Giving up your rights
Most of our clients are small/medium-sized businesses on a Managed IT Service program. Often, end users will ask: “Why can’t I install X by myself?” This isn’t so much a result of the user being a problem as it is a result of years of big-name vendors selling cheap systems and not bothering with security. Until Apple’s big comeback somehow made a locked-in ecosystem acceptable to the average consumer (to the dismay of the founders and creators of the technology it’s built on), users got comfortable being able to do anything they wanted to their system. While we’re hackers at heart and always want the option to tinker, it’s not really appropriate in a business environment.
Limited User Accounts
While this isn’t such a concern with the newer OS X and Windows 7/8, I dug up this Washington Post article from 2006 on one of the simplest things you can do to secure your PC. The first account you configure on a PC is generally a full administrator. This means you can do anything you want, good or bad.
While Windows Vista and OS X introduced us to things like User Account Control, creating a “buffer” when taking actions that modified the system, it’s still too easy to trigger unintended consequences that cost you time and money later on.
Limited User accounts prevent:
- Changing computer configuration
- Accidental deletion or modification of data and programs
- Malware from installing, especially when surfing
- Kids and corporate users from installing software of any kind
- Using the computer for other purposes
- Theft of information or intellectual property
For a long time, this simple change that provided huge improvements in security ended up creating problems for users, thanks to poor design by Microsoft and lazy third-party developers. Even Intuit took years to update their QuickBooks packages to become compatible with the LUA methodology (I think they got around to it in their 2010 version).
The cost of free software
There’s plenty of great free software out there (often better than paid stuff!), but you need to know what you’re installing. Popular packages like VLC or OpenOffice are frequently viewed as attack vectors for malware or bloatware (those stupid toolbars and popups).
If you don’t know where to download the original files, it’s easy enough to click the wrong link in a Google search and download a copy with something bundled with it. If they’re nice, there’s probably a tiny check box buried in the install screen you can un-check, but it’s probably very easy to miss.
At the end of the day, our argument is simply that it costs less to have an IT pro handle it while you sit back and relax (or more likely just work on something else). Does it really pay for you to spend time tracking down the right program or cleaning up junk from your PC later? (Our secondary argument: exactly why is a user constantly installing programs? Is that part of their job description?)
A more delicate problem is the question of who gets admin rights (of course assuming we’ve set up separate admin accounts for such purposes).
The problem here isn’t that we’re trying to single out an individual; we rather like most of our clients. The purpose is to prepare for the unknown. For example, if a policy is in place and followed, then it’s less likely you’ll
- find out the hard way that your new hire isn’t such a nice person after all (at least not at the expense of your data)
- realize you just spent two hours looking for a program to open some obscure video format
- click the wrong download link and end up with a threat from the “FBI” that will “go away if you pay $50”
We hope this helps sway business owners to err on the side of caution when it comes to users and admin rights. This isn’t my position or even just our company’s position; it is considered standard practice in responsibly securing a network.
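One way to check who actually holds admin rights on a Windows PC, and whether the account you work in every day is one of them (an added example, not part of the original post). The allow-list and the `it-admin` account name are hypothetical; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: audit membership of the local Administrators group.
# $ApprovedAdmins is a constructed allow-list of dedicated admin accounts;
# "it-admin" is a hypothetical name, replace it with your own.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\it-admin"
)

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup works even when the group name is localized.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    # RID 500 identifies the built-in Administrator account, even if renamed.
    $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
    [pscustomobject]@{
        Name     = $m.Name
        Type     = $m.ObjectClass       # User or Group
        Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
        Approved = $isBuiltIn -or ($ApprovedAdmins -contains $m.Name)
    }
}
$report | Sort-Object Approved, Name | Format-Table -AutoSize

# Anything not on the allow-list is an account with more rights than policy allows.
$unapproved = @($report | Where-Object { -not $_.Approved })
foreach ($u in $unapproved) {
    Write-Warning "Admin rights outside the approved list: $($u.Name)"
}

# Is the account running this script a direct member of Administrators?
# (Membership through a nested group is not detected by this comparison.)
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$direct = @($members | Where-Object { $_.SID.Value -eq $me.User.Value })
if ($direct.Count -gt 0) {
    Write-Warning "$($me.Name) is a local administrator; use a limited account for daily work."
}

# Is this session running with an elevated token? With UAC on, this is
# False for an admin account until "Run as administrator" is used.
$principal = [Security.Principal.WindowsPrincipal]::new($me)
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Session elevated: $elevated"
```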