Frequently Asked Questions
The Danger of Local Windows Administrator Rights
One of the questions that has come up, and it always does, is the question – how bad is it if users have local administrator rights?
Obviously the easiest answer is BAD, REALLY BAD! It’s like you buy a house or a car and then decide that you don’t need locks on any of the doors. The reason we have file permissions, registry permissions, user right assignments, and the like in Windows is to limit ourselves to only having the rights we need on a system that are necessary in order for us to do our jobs. We shouldn’t have any more or any less rights than are necessary. But when we give our end users administrator rights, it is like we’ve just taken all the locks off the doors and given those users the ability to go into any room of the house without our permission.
Ok, so beyond the simple answer, what else could happen on a machine if we allow users to be local administrators of their machines? Here are just a few of the things that could happen:
- System files can be accessed or changed.
- Program files or program configurations could be modified.
- Software that is not approved could be installed, and won’t be maintained.
- Malicious code can be installed with unlimited rights.
- New, unapproved user accounts could be added to the system.
- Password policies could be subverted.
- Security controls such as anti-malware, firewalls, removable media controls, could be disabled.
