by Neil MacDonald | May 4, 2011 | Comments Off
In discussions with clients, I still run into some confusion on whether or not removal of administrator rights constitutes “lockdown”. Perhaps this was the case a few years ago with older Windows applications and Windows XP, but this is not the case today with Windows 7. For example:
- Standard users can install and execute well-written software on XP and Windows 7. For example Google’s Chrome and Firefox install just fine when users don’t have administrator rights.
- With Windows 7, standard users can install printer drivers.
- With Windows 7 and AXIS (Microsoft’s ActiveX Installer Service), standard users can install ActiveX controls that conform to policy within Internet Explorer.
- With Windows 7, standard users can now perform most of the standard day-to-day Windows functions that they couldn’t do on Windows XP including such things as changing time zones, changing monitor resolution, looking at (but not changing) firewall configuration, renewing a DHCP address and so on.
Net/Net – removing administrator rights from Windows users is not “lockdown”. This leads to two pieces of advice:
1) If you are removing administrator rights during the migration to Windows 7, don’t call this “lockdown”. For some reason, the term “lockdown” rubs users the wrong way. As an alternative, how about telling users they are receiving a “security-enhanced desktop”? Seriously, they aren’t administrators on their iPads or iPhones and you don’t hear too many complaints. We can achieve a similar outcome on Windows. For some situations, a third party tool for privilege management may be needed, but it can be done.
2) If you truly want a “locked down” environment where users cannot extend their workspace, you’ll need additional policies and controls to implement this such as Application Control / Whitelisiting technology.
I discuss how to successfully remove administrator rights from Windows users in detail in this research note for clients complete with a list of the top 14 or 15 best practices for this initiative.
Category: beyond-anti-virus endpoint-protection-platform microsoft-security windows-7
Tags: apple beyond-anti-virus endpoint-protection-platform lockdown microsoft-security security-summit-na whitelisting windows
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.