Why So Shy About Locking Down Systems?

Opinion: Companies should make sure that they're granting their users the smallest set of system administration privileges required to get their work done.

The symptoms and sources of spyware are legion, but all spyware infestations spring from the same root.

Whether these unwanted, annoying, sometimes harmful applications make their way onto your organizations machines via a software vulnerability or by tagging along with apparently innocuous applications, the problem boils down to one of unauthorized software installation.

Before spending time and money on solutions that follow users around removing harmful applications theyve unwittingly installed, companies should make sure that theyre granting their users the smallest set of system administration privileges required to get their work done. Far too many users, in both home and corporate settings, run their systems with administrative rights—accounts that grant users (and the processes, both harmful and innocent, that they launch) absolute power over the machines theyre using.

/zimages/1/28571.gifClick here to read Labs reviews of three anti-spyware products.

Ideally, organizations should set up employees with only limited user accounts, thereby delegating all software installation rights to the IT department. In this way, administrators can verify applications as spyware-free and test them for compatibility with corporate system images.

Of course, without processes in place to streamline the request for and verification and installation of new applications, system lockdown policies can create as many problems as they solve.

Microsoft Corp. has also done an admittedly poor job of facilitating least-privilege policies in Windows, opting instead for the convenience of total control. The first user created in new Windows installations, for instance, defaults to administrative rights, and theres a too-long list of applications that senselessly require administrative rights to function.

Microsoft is taking steps to make limited user accounts work more smoothly in the forthcoming "Longhorn." Along similar lines, Microsoft has also announced that Internet Explorer 7 in Longhorn will run with reduced privileges, which will limit the amount of damage that browser vulnerabilities can cause to the system.

If a vital application in your enterprise needlessly requires administrative privileges to run, let your vendor know that this is unacceptable and requires immediate attention.

If users in your organization require administrative rights or if your IT infrastructure isnt yet capable of managing software centrally, configure separate administrative and limited accounts, and instruct your users to run in administrative mode as little as possible. The fast user-switching feature of Windows XP is a good way to keep these accounts separate while maintaining convenience.

In addition, check out Microsoft Senior Consultant Aaron Margosis excellent set of blog postings on the whys and hows of running Windows with limited user rights at blogs.msdn.com/aaron_margosis/archive/2005/04/18/

/zimages/1/28571.gifReaders Respond: Why So Shy About Locking Down Systems? Click here to read more.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.