When it comes to user rights, less is more, according to officials at BeyondTrust.
With that in mind, the company has launched a piece of freeware to help organizations minimize user rights as part of an overall enterprise security strategy. Using BeyondTrust Application Rights Auditor, users can identify software that requires elevated privileges.
Once those applications are identified, enterprises can develop plans to remove users' administrative rights without any application downtime or impact on business productivity. According to BeyondTrust officials, there were previously only two ways to determine which applications required users to have administrative rights: take the rights away and see which applications broke, or examine every installed application one at a time.
"Application Rights Auditor is able to determine which applications require users to have administrative rights based on both static and dynamic information it collects," said Chief Technology Officer Marco Peretti. "On computers with the Application Rights Auditor desktop component, all installed applications will be compared to a set of known applications that require users to have administrative rights. Application Rights Auditor will also profile application executions on these computers to find additional applications that require users to have administrative rights."
Centralized reports will then allow an enterprise to view all of the findings, he said.
Some experts contend that while removing administrative rights may be unpopular in many organizations, it can have the side effect of protecting organizations from malware that takes advantage of elevated privileges on compromised machines. Administrative rights also allow users to circumvent security policies by installing unapproved applications or making unauthorized modifications to a standard desktop configuration.
In February, the U.S. government set a deadline requiring that administrative rights be removed from Windows desktops at all government agencies as part of the Federal Desktop Core Configuration mandate, Peretti said.
"End users with administrator rights have long been the Achilles heel of desktop security," he said. "Allowing employees to operate with more rights than they need for their jobs is a security risk because it makes it easier for malicious software to install and increases the damage that malware can do once installed."
BeyondTrust Application Rights Auditor is available for free download and supports Windows 2000, XP and Vista, Windows Server 2003 and 2008, and 64-bit Windows platforms.