Many times users ask why do we restrict use and availability of admin rights for their PCs, given that they own the machines and so should be able to do anything they like with them. Technically, that is very correct, however using a PC all the time with admin credentials poses numerous risks.
As a general rule, users should never need admin credentials to use their PC on a day-to-day basis. 99% of applications in use do not require any privilege elevation, although there are a handful of applications that are badly-behaved/badly-written, and for which users have no option but to run with admin rights. When admin rights are required, such as installing new software, or a new printer, a different account should be used expressly for this purpose.
So, what are the risks of using admin rights?
- Ever-increasing amounts of malware are presented to users on a daily basis – in the form of malicious links in emails and websites. If a user clicks such a link, the ability of the malware to damage the PC and all files reachable – even across the network – is limited when the user does not have admin rights. Clicking such a link when a user does have such rights could potentially disrupt not only the local PC, but potentially all other machines and data files on the network that the admin rights give access to.
- Users with admin rights can and do damage their PCs easily – generally not maliciously, but simply by not being fully aware of the consequences of certain actions. Many times a popup warning will appear, and most users simply ignore these and click ‘OK’, with the result that something has now been done that will forever impact the machine’s operation until manually corrected.
So the end result is that restricting access to admin rights both provides better protection for your PC and your data, and consequently, higher reliability and availability.
If your PC is covered under PASR Managed Services, then PASR will maintain your admin credentials securely, and provide them as and when needed. Simply call or email us, and PASR Support will either assist with the change that requires admin rights, or grant the logged-on user admin rights for a temporary period. Please don’t ask us for permanent access to such credentials, as we will not provide these. PASR is happy to assist at any time such are required, but we have in the past provided this, only to find that they have been provided to a 3rd-party that has gone ahead and done permanent damage – and which we then have to fix. Downtime is then often involved while such problems are corrected, and so again your reliability and availability is impacted. PASR is unable to maintain your systems efficiently when we cannot be confident that unauthorized changes have not been made – and after all – that is what you are subscribing to PASR Managed Services for in the 1st place – to manage your environment for best reliability and data security!
If you are a standalone user, you can protect yourself in the same manner. Make sure you are not using admin rights by default – this is often the initial setting when a new PC is purchased. Go into the control panel and see if your user account is a ‘Standard’ account or an ‘Administrator’ account. If you are an Administrator, create a brand new account with admin rights, and then change your own account type to Standard. As and when you need to make changes that require admin rights, log off and back on with your newly-created admin account and make them – but be sure to log back on with your ‘Standard’ account once done.