Granting Administrator Privileges to users

Granting Administrator Privileges

Granting administrator privileges to users is one thing that I often see, that is done much more than it should be. The reason given is this simplifies those occasions when software needs to be installed or updated. However, in general, this is a bad practice.

The simplification of installing legitimate software will be exploited if you are ever the victim of malware or viruses. Since the user that the infection uses already has administrator privileges, the malware does not need to find anything to exploit for it to have access to your entire system. If the malware already has inherited the privilege from the user login and can wreak whatever havoc is in its payload.

On the other hand, if the user is given basic user privileges, and the malware is unable to find any way to exploit the system to increase its privileges, then the damage is contained to what the captured user can modify. While that is still upsetting, having to restore some documents, and change user settings is more desirable than having the entire computer system corrupted and compromised. Not to mention, the potential effect on other computers on your network, if administrator-level privileges can be leveraged against them.

With properly set permissions, users can do everything that they need, without elevated privileges. It can take some extra time to setup the appropriate permissions, but not nearly the time that it takes to recover from a malware attack that could have been limited in scope by a simple restriction of administrator level privileges.


Leave a Reply