The practice of using separate administrator accounts involves limiting certain privileges to a select group of users. These users are the system administrators, and they keep the system running properly.
Administrator privileges include application installation and the ability to work with files that are inaccessible to regular users. Here are a few reasons for restricting these privileges to only a few users:
1. Protecting Important System Files
Computers need system files in order to work properly. They are often part of the operating system. Sometimes, a user will attempt to remove a file, and will accidentally end up deleting one of these crucial files. By restricting privileges to a knowledgeable system administrator, you prevent inexperienced users from unwittingly removing a system file.
2. Avoiding the Accidental Installation of Malicious Software
Privilege separation prevents inexperienced users from accidentally downloading malware or a virus. This can occur when a person downloads a corrupted file that they believe to be safe. For example, a person could download what they think is an update for Adobe Reader, but is actually malicious software. By restricting download and installation privileges to a system administrator, you are making sure that nothing dangerous gets into your computers.
3. Establishing Software Consistency Across the System
Malware is not the only issue when it comes to widespread installation of software. If a user were to update their software independently, then there would no longer be any consistency across the network. Some employees would be using one version of a program, while others would be using a different version.
This could affect productivity or prevent employees from working with each other on the same project. By having a system administrator update all of the computers at the same time, you remove this problem.
4. Maintaining Privacy
Privacy can also be a problem with authorized users as well. Sometimes, a curious employee will read a file that is not connected to their work. Perhaps they saw a name on someone else’s desk, or heard about a case from another employee.
In September 2014, two employees at the Nebraska Medical Center were fired for the unauthorized access of an Ebola patient at the hospital. In Britain, a banker was fined hundreds of pounds after he confessed to reading files in his colleagues’ accounts.
These are just two out of the thousands of security breaches that have occurred over the last few years. According to the 2014 Data Breach Investigations Report, nearly 1 out of every 5 security incidents in the years 2004-2013 involved insider misuse.
Incidents like this have happened at both government offices and major companies. The use of separate administrator accounts ensures that only a few people have unrestricted access to all of the files on a network. By limiting administrator privileges, you are making sure that your confidential data remains confidential.
Limiting unrestricted network access to only a few users is an IT best practice. In addition to restriction of administrative privileges, there are a few other options. Local-only administrative privileges let a user view all of the folders on a computer, but do not give them the ability to affect network folders. Similarly, domain administrators can only reset passwords and make changes related to user rights. Power users, on the other hand, can make changes to many settings on a computer but cannot install software or alter the registry.
Using different levels of administrative access can protect your system while ensuring that your employees have what they need to get the job done. For more solutions to your IT challenges, contact us.