Should you give Local Admin Rights to the user that will login to a computer? This is one of the major decisions that must be made when configuring a computer. As with all security decisions it comes down to a trade-off between three issues: Increased Security, Ease of Use, and Cost.
Local Admin Rights:
Giving a user Local Admin Rights means giving them full control over the local computer. (Please note that this DOES NOT give them any extra rights to anything on the network). A user with Local Admin Rights can do the following:
- Add and Remove Software
- Add and Remove Printers
- Change computer settings like network configuration, power settings, etc.
Easy Computer Management:
Giving Local Admin Rights is common practice because it makes managing the computer much easier. Users can perform tasks without needing an admin password. If the user does not have Local Admin Rights they will have to either know the admin password (very bad idea!) or have someone who does know it come over and provide it every time they need to install software or add a printer. This can mean significantly more work for your network administrator and/or lost productivity while waiting for your network administrator to come provide the password.
Another common reason for giving Local Admin Rights is because it may be recommended or required by some critical software used by your company. Most good software vendors have gotten away from this practice or they can provide a list of files and folders that the user needs access to so you can grant it for just what is needed.
Viruses and Malware:
Removing Local Admin Rights can reduce your risk of getting a virus. The most common way computers get a virus is because the user installs it. This is usually by accident: The user goes to an infected website or clicks on attachment in an email and the virus installs itself on the computer. As with legitimate software apps, many viruses need Local Admin Rights in order to install. If the user doesn’t have the Admin Rights then the virus can’t install itself. Be aware that this does not stop all viruses! Many viruses do not need Local Admin Rights to install.
The best protection from viruses is through user education and awareness. If your users are smart and careful about where they browse and what they click on, you will rarely get a virus.
Employees messing up Computers:
Some people just can’t stop messing with their computers. Users with Local Admin Rights can easily make changes to the computer’s configuration that will cause it to stop working. Removing Local Admin Rights will greatly reduce a user’s ability to mess up the computer.
Local Admin Rights: Yes or No?
This brings us back to our original question: Should you give Local Admin Rights to the user that will login to a computer? Unfortunately there is not an easy answer. We know the pros and cons:
- Easy computer management
- Software requirements
- Increased risk of viruses
- Increased risk of user messing up computers
As I said at the beginning of this article, all security questions come down to a trade-off between three issues: Increased Security, Ease of Use, and Cost. Removing Local Admin rights will definitely increase security but it will also decrease ease of use by making it harder to manage your computers. More time spent managing your computers will definitely increase your costs by some amount. Each business will balance these things differently.
No matter which decision you make you should be aware of the implications for your business. Willits Technologies can help you understand these implications so you can make the right decision for your needs. Contact use at firstname.lastname@example.org or 281-333-2505 to start the conversation.