IT Employment

General discussion


Defending Principle of least privilege

By Namco ·

I am implementing the principle of least privilege in my organisation by making sure users active directory accounts are a member of the users group on their PCs.

I have a group of users that work out of hours, they have a nightshift plus weekend shifts. Traditionally they have had admin privilege so they have a better change of resolving any issues themselves.

Do I enforce the policy for these users or make a compromise? If I make a compromise (e.g. let them know the local administrator password for the PCs) then I'd like to know when the elevated permissions are being used, possibly by being alerted to when the local admin account is used, or being alerted whenever software is installed, does anyone know of software to do this?



This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

That and much more...

by RU_Trustified In reply to Defending Principle of le ...

Trustifier does this and much more...

For an information flyer, feel free to email me at:

trustifier at yahoo dot ca.

Collapse -

Off-Hours Support

by Wayne M. In reply to Defending Principle of le ...

The users working off-hours still need support. The choices are:

1) Hire a full-time off-hours administrator
2) Give regular administrators a pager and an oncall schedule
3) Give the users privileges and some training to handle their own support
4) Provide no off-hours support but draft a policy for off-hours workers to follow if the system is inoperable.

It sounds like this company has been running in mode 3. The decision to be made is the whether the value of the new security policy is worth the cost of moving to option 1, 2, or 4.

Depending upon the number of off-hours personnel, I would recommend option 1 or 2, but I have no inside knowledge of the company in question.

Collapse -


by honeycutt In reply to Off-Hours Support

The issue of who has privileges and who doesn't is business dependent. Some organizations - banks, hospitals, etc. - have little leeway in the decision. Other organizations educate their users and give them full access.

Keep in mind the lack of privilege almost always makes the end user's work life more difficult. It is also a major morale issue when some people have full access to their computers and other employees don't.

In any case, I suggest giving upper management the pros and cons of the situation and let them earn their money.

Mike Honeycutt

Collapse -

The User is King

by mickeymcgee In reply to Defending Principle of le ...

The user owns the desktop. (Should!) The users run the business that makes the money that buys the equipment and hires the people to support their systems. Support means enable, not disable!

Don't ignore the business need.
(What would you think if the janitor locked up the restrooms over the weekend to kepp them clean?)

Collapse -

"User is King" is too extreme

by fractalzoom In reply to The User is King

The notion of the user as king goes too far in that direction. We have all seen that if left to their own devices, "kingly" users are prone to load unauthorized software, alter system security settings and in general do things which place their computers - and by extension the entire enterprise - in jeopardy.

I fully agree that the business need must indeed be acknowledged, and that excessive security makes computers counter-productive as a tool of business. But to give carte blanche to users who may not understand the broader implications of their actions is irresponsible and not good IT governance. It is the responsibility of IT security policy makers to find the appropriate balance between user permissions and system protection. It's a more complex and nuanced path than simply locking it all down or making it all wide open, but that's how IT managers earn their wages.

To draw a parallel: Too much police is fascism, but that doesn't mean we eliminate law enforcement altogether, which is what mickeymcgee's statements seem to imply.

Collapse -

Risk taken by one shared by all

by millersp1 In reply to "User is King" is too ext ...

While I agree the balance between security and end-user permissions is a precarious one, I feel compelled to share these thoughts for you (all) to ponder. One "life-enhancing" spyware app installed on a network can internally gather enough vital business information and export it to its maker's website in less than a week. While I was in the military, my commanding officer demanded he have admin priviledges so he can "access the cool little "calendar" in the systray". Calendar indeed.

In one of the few security audits I have had the privilege of participating in, the lead auditor stated, "It is impossible to secure the network with users having admin privileges". I, for one agree. Many threats can be mitigated by giving even admins the least amount of privileges they need to do their job. AD and roles-based AD consoles (think Quest Active Roles Server) are very granular, and admittedly expensive, solutions to some of these issues.

Related Discussions

Related Forums