Use Least Privilege Access for Most End Users
Rather than follow the principle of least privilege, which says that only certain people need admin rights and that rights should be delegated to people based on their work needs, many companies give everyone in the company full admin privileges! What are the reasons that so many companies offer full admin rights to their end users?
Some of the programs on the system will only run when a person has full admin rights. Rather than give admin rights to everyone, limit them to the people who have an actual need for that program. Another reason that companies allow admin rights for more people is so that those individuals can change the time and date on their computers to the correct time zone. This is something that the IT department can do remotely, so there is no reason to allow users to do it. Another reason is so that employees can install their printers and other devices on the system. Again, this is something that the IT department should be doing.
While some of these reasons may be valid, you need to realize that granting these rights greatly increases the risks to your system, and it can cause a host of other problems. An end user who is angry with the company or with one of their managers might decide that it would be a good idea to remove all of the printers on the system. This could take hours to correct.
You will find that when you add laptops to the equation, even more people have full access rights to the system. Companies seem to believe that when people are working out of the office, they might need to have this access, but this just introduces even more risks to your system. As with the desktops at your company, you will want to apply the least privilege rule to the portable computers.
Applying the concept of least privilege to reduce the number of people who hold all of these rights means that you can easily and quickly shore up your security. Password management software can further reduce the risks. Determine which of your employees truly need full admin access to the systems. You will find that not many people do; it will mostly be the IT department. Reduce the admin rights of other people so that they have only the access they need in order to do their jobs.
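The review described above can be run as a triage over an inventory of who holds admin rights and why. The following is an added example, not part of the original article; the CSV columns, the reason codes and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory (not real data): one row per account holding
# local admin rights, with the reason recorded when the right was granted.
SAMPLE_INVENTORY = """host,device,account,department,reason
DESK-01,desktop,alice,IT,administration
DESK-02,desktop,bob,Finance,legacy_app
DESK-03,desktop,carol,Sales,time_zone
LAP-01,laptop,dave,Sales,printer_install
LAP-02,laptop,erin,Marketing,remote_work
LAP-03,laptop,frank,Finance,
"""

# Decisions follow the article: IT keeps admin, an app that needs admin is
# limited to its real users, and IT handles clock and printer changes remotely.
IT_HANDLES = {"time_zone", "printer_install"}

def triage(row):
    """Return (decision, note) for one admin-rights grant."""
    reason = row["reason"].strip()
    if row["department"] == "IT":
        return "keep", "IT department administration"
    if reason == "legacy_app":
        return "review", "keep only if this user actually runs the program"
    if reason in IT_HANDLES:
        return "remove", "IT can do this remotely"
    if reason == "remote_work":
        return "remove", "laptops follow the same least privilege rule"
    return "remove", "no recorded need for admin rights"

def audit(inventory_csv):
    """Triage every grant; return (findings, counts per decision)."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        decision, note = triage(row)
        findings.append((row["host"], row["account"], decision, note))
    return findings, Counter(f[2] for f in findings)

if __name__ == "__main__":
    findings, counts = audit(SAMPLE_INVENTORY)
    for host, account, decision, note in findings:
        print(f"{host:8} {account:6} {decision:7} {note}")
    print(dict(counts))
```

Grants marked `review` still need a person to confirm that the user actually runs the program that requires admin rights.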