Local PC Administrator Access – A Risk Analysis

adminKnowledge Base

When assigning permissions to users throughout any organization, best practice is to always assign only the permissions that are absolutely necessary.  In accordance with this principle, we always recommend that users use an account on their PC that does not have administrator permissions unless there is a strong business justification.

When evaluating our call history, the vast majority of virus infections, computer slowness, and operating system issues are a direct result of a user having administrator access. If your business decides to allow users administrator access to their machines as a policy, it will cause your total technology costs to rise on average (e.g. fixing computer issues, employee downtime, data loss from virus infections). It is important to ensure that the increased potential cost is justified by a necessary and legitimate business need.

Administrator accounts on a computer allow the user to install software, make any change to the system settings, and override local folder permissions. Anytime a user has or has access to an administrator account any of the below is possible:

  • Unauthorized software can be installed on the computer leading to non-work activities and computer slowdowns.
  • Users can intentionally or unintentionally execute a malicious program leading to infections that could potentially span many PCs. These are often undetectable by anti-virus programs (frequently because the user specifically allows them to execute!).
  • If multiple users use a single PC, the administrator account can be used to access data in other user profiles.
  • Operating system settings can be changed intentionally or unintentionally causing potentially unfavorable consequences.

Below are three operating scenarios for a mythical user “John Doe”:

User JDoe is assigned limited (“user”) permissions.

Pros Cons
  • Substantially decreased likelihood of malware infection.
  • John Doe cannot access any files outside of his profile without explicit permissions granted by an administrator.
  • Critical system settings cannot be modified without intervention of an administrator.
  • Only company approved software is able to be installed on the PC, reducing distractions and keeping PC running smoothly.
  • Some software (usually old or poorly designed) will not run without an administrator account.
  • User will need to contact a Windows Engineer when they change settings or install programs. This usually does not happen frequently, but it can slow down some work in the short term (in exchange for long term system stability).
  • Some users may take offense to not having unrestricted access (especially if they’ve had it in the past).

User JDoe is assigned a limited user account for day to day work, but also given access to a separate local administrator account that they can use when needed.

Pros Cons
  • Some forms of malware will not be able to install and run to the computer.
  • Provides the user with a “stop sign” when administrator credentials are requested, reminding that an action is being taken that will modify the system.
  • Users can install software at their convenience (which may be necessary if the user is frequently mobile or does certain job functions).
  • Some forms of malware may request administrator permission to install, which the user can bypass (intentionally or unintentionally).
  • User has unrestricted access to all files stored on the local machine (including those for other users that use the same PC).
  • Software installation and setting modifications are unlikely to be reviewed by a qualified Engineer prior to their introduction.

User JDoe is assigned an ‘administrator’ account which is used on a daily basis.

Pros Cons
  • User has complete flexibility to install software and make other system modifications at their leisure.
  • Unauthorized software may be installed with no auditing.
  • Malware can potentially install/execute on the computer with limited user notification.
  • User has unrestricted access to all files stored on the machine regardless of their set permissions.