In the children’s fairy tale Goldilocks and the 3 bears, Goldilocks picks the porridge that is not too hot and not too cold, but the one that is just right. Goldilocks also found a chair that was too big, one that was too small, and then one that was “just right”.  In a similar way, organizations should looks to find the “just right” level of lockdown on desktops.  

When end users have full administrative rights on the endpoints, the desktop is much more vulnerable to malware. Systems where the logged on user has administrator rights are much more acceptable to zero day attacks because a large amount of malware that exploits vulnerabilities in applications can only works when the user has local administrative rights. Users that have administrative rights on they systems are also much more likely to install unauthorized software or make configuration changes that lead to system instability. Business sensitive information is much more vulnerable when accessed on these systems. In effect the system is “too hot”. 

When there is no way for the user to perform some approved tasks such as defragmenting the disk, installing an approved set of applications, or installing an approved activeX control, the user's productivity is impacted. Users have to request intervention for even mundane maintenance tasks and this can lead not only to increased support calls but also end user frustration. In this case the system is “too cold”.

An effective privilege management solution can help balance security and data protection concerns with end user productivity and personalization for a “just right” solution.   Privilege management is designed to enable organizations to control the rights of specific processes and specific user actions. For example an organization can set a policy that any activeX control that is signed by Adobe may be installed without the user having to be a local administrator. Organizations may want their users to be able to perform tasks such as installing approved software that is stored on well controlled servers.