Last updated on December 19th, 2019 at 10:46 pm
This post is for those business owners who think that logging in using a local admin account is no big deal.
To folks in the IT industry, this rule is pretty elementary. So if you’re one of those business owners, or you have employees and you think it’s just too much of a hassle to take away their local administrator rights, this article is for you.
It’s About Control – But Not in a Bad Way
Well, control is definitely part of it – but not in the way you might think. It’s not about a boss keeping his thumb on an employee. Let’s at least assume that your employees are trustworthy, and just want to do the best they can for the company. Sure, this may not always be the case, but we’ll tackle the insider threat in a future post.
What it is about, is limiting the amount of damage that can be done by an inadvertent click or seemingly harmless piece of software downloaded from the Internet.
1. A Local Administrator Can Install Software Without Approval
While most employees who install a piece of software do so out of an intention to make their job easier, without control of the software running on your systems, you expose yourself to untold risks.
It’s unlikely any employee will research the reliability and security of a piece of software they download. In addition to that, you may find yourself using unlicensed software that could cost you down the road due to software piracy.
As a business owner, the legal responsibility for what runs on your systems ultimately lies with you – even if you don’t know what’s on them.
2. A Local Admin Can Accidentally Make Detrimental System Setting Changes
A lot of power in the hands of the untrained, can wreak havoc. A local admin may end up disabling Windows Updates while trying to change a power setting, ultimately leaving their system unpatched and vulnerable. They could delete important system files rendering a computer unusable – and what if that computer has important data on it?
3. A Local Admin is More Likely to Launch a Malicious Script or Virus
When I worked for an aerospace company, we got hit with a ransomware worm that would have been stopped if the employee who opened the email attachment didn’t have local administrator rights. Since the employee did have local admin rights, she was able to just click “OK” on the Windows User Account control window and launch the worm (she thought it was a .pdf invoice).
While some benefits are obviously stated in the previous section, there are some additional ones to consider.
Your IT Staff Will Thank You
While it may seem at first, that you will increase the workload of your IT staff if they have to help every employee who needs to perform an administrative function, it’s actually not true. In fact, troubleshooting becomes much easier which will more than make up for the additional time vetting requests that require a local admin to move forward.
When I worked on a help desk, our users didn’t have local administrator rights. What that meant for us was that when we got a call from a user saying something was broken, we could eliminate over 90% of the possible causes simply because the user wouldn’t have had the ability to execute them. Issues were fixed quicker and we could move onto the next task.
Your Bottom Line Will Thank You
Huge monetary losses incurred by viruses and ransomware can severely damage your business. The ransomware attack I talked about earlier? That cost the company over $800,000 in lost production – and it could have been avoided by removing the admin rights from someone who didn’t need them in the first place.
You might get some initial push back from your employees when removing admin rights. And to be fair, there may be a few legitimate employees who really need it. For those, consider extra training and a higher level of accountability before giving in and handing over the keys to the castle. In the end, your business will reap the benefits.
Subscribe to Our Mailing List
If you found the information in this post helpful, we'd love to have you join our mailing list. We promise we won't spam you, we only send out emails once a month or less.