There are many reasons why it’s a good idea to run without admin rights on your computers.
Since I talk and write too much, I narrowed it down to my top 5 reasons why it’s important to do so.
When covering IT security, there are proactive and reactive measures. Both are needed, but proactive measures are much more important. This includes things like permissions and firewalls. These protection layers keep the computers clean and efficient. Consider Proactive measures like doormen at a nightclub.
Reactive measures like SentinelOne are kind of like bouncers at the nightclub – They keep things out and enforce club policy inside. Doormen and bouncers work together.
This note covers proactive measures – removal of admin rights (and the effective management of user rights using privilege management technology) to secure your business PCs – and the 5 big reasons why you should consider a zero admin rights policy.
1) Keep malware off your computer
As your computer can’t differentiate between good and bad software, the only way to prevent the installation of malware is to prevent installations. So in this case, your standard everyday user shouldn’t be able to install software that affects the whole computer.
2) Keep the computer running smoothly
A limited user cannot write files or entries in places where admins can. Ultimately this means that by removing admin rights your PCs are cleaner and more stable, with a longer lifespan.
3) Keep the protection enforced
An admin user can turn off your protective measures. They can disable your firewall, SentinelOne, encryption, Effectively, they can send the doormen and the bouncer’s home, leaving the club without any protection. And if the admin is running malware, the malware can do the same. Malware could never affect the computer in the first place without admin rights.
4) Keep computers compliant
Microsoft’s own Security Policy states that a user in the local admin group can manage the computer 100%. There is no way of controlling admins with group policy (like Sharepoint). They can do what they want. And that might not be what you want. Admins can deny the system from reading policies – and if you deny the rules, you don’t have to obey them.
5) Keep your network clean
Your network is only as secure as its weakest link. One computer on the domain running admin rights is a hole that compromises the entire network.
