How Do I Grant Least Privilege? Or, Help! I Think Someone Needs Admin Rights!

You may realize that giving out admin rights (i.e. adding someone to the Administrators group) is a bad thing. But your boss and/or favorite employee might be insisting that they need them in order to do their job. You feel stuck. What do you do?

First, you need to learn something: the Administrators group isn’t magic. The only reason it can do everything it does is that when Windows is installed, setup creates a group called Administrators and grants it a lot of permissions on files, folders, registry keys, and Local Security Policy entries.

So basically, if you removed all of Administrators’ file, folder, registry, and Security Policy permissions and gave them to a new group called SuperCoolPeople, suddenly Administrators would be totally powerless on that machine and SuperCoolPeople would be the new admins.

Since NOBODY needs ALL the privileges granted to the Administrators group by default during the normal course of business, that means that you can selectively give people permissions they need without giving them the permissions they don’t need. In other words, Least Privilege.

So if you do some research and bite the bullet, you might create a group called LegacySoftwareUsers and grant it permissions on the Program Files folder, maybe even the root of the C drive, certain parts of the registry (the registry has permissions in it, just like folders!), and even normally-administrative security policies like changing the system time and installing software. But you might decide not to give that group permissions like disjoining the computer from a domain, modifying users and groups, resetting passwords, installing device drivers, etc.
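
The setup described above, sketched in PowerShell as an added example (not from the original post). The `LegacyApp` folder and registry key are hypothetical placeholders, scoped to one application rather than all of Program Files, and the script assumes an elevated PowerShell 5.1+ session.

```powershell
# Added example, not from the original post. Run elevated (PowerShell 5.1+).
# The LegacyApp folder and registry key are hypothetical placeholders.
$group  = 'LegacySoftwareUsers'
$appDir = 'C:\Program Files\LegacyApp'   # hypothetical
$appKey = 'HKLM:\SOFTWARE\LegacyApp'     # hypothetical

# 1. Create the local group if it does not exist yet.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'Rights needed by LegacyApp only' | Out-Null
}

# 2. Folder ACL: Modify on the application directory, inherited by children.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$acl  = Get-Acl -Path $appDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', $inherit, $none, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $appDir -AclObject $acl

# 3. Registry ACL: read/write values and create subkeys under the app's key only.
$acl  = Get-Acl -Path $appKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $group, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', $none, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $appKey -AclObject $acl

# 4. Security policy: add the group to "Change the system time"
#    (SeSystemtimePrivilege) by exporting, editing and re-applying user rights.
$sid = (Get-LocalGroup -Name $group).SID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg | ForEach-Object {
    # Append the group's SID to the existing assignment unless already present.
    if ($_ -match '^SeSystemtimePrivilege\s*=' -and $_ -notlike "*$sid*") { "$_,*$sid" }
    else { $_ }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

Group membership and the new user right take effect at the member's next logon; `whoami /groups` and `whoami /priv` in their session show the result.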

The fact that most admins don’t seem to know most of this is a profoundly depressing rebuke of our industry. When Linux admins chuckle at the Windows admins, I imagine this is one of the reasons why. You are an administrator, an IT professional; your systems are under your complete control. Don’t wait for Microsoft to bash you upside the head (again) with something like the UAC before waking up and doing the hard work of figuring out how to make your systems both secure and usable for your userbase.
