Challenge of Eliminating Administrator Rights when the User Owns their Computer, by Greg Shields

by Mary Rose 29. October 2010 09:08

Greg Shields recently was the featured speaker on a webinar that we sponsored, Best Practices for Eliminating Administrator Rights, and one of those loaded questions came in from the audience. You know, the type of question that "makes you go hmmmm..." Well, Greg pondered it a bit and posted this well-thought-out, practical response on his blog yesterday. In my opinion, he really hit home with the last sentence, "Most rational people just want their computers to work.  If your assistance will make them work better in the long run, then the likelihood is high they’ll be OK with their new administrator-less reality."

Here's the complete post:

Off-Topic: The Challenge of Eliminating Administrator Rights when the User Owns 
Posted @ 10/28/2010 4:26 PM By Greg Shields 

Problem is that the real world knows that on versus off mentality just won’t fly any more.  It’s for that reason that I was recently asked to present a webinar (which you can view on-demand here) on exactly these challenges.

There were some unfortunate technical difficulties that precluded my helping out with the post-event Q&A.  For which I’m greatly disappointed, because one of the people watching asked this intriguing question:

How do you justify to "professionals" (e.g., lawyers, doctors, faculty) the removal of control of "their own" computers?

The person who asked this question nailed privilege management’s “people” problem right on its head.  Namely, that all people are reticent to give away rights when they feel a sense of ownership.  If a user’s computer belongs to the company and not them, they’ll argue less when you pull their privileges.  At the very least, they’ve got no leg to stand on when you do.

But when that computer is actually owned by its user, pulling their privileges is a lot like taking someone’s car keys away.  They still own the car, but they can’t drive.

It is in exactly this situation where the art of privilege management enters one of its most challenging grey areas.  Challenging, because of the obvious ownership issues; grey area, because the good of the public is arguably better served by inconveniencing the good of the individual.

There are no technical answers for eliminating administrator rights in this situation.  There’s no script I can suggest you run or box you check in an interface.  But there are appeals to the greater good that can work.  Namely, the assertion that centralized control of computers automatically creates a more stable environment for all.  Note that I didn’t say “more secure” here.  Pulling those rights absolutely is more secure; however, in this case of ownership “security” holds less of a societal guilt trip than the realization that one person’s actions could impact the safety and stability of others.

In short, how do you make that justification when the user owns their computer?  Easy:  Guilt.  Or, more specifically, a passionate appeal to that notion of the greater good.  At the same time, we all know that everything in life is a give/get.  Thus, in doing so, you must also give that person the assurance that they’re going to get a better experience in the end out of the trade.  By taking their rights away, you’re promising that you’re also taking their problems away. 

Most rational people just want their computers to work.  If your assistance will make them work better in the long run, then the likelihood is high they’ll be OK with their new administrator-less reality.

Catch up with @ConcentratdGreg on Twitter!


About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. The Viewfinity solution allows enterprises to control end user and privileged user rights for applications and systems which require elevated permissions. Viewfinity's granular-level control enables companies to establish and enforce consistent policies for least privilege Windows-based environments based on segregation of duties. For more information, visit www.viewfinity.com.
