A surprising number of businesses in Framingham, Natick, Sudbury, and the rest of the country have employee computers set up with the user having administrative access.
They do this for a number of reasons, including:
- It’s always been done that way
- They don’t want to lock employees out of needed system resources
- They don’t understand the risk this poses to IT security
Admin users pose serious risks in several ways. This can include both user errors and insider attacks perpetrated by hackers that gain access to user credentials.
As many as 95% of cybersecurity breaches are caused one way or another by human error.
Managed IT services can help protect devices in a number of ways, through patch management, backups, ongoing monitoring, and DNS filtering. However, it’s also important to employ proper access control protections, one of which is not granting users admin access to a computer.
Before we get into the why of what can go wrong if you allow users to have administrator privileges on their device, let’s go over what this restriction means.
Many business owners are afraid a user will be locked out of important things they’ll need on their system if they’re not an admin, but in truth, limits are fewer than most realize. Many users won’t even notice a change in their day-to-day productivity.
When someone is not a system admin they can’t:
- Add or remove an application
- Copy, change, or delete files in protected areas of the hard drive
- Change critical operating system settings (personalization, etc.)
When someone needs to install a program, this can easily be accommodated by including an administrator account on the computer but only using it for admin tasks, not as a regular user. Then, an authorized IT pro can use that account to perform an administrative task, and log back out when finished.
What Can Go Wrong If Users Have Admin Access to Their Device?
Any Setting Could Be Changed for the Worse
An administrator can adjust security settings, turn off device antivirus, and much more. They have complete control over the settings of a device and they can change them for the worse and to settings that leave a device more vulnerable to attacks.
This could be done accidentally, because a user doesn’t understand how their configuration change will hurt security, or because a hacker gains access to a device remotely and logs in as that user.
Any Program Can Be Installed or Removed
Admin-level users can install and remove programs. This means a user could think they’re installing a helpful productivity tool they found online that is actually full of adware or spyware.
Users could also accidentally remove a vital program that the company requires on all computers for compliance, tracking, or another need.
You can greatly improve device stability and prevent problems like shadow IT by removing a user’s ability to add or remove programs from their system.
Can Execute Code from Malware
A common way that viruses, ransomware, and other forms of malware infect a system is because a user opens a malicious file attachment and has admin permissions on their user account.
This gives the code the permission it needs to execute and infect critical system files that a non-administrator account would not have access to edit.
Without having those permissions, a malicious script that was trying to change PowerShell or other operating system files would not be able to run.
Might Accidentally Delete Vital System Files
Users are not typically IT professionals, thus it’s easy for them to get into trouble when trying to “fix things” themselves on their device.
If a user has administrative privileges on a PC, they could delete vital system files, essentially breaking parts of the operating system. This could mean hours of lost productivity while you’re trying to track down the problem and restore the device’s components.
Employees Can Adopt Unauthorized Apps
When employees use software that’s not approved by their company, this is called shadow IT. This can be a big security risk and it’s one that’s been growing because of the increased number of remote workers.
83% of surveyed IT professionals report that employees at their company have stored data in unapproved applications.
By removing the ability to add and remove applications on their PC, you can combat a significant portion of shadow IT use, helping to improve overall cybersecurity.
Improve Security with a Managed Business Support Plan
Pro Tech Guy offers flexible managed business support plans that include device protection and monitoring, plus employee assistance when they need it.
Through our remote support, we can take care of an employee’s admin needs quickly, allowing your team to stay productive and secure at the same time.
Contact us today to learn more and sign up. Call 508-364-8189 or reach us online.