User Rights Management: Giving Users the Ability To Access what They Need

IT is increasingly being faced with the problem of users having administrative rights on their personal desktops. Giving them the ability to access all areas of the desktop is an accident waiting to happen, often leading to high support costs and a compromised user experience. One of the worst-case scenarios comes if security is compromised through the loss of data or an attack from malicious software that can be sitting and waiting on the network.

The typical method of enabling administrative rights today is flipping an on/off switch -- the user can either have full or no admin rights. However, in most cases, the user only needs to have admin rights to certain elements of their desktop in order to complete their task. For example, many proprietary applications -- applications that allow changes to be made to hardware settings such as network adapters, applications that allow the installation of drivers for devices like printers, and applications that write to secure parts of the registry all require administrative rights to execute. Until recently, IT has been unable to grant users this access without compromising their systems.

User rights management (URM) addresses this issue by ensuring that only certain users are able to have administrative rights to certain applications in pre-defined situations. I know this seems like a lot of elements, but this new technology aims to provide organizations with a means to balance user needs with IT cost by enabling the elevation or reduction of user rights on a user, application or business rule basis. For example, there are many legacy applications out there that still have a requirement to write data to system areas of the operating system. While these can be managed with file and registry access control lists (ACL's), it is far easier to manage them by elevating the user account.

In addition, there are many daily tasks such as changing wireless network settings, date and time, system updates, etc. that require a user to be an admin. URM is able to give users admin rights for these certain areas while restricting access to other areas that are strictly managed by IT -- letting users maintain their productivity while ensuring their time is used most efficiently and the business is not exposed to unnecessary risks and costs.

I met with a finance company in New York just this week whose approach is to elevate everything in the "Program Files" folder on the local PC, excluding Internet Explorer. This policy was due to the fact that the company in question was all too aware that elevating Internet Explorer might be a significant risk. They seemed to miss the point that the other applications may also pose a significant risk. Are they not just causing themselves a potential security risk without proper consideration?
Too little control and unlicensed software, possibly even malware and viruses, can be on an organization's network and quickly wreak havoc. Too much control and IT limits users' ability to do their jobs by making something as simple as installing a custom printer driver far more complicated than it should be.
URM provides the balance required to allow organizations to reduce management costs while giving users a greater level of personal control over a standardized environment. So let me ask you this, how is your organization currently managing this balance?

Posted by Simon Rust on 08/26/2010 at 12:49 PM