5 Reasons NOT To Give All Your Users Admin Privileges

Would you give your teenage kid with a newly minted drivers license your old honda to drive or your 2-door coupe that you ride on the weekends?

girl with paint of body

Would you give your teenage kid with a newly minted drivers license your old honda to drive or your 2-door coupe that you ride on the weekends?

Would you let your 7 year old use your work computer while logged into slack and email, or tell them to use the family computer in the kitchen?

Allowing your employees use corporate devices while logged in as Administrator, without any other controls, is quite similar. It’s like saying…

Hey, here’s a powerful shiny new computer with access to corporate data and secrets… oh and please don’t use it for personal browsing, gaming, or illegal movies. Use your old computer for that.

So here are 5 reasons why regular users shouldn’t have admin privileges:

1. You’re company hasn’t invested in Anti-Malware software

Yes, this is waay more common than you think. You’re a young startup and focused on building… oh and you don’t have any dedicated IT staff, so you just haven’t gotten around to it. Or maybe it’s a cost issue. Granted, not giving admin might actually place a larger IT burden on your company.

2. Office documents, macros, etc

Office documents are quite powerful and can execute a lot of stuff. Oh, think you’re impervious because you’re a gmail shop and don’t have MS Word? Have a lawyer or worked with one? They only use MS Word.

3. The Cloud

So much software is in the cloud these days, that aside from either image editing, office software, or pm software… everything else is cloud based and runs in the browser.

white clouds and blue sky during daytime

4. You’re Not An Engineer Or Graphic Designer

Sales and marketing for the most part have all the apps they need and really don’t need much else after that. This includes executives.

woman in green shirt sitting in front of computer

5. You Want To Avoid Malware (Not Ransomware)

Kinda like #1, but not having admin significantly (not completely) reduces your exposure to malware.

Unfortunately though, a lot of ransomware does NOT need to admin privileges to run.

TLDR - A Perfect World Of No Admin Privileges

Here is a bullet list of a perfect world with relation to admin privileges to give you a sense of the outcome of everything I’m trying to illustrate for you:

  • Every machine’s administrator user has a unique password

  • Users have an appstore to select from a list of apps to install from

  • Most users, if not all, have standard user access

  • Privileged users, such as engineers and administrators, have received special training on the safe use of their machine

  • Super Admins have separate credentials for everyday access

For this you will need MDM software, Anti-Malware, and good playbook for a smooth roll out. All CSL clients get access to this playbook and others as well, including coaching along the way.

Want To Give Your Users Admin Still?

Let’s be practical… you’re a small shop and can’t do all this… the next best thing to do is create two users at the time of provisioning. One is their regular user for day-day activities and the other is the special Adming “break-glass” user (with unique password) for when they really need to install something. The key here though is that you give them the “With great power” speech and tell them to be very careful in using that user. I helped my dad do this with his computer a few years ago, and it’s worked out.

Tip: If your users are admins already and want to downgrade and not lose their data, just have them create another local account with Admin privs, then login with that account and change the role of their users to a standard user.

Thank you for reading Last Week As A vCISO. Share it with others if you found it helpful.

ps. I think in the future, I might write an article and call it 5 Reasons To Give Users Admin 😉

Join the conversation

or to participate.