Although it may not always be a popular policy, giving employees unrestricted user permissions and access to admin passwords can wreak havoc within your business and expose you to unnecessary cybersecurity risks.
The Windows admin password is the last line of defence when protecting Windows computers from malicious programs. Once the admin password is entered, the computer will have elevated privileges to make significant changes and potentially cause significant problems. You are essentially giving your employees unfettered access to virtually any area of your network or system.
It might be a brief nuisance when you want to install a program or update, the trade-off of the additional effort is worth not getting hacked.
What these restrictions really mean
Many business owners are afraid a user will be locked out of important things they’ll need on their system if they’re not an admin, but in truth, limits are fewer than most realize. Many users won’t even notice a change in their day-to-day productivity. We ensure that employees have the privileges and access that they need to perform their job but nothing additional to minimize potential misuse.
When someone is not a system admin they can’t:
- Add or remove an application
- Copy, change or delete files in protected areas of the hard drive
- Change critical operating system settings
When someone needs to do one of these restricted tasks, a technician can use a separate admin account to perform administrative tasks and log back out when they are finished. The technician will always follow and be aware of safe cybersecurity practices while performing any changes while using the admin account to keep your network secure.
What can go wrong?
A user may not have ill intents however, mistakes made while having administrative access can have serious consequences that can be time-consuming and costly to unravel. The vast majority of cybersecurity breaches are caused by human error therefore, limiting admin access can significantly reduce the scope of these issues.
Setting Can Be Changed for the Worse
Security settings can be changed, including antivirus being turned off. This leaves devices much more vulnerable to hackers and malware. This can be done accidentally by a user or because a hacker remotely accessed the device and acted as the user.
With an employee having admin access, there are no checks in place to prevent this whether intentional or not. The many layers required for cybersecurity work together to keep your network safe however when changes have been made, these systems cannot work as they are intended leaving you open to greater cybersecurity risk.
Any Program Can Be Installed or Removed
A user could think they’re installing a helpful tool they’ve found online that is full of adware or spyware. These types of programs can essentially provide a hacker with unfettered access to your network.
They can also accidentally remove a vital program required on all computers. Similar to the change in security settings, these programs can be a key component of your cybersecurity strategy and become inefficient when there are changes made by someone without the knowledge to do so.
Execute Code From Malware
A common way that viruses, ransomware, and other malware infect a system is because a user opens a malicious file attachment and has admin permissions on their user account. This gives the code the permission it needs to execute and infect critical system files that a non-administrator account would not have access to edit. Without those permissions, a malicious script that was trying to change PowerShell or other operating system files would not be able to run. These are often undetectable by antivirus programs because the user has specifically allowed them to run.
Accidentally Deletion of Vital System Files
Problems can also arise when an employee attempts to fix an issue themselves. A user with administrative privileges could delete vital system files, essentially breaking parts of the operating system. This could mean hours of lost productivity while you’re trying to track down the problem and restore the devices’ components.
Restricting admin access is one piece of the cyber security puzzle that needs to work together with many other components to successfully keep your network secure. Any additional time it takes for a technician to remote into an employee’s computer to assist them with changes requiring admin access is a drop in the bucket compared to the time lost to a cybersecurity breach. These breaches cause lost employee productivity but also can have serious financial consequences as well as damage to your company’s reputation. Our policies are designed to allow your employees to do their jobs efficiently while keeping your network and business safe and secure.
Learn more about Managed Security to keep your business secure.
Government of Canada Cyber Security Advice for small and medium businesses.