Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Removing Administrator Rights for Windows Users is not “Lockdown”

by Neil MacDonald  |  May 4, 2011

In discussions with clients, I still run into some confusion on whether or not removal of administrator rights constitutes “lockdown”. Perhaps this was the case a few years ago with older Windows applications and Windows XP, but this is not the case today with Windows 7. For example:

  • Standard users can install and execute well-written software on XP and Windows 7. For example, Google’s Chrome and Firefox install just fine when users don’t have administrator rights.
  • With Windows 7, standard users can install printer drivers.
  • With Windows 7 and AXIS (Microsoft’s ActiveX Installer Service), standard users can install ActiveX controls that conform to policy within Internet Explorer.
  • With Windows 7, standard users can now perform most of the standard day-to-day Windows functions that they couldn’t do on Windows XP, including such things as changing time zones, changing monitor resolution, looking at (but not changing) firewall configuration, renewing a DHCP address and so on.

Net/Net – removing administrator rights from Windows users is not “lockdown”. This leads to two pieces of advice:

1) If you are removing administrator rights during the migration to Windows 7, don’t call this “lockdown”. For some reason, the term “lockdown” rubs users the wrong way. ;-) As an alternative, how about telling users they are receiving a “security-enhanced desktop”? Seriously, they aren’t administrators on their iPads or iPhones and you don’t hear too many complaints. We can achieve a similar outcome on Windows. For some situations, a third-party tool for privilege management may be needed, but it can be done.

2) If you truly want a “locked down” environment where users cannot extend their workspace, you’ll need additional policies and controls to implement this, such as Application Control / Whitelisting technology.

I discuss how to successfully remove administrator rights from Windows users in detail in this research note for clients, complete with a list of the top 14 or 15 best practices for this initiative.

Category: Beyond Anti-Virus Endpoint Protection Platform Microsoft Security Windows 7