So now that we know the problems in letting the users work with default administrative accounts, here are some simple guidelines that should be followed in order to avoid these issues.
All users and developers should work as standard users
In-house developed software is written to work for standard users. If developers themselves are given the privileges of a standard user, then the applications they develop will be tested and validated against their systems from the very start.
Minimize the number of administrators
You can't completely eliminate the local administrator account, and even the title "Least Privileged User" tends to make users feel controlled. So it is better to educate users about what it means to be a standard user and the benefits of it.
All application binaries (.exe, .com, .dll, .ocx) should be written to Protected folders
The application files mentioned above should be written to the "Program Files" folder only, just as the operating system files are protected in the C:\WINDOWS folder. Other operating system files should be written to the C:\WINDOWS folder or its subfolders only.
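One way to check this guideline on an existing machine, as an added example that is not part of the original post: the script below inventories files with the four extensions named above that sit outside the protected folders. The function names are hypothetical, PowerShell 3.0 or later is assumed, and treating "Program Files (x86)" as a protected root on 64-bit Windows is an assumption beyond what the post states.

```powershell
# Added example: list application binaries stored outside protected folders.
# Function names are hypothetical; run from an elevated prompt for full coverage.

function Test-IsProtectedPath {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $ProtectedRoots
    )
    foreach ($root in $ProtectedRoots) {
        # Compare against "root\" so that "C:\Program FilesX" does not match.
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Find-UnprotectedBinary {
    param(
        [string] $ScanRoot = "$env:SystemDrive\"
    )
    # Protected roots: Program Files, its 32-bit twin (assumption), and C:\WINDOWS.
    $protected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ }
    # Extensions taken from the guideline above.
    $extensions = '.exe', '.com', '.dll', '.ocx'

    Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($extensions -contains $_.Extension) -and
            -not (Test-IsProtectedPath -Path $_.FullName -ProtectedRoots $protected)
        } |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'Owner'; Expression = {
                (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner } }
}

# Binaries owned by ordinary user accounts are the ones to review first.
Find-UnprotectedBinary | Sort-Object Owner, FullName | Format-Table -AutoSize
```

Anything this reports under a user profile or another user-writable folder is a binary that a standard user, or code running as that user, can replace.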
Deployment and management of computers should be centrally controlled and automated
Routine tasks like applying software updates and distributing software applications should be done from a central location. This helps in maintaining a known and consistent state of all the computers in the environment and makes testing, deployment and troubleshooting easier and helps in reducing helpdesk calls.
Implement an operating system with an automated process for running software as standard users.
Windows Vista and Windows Server® 2008 both have the ability to run software even if it was not written for standard users. Through UAC, file and registry virtualization, applications can run in the context of a standard user even if they were designed with administrative privilege requirements.
Computer hardware should be as uniform as possible.
In order to simplify deployment and management, it is ideal to have an established standard hardware specification or list of approved models. This helps reduce costs associated with migrations, eases troubleshooting and simplifies any necessary re-imaging.
Anti-malware signature files should be installed automatically and promptly.
When administrator accounts are used by most users, they often install multiple engines for detecting malware elements such as spyware.
It is a good idea to have a single, standard anti-malware solution and to ensure that the solution is up-to-date using centrally controlled mechanisms.
Operating system updates and hotfixes should be installed quickly and automatically.
Updates can be critical to system security, performance, and reliability. If user accounts are default administrators and users can change their systems in an unmanaged way, it is very difficult to test and know which conflicts may be present on end-user desktops or determine in advance whether software updates will be successful on all computers.
If you follow these recommendations, it can be easier to implement standard user accounts and ultimately manage your desktop infrastructure more efficiently.
In my next blog we will see how Windows Vista can help us do most of these tasks easily and thus help us manage the desktop infrastructure in an easy manner.