One of the top recommendations I made to increase your security “bang for the buck” in 2011 was to increase the percentage of users that run without administrative access.
For clients, we’ve recently published a research note that details the best practices for removing administrator rights from Windows users.
One of the best practices is to use the migration to Windows 7 as a catalyst to remove administrator rights. Windows 7 helps the removal of administrator rights with a set of technologies under the umbrella brand of “User Account Control”; however, UAC has it own set of pros and cons.
Many clients have reached the conclusion that a third party privilege management tool will be required to help with the removal of administrator rights – at least for some percentage of their users.
The good news is that there are multiple competing vendors that provide this capability:
- Altiris (Symantec) – as a feature within its application control offering, sold separately on request
- AppSense – as a feature within its application manager offering but not sold separately
- Windows “Run As” (requires administrator credentials)
Note that ScriptLogic has moved beyond its free, community-supported offering to an enterprise version that includes support and more features.
If you are a client, give me a call if you want to talk through these solutions and whether or not they are required with your Windows 7 deployment.