3 Reasons to Stop Giving Employees Local Administrator Rights

To folks in the IT industry, this rule is pretty elementary. But if you’re a business owner, or you have employees, and you think it’s just too much of a hassle to take away their local administrator rights, this article is for you.

It’s About Control – But Not in a Bad Way

Well, control is definitely part of it – but not in the way you might think. It’s not about a boss keeping his thumb on an employee. Let’s at least assume that your employees are trustworthy, and just want to do the best they can for the company. Sure, this may not always be the case, but we’ll tackle the insider threat in a future post.

What it is about is limiting the amount of damage that can be done by an inadvertent click or a seemingly harmless piece of software downloaded from the Internet.

1. A Local Administrator Can Install Software Without Approval

While most employees who install a piece of software do so out of an intention to make their job easier, without control of the software running on your systems, you expose yourself to untold risks.

It’s unlikely any employee will research the reliability and security of a piece of software they download. In addition to that, you may find yourself using unlicensed software that could cost you down the road due to software piracy.

As a business owner, the legal responsibility for what runs on your systems ultimately lies with you – even if you don’t know what’s on them.

2. A Local Admin Can Accidentally Make Detrimental System Setting Changes

A lot of power in the hands of the untrained can wreak havoc. A local admin may end up disabling Windows Updates while trying to change a power setting, ultimately leaving their system unpatched and vulnerable. They could delete important system files, rendering a computer unusable – and what if that computer has important data on it?

3. A Local Admin is More Likely to Launch a Malicious Script or Virus

When I worked for an aerospace company, we got hit with a ransomware worm that would have been stopped if the employee who opened the email attachment didn’t have local administrator rights. Since the employee did have local admin rights, she was able to just click “OK” on the Windows User Account Control window and launch the worm (she thought it was a .pdf invoice).

The Benefits

While some benefits are obviously stated in the previous section, there are some additional ones to consider.

Your IT Staff Will Thank You

It may seem at first that you will increase the workload of your IT staff if they have to help every employee who needs to perform an administrative function, but that’s actually not true. In fact, troubleshooting becomes much easier, which will more than make up for the additional time spent vetting requests that require a local admin to move forward.

When I worked on a help desk, our users didn’t have local administrator rights. What that meant for us was that when we got a call from a user saying something was broken, we could eliminate over 90% of the possible causes simply because the user wouldn’t have had the ability to execute them. Issues were fixed quicker and we could move on to the next task.

Your Bottom Line Will Thank You

Huge monetary losses incurred by viruses and ransomware can severely damage your business. The ransomware attack I talked about earlier? That cost the company over $800,000 in lost production – and it could have been avoided by removing the admin rights from someone who didn’t need them in the first place.

Final Thoughts

You might get some initial pushback from your employees when removing admin rights. And to be fair, there may be a few employees who legitimately need them. For those, consider extra training and a higher level of accountability before giving in and handing over the keys to the castle. In the end, your business will reap the benefits.

Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover band, Liquifaction.
