Sometimes, the simplest steps can make all the difference. For instance, eWEEK discusses a rudimentary step -- using a least-privilege approach to user accounts -- that makes a big difference in securing an enterprise.
IT administrators, who sometimes need expansive access rights, have administrative privilege turned on all the time. This is akin to a police officer using his or her patrol car's siren for hours on end. In other cases, "normal" PC users are given administrative privileges -- the ability to do anything -- because it makes things easier for both that user and IT.
In short, such scenarios let too many people do too many things. The story says Microsoft understands this and included a feature called User Account Control in Windows Vista. Companies such as Symark Software and BeyondTrust also address the issue.
Though some companies clearly get it, there still are significant challenges. A survey of 700 IT professionals by The Ponemon Institute and Aveksa found that 44 percent think users have unnecessary access rights. Sixty-nine percent said policies in their organizations are poorly enforced or nonexistent. The piece says 30 percent make sure policies are followed.
Organizations may be starting to rein people in. Windows IT Pro looks at the Federal Desktop Core Configuration (FDCC), a family of steps aimed at protecting Windows-based PCs used by federal employees, which includes rules on user privileges. The piece says federal agencies earlier this week had to submit a list to the Office of Management and Budget detailing which PCs run Vista and XP, whether they are FDCC-compliant and, if not, when they would become so. The story describes the advantages for organizations that employ FDCC and FDCC-like standards.
User account control (UAC) seems to be getting a bit of play, as evidenced by its inclusion in a list of top steps for home PC users to employ to keep their machines secure. The post at Copyright Law and Copyright Information, written by the CEO of BeyondTrust, points out that most malware requires administrative rights to propagate. The takeaway clearly is that UAC is annoying, but worth it.
IT administrators generally are not in love with UAC. This Realtime Community piece describes what it is, why it is unpopular and why IT folks should give it a break. The goal of the function is to get IT folks to run as normal users whenever possible. Thus, instead of giving IT advanced rights all the time -- when they are surfing the Web as well as when they are resetting routers -- UAC assigns them limited access rights by default. When they try to do something that involves advanced rights, the user is asked if this is OK and, if so -- and if the individual's "token" says he or she has such rights -- the request is granted. The annoyance is the constant questions. The writer says that this is a good thing, however, because it continually reminds users that they must be careful and it helps avoid mistakes.
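The split-token behavior described above can be seen from the administrator's own shell. The PowerShell script below is an added example written for this roundup; it is not code from the original post or from the Realtime Community piece it summarizes. It assumes Windows Vista or later with PowerShell, uses only the documented .NET WindowsIdentity API and the standard UAC policy values under HKLM, and the function names (Test-IsElevated, Get-IntegrityLevel, Get-UacPolicy, Start-ElevatedShell) are my own.

```powershell
# Added example: audit how UAC is treating the current session.
# Not part of the original post; assumes Vista+ and Windows PowerShell.

function Test-IsElevated {
    # With UAC on, an administrator's interactive logon receives a filtered
    # (standard-user) token. IsInRole(Administrator) is only $true once the
    # user has answered the consent prompt and a process holds the full token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IntegrityLevel {
    # The mandatory-label SID in the token shows which half of the split token
    # this process holds: Medium (S-1-16-8192) is the default limited token,
    # High (S-1-16-12288) is the elevated one granted after the UAC prompt.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $label = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-16-*' } |
        Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    switch ($label.Value) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { "Unknown ($($label.Value))" }
    }
}

function Get-UacPolicy {
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 means
    # administrators are elevated silently, which removes the "constant
    # questions" the article defends and should be flagged in an audit.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [PSCustomObject]@{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $p.ConsentPromptBehaviorAdmin   # 0 = never prompt
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Start-ElevatedShell {
    # Requesting elevation explicitly: this is the moment the user is "asked
    # if this is OK", and it only succeeds if the account's token carries
    # administrator membership.
    Start-Process powershell.exe -Verb RunAs
}

# Report on the current session.
"Elevated:        $(Test-IsElevated)"
"Integrity level: $(Get-IntegrityLevel)"
Get-UacPolicy | Format-List
```

Run it twice, once from a normal PowerShell window and once from one started via Start-ElevatedShell, and the first two lines change from False / Medium to True / High even though it is the same account both times; that difference is the whole point of UAC. An audit that finds UacEnabled false or AdminPromptBehavior 0 has found an administrator running with the siren on all day.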
Least-privileged access also pops up in efforts to assess and limit data risk. In this helpful story at SecurityPark, the big takeaway is that not knowing about risk is a good way to lose data and get into a lot of trouble, both legally and with clients. Within that context, the writer mentions some basic steps to minimize risk. Among them is providing vendors with least-privilege access, a step that will at minimum reduce the number of folks who might cause a problem.