In discussions with clients, I still run into some confusion on whether or not removal of administrator rights constitutes “lockdown”. Perhaps this was the case a few years ago with older Windows applications and Windows XP, but this is not the case today with Windows 7. For example:
- Standard users can install and execute well-written software on XP and Windows 7. For example Google’s Chrome and Firefox install just fine when users don’t have administrator rights.
- With Windows 7, standard users can install printer drivers.
- With Windows 7 and AXIS (Microsoft’s ActiveX Installer Service), standard users can install ActiveX controls that conform to policy within Internet Explorer.
- With Windows 7, standard users can now perform most of the standard day-to-day Windows functions that they couldn’t do on Windows XP including such things as changing time zones, changing monitor resolution, looking at (but not changing) firewall configuration, renewing a DHCP address and so on.
Net/Net – removing administrator rights from Windows users is not “lockdown”. This leads to two pieces of advice:
1) If you are removing administrator rights during the migration to Windows 7, don’t call this “lockdown”. For some reason, the term “lockdown” rubs users the wrong way. As an alternative, how about telling users they are receiving a “security-enhanced desktop”? Seriously, they aren’t administrators on their iPads or iPhones and you don’t hear too many complaints. We can achieve a similar outcome on Windows. For some situations, a third party tool for privilege management may be needed, but it can be done.
2) If you truly want a “locked down” environment where users cannot extend their workspace, you’ll need additional policies and controls to implement this such as Application Control / Whitelisiting technology.
I discuss how to successfully remove administrator rights from Windows users in detail in this research note for clients complete with a list of the top 14 or 15 best practices for this initiative.
Category: Beyond Anti-Virus Endpoint Protection Platform Microsoft Security Windows 7 Tags: Apple, Beyond Anti-Virus, Endpoint Protection Platform, Lockdown, Microsoft Security, Security-Summit-NA, Whitelisting, Windows