Local Admin Rights

We have the beginnings of a Windows 7 deployment project. As part of that I’ve been asked to develop a presentation for the director regarding local admin rights.
At our company it seems local admin rights is sacrosanct. On the other hand, I was once told Universities couldn’t have firewalls because of academic freedom. Now I understand that is no longer the case.
We last tried limiting user rights under Windows 2000. That involved a limited group of users, mostly secretaries and the corporate division. It fell apart quickly as the helpdesk was able to give users admin rights to get around problematic applications rather than taking the time to fix the application.
Applications and operating system support has improved for limited rights accounts has changed significantly since Windows 2000. Nevertheless it remains a political and technical hot potato.
The Federal Desktop Core Configuration (FDCC) requires the use of limited rights. This process is more about reminding senior management of the problems with users doing whatever they want, and getting them to sign a waiver for the FDCC requirement.
Right now I have what I think is mission impossible.
1. Demonstrate the problems caused by users being able to do whatever they want. Unfortunately our helpdesk is allowed to work without recording tickets accurately. Also virus incidents are not fully investigated so it is impossible to say x virus incidents occurred because the user was an administrator or Y systems were reloaded because the user installed a bunch of crap.
2. Show that our customer (the Federal government) is not giving users local admin rights. I can say what is required. But I really have no connection into the CSO office at each customer to determine their FDCC compliance.
3. Show that companies like us are limiting local user rights. Again, I’m not sure how I can do this. I dont see a Gartner report on this.
I have a month to put this together so we’ll see what I can come up with.


  1. Getting companies to move past the “admin user” crutch can be difficult. I think your best angle may be focusing on how much security and technology has changed in the last nine years since Windows 2000 was released. I started to write a list of points about limited user accounts here, but instead decided to post them on my blog. You can see that post at the following link: http://riosec.com/limited-user-account-benefits.
    I hope it works out for you. Removing administrative access may be the single biggest security win you could possibly do.

  2. good thoughts and a nice blog.
    I’d forgotten about the study showing 92% of criticial Windows vulnerabilities (in 2008) were limited or eliminated by removing local admin rights.
    I always seem to only remember examples that work better for the other side. The bad guys are starting to create malware designed for limited rights users. if nothing else Google Chrome will show the way. The study reminds me that its the exception that proves the rule.

  3. How is UAC entering your debate? I have used windows 7 with UAC enabled since RC1 and have had no issues clicking on the occasional popup. Of course, I have not tried the sort of operation that led me to disable Vista UAC — I was unable to restore files with NetBackup as the NB daemon was not able to ask for permission to write the files.

  4. I have a feeling that will end up being the middle ground. users have admin rights. UAC will then prompt the user to click OK if they want to burn their house to the ground.
    I prefer to run vista as a regular user and use UAC to prompt me for an account with admin rights when I install things. Managing admin accounts for users isn’t going to happen. So its either limited rights, or have UAC act as training wheels for the user.
    Since we skipped vista I dont think I”m at my best discussing uac right now.

Comments are closed.