Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


August 2006

The Balancing Act Between Security and Usability

From the August 2006 Edition
of Windows IT Pro
Apostolos Fotakelis
Reader to Reader
InstantDoc #50342
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Security and ease of use don't go hand in hand. If your network's security is too tight, your network is more difficult to use and manage. If your network's security is too loose, your network is vulnerable to attacks.

A common situation in which you need to find balance between security and usability concerns whether you should give local administrative privileges to users who use the same computer every day. If you give users local administrative rights, any viruses, worms, spyware, or other malware that finds its way into their computers can access the network and do a lot of damage. However, if you deny users these rights, they need to contact an administrator whenever they need to install a new application, making the installation inconvenient for users and more work for the IT staff. In addition, some users might need local administrative privileges to perform their jobs. For example, programmers often need local administrative privileges so that they can test the programs they're building and read various registry keys, files, and performance counters.

In my company's network, I noticed that users don't get malware from the applications they intentionally install. Instead, they unintentionally pick up malware while browsing the Internet or opening mail. So, I recently started using a new approach with Windows XP and Windows 2000 Professional computers. I have users log on to their machines with their regular user accounts. When they need to install a program, I've trained them to use the RunAs tool to log on under a local administrative account I created for them. Similarly, programmers use the local administrative accounts when they need to test programs or access the registry, files, or performance counters. With this approach, whenever users need to perform a special task, such as installing applications or performing tests, they can do it themselves. If any malware happens to find its way into their computers, it can't spread. The only way malware can spread is if users intentionally install a malware program on other machines, which is highly unlikely in my environment. The risk of having malware is even reduced on users' local machines because the users aren't targets. (Gaining access to an administrative account is a lot more lucrative than gaining access to a regular user account.)

I lock down the local administrative accounts even further to prevent misuse. I give a different username and password to every account to prevent users from using the same account on all computers. I also use Local Security Policy settings to deny network access and deny the ability to log on as a service or batch job.

End of Article

Reader Comments
All SA's need to read this especially before applying Least User Principle in networks

prozulu March 22, 2007 (Article Rating: )

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...

Microsoft Delivers Service Pack 2 Beta 2 for Vista, Server 2008

Microsoft on Tuesday announced the availability of the Beta 2 version of Service Pack 2 (SP2) for Windows Vista and Windows Server 2008. Since both operating systems were developed from the same code base, they have a common servicing structure and thus ...

Windows Live Wave 3 Services Launch Begins

Late Tuesday, Microsoft began rolling out the services portion of its Windows Live Wave 3 launch. The company is shipping an unprecedented number of new and improved services that build off the success of Hotmail and Windows Live Messenger and attempt ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events SQL Server 2008 – Can You Wait? | Philadelphia

SQL Server 2008 – Can You Wait? | Atlanta

SQL Server 2008 – Can You Wait? | Chicago

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.

Implement a Successful Archiving Solution
View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets
Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.

Prepare Yourself for Exchange Catastrophe
Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.

Boost Customer Confidence and Satisfaction
Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing