mitigate your organization's risk that mostly revolve around taking a “least privilege” approach, meaning end-users can perform their jobs with ease, without compromising the organization's security.
Step 1: Regularly evaluate risk
IT specializes in certain areas that standard users ignore, such as files within the Windows folder and protected parts of the registry. If these are altered without IT knowing – either accidentally or maliciously – it can make the system unstable and increases the risk of data leakage. Regular evaluation of security risks, combined with application whitelisting, is essential in providing that extra layer of defense.
Step 2: Encourage users to have fewer devices
Enterprises must create a balance between the use of personal devices and corporate desktops. If an employee justifies the use of a device, the onus is on the enterprise to establish its compliance with company policy and a clear plan on support responsibility.
Step 3: Move to a managed environment
Lock down machines so that users can only change their desktop configurations -- not the core system. This can save time and money, as it reduces support costs and mitigates lost productivity from network downtime. Leveraging Microsoft Group Policy and Microsoft System Center, for example, will enable the effective deployment of services, such as patch management.
Step 4: Improve end-user experience
When users make system-level changes, they can weaken the endpoint or introduce application clashes. Following the example of devices like the iPad and Android, organizations can catalog a portfolio of programs and applications that are needed and supported. Doing so will help track changes to the system and further secure its core configuration. Furthermore, granting users feedback on activities, rather than completely blocking their access, will result in fewer support calls and reduce privilege creep.
Step 5: Maximize investment in active directory
Most Windows organizations have Active Directory, but few realize its role in achieving centralized management and business-policy driven architecture. There are, however, limits to Active Directory's control and security, so the best option is to bolster security with tightly integrated products. Doing so will provide more granular control, allowing admin rights to be easily removed without impacting end-users and productivity.
Step 6: Improve network uptime
Many organizations fail to recognize the connection between excess admin privileges and lost productivity. For example, without limiting privilege rights, an infected machine could issue an undetected denial-of-service attack, causing a flood of network traffic and bringing routers and switches to a halt. A least privilege environment, not only improves the stability of the desktop, but also improves the quality of the entire network.
Step 7: Regulatory compliance
Many compliance codes state, either implicitly or explicitly, that users should have the minimum amount of privileges to complete everyday tasks. For example, Payment Card Industry Data Security Standard (PCI DSS) states that the organization must ensure that privileged user IDs are restricted to the least amount needed to perform their jobs.
Step 8: Demonstrate due diligence
At its core, this is about educating staff about safe computing. Moreover, taking a least privilege approach shows customers that you're conducting all reasonable measures to protecting their information. Many organizations have been publicly named and shamed for data breaches, damaging their reputations and eroding customer confidence.
Step 9: Analyze support costs
Simply put, secure and managed systems are cheaper to support, which in turn makes security a business enabler as opposed to an initial expense. The provision of a knowledge base and intranet will also help reduce support incidents and, in turn, costs.
Step 10: Reduce complexity
The likelihood of data leakage increases when users are able to make unauthorized and uncataloged changes. Since systems are complex enough without the complications of excess privileges, enterprises should simplify their security posture by replacing local administrative rights with standard user accounts.
Boiling these down to the basics, organizations should implement a security strategy tailored for their business objectives as a vital first step in safeguarding data. Next, removing admin privileges from the majority of users will lower support costs and mitigate security threats.
To maintain productivity, however, this should be done with measured flexibility. After all, introducing a least privilege approach comes down to a logical decision – do you want productivity and security?
