Ok everyone, let's solve this once and for all: Should your users be local admins?

It happened again over the weekend. I was talking to someone about VDI versus Terminal Server, and they said, "Yeah, but at least with VDI, I can just give my users admin rights and not have to worry about anything."

After I recovered from the mini heart attack I had in reaction to hearing this, I thought "This has got to stop! People need to learn that letting regular users have admin rights (VDI or not) is a colossally stupid thing to do."

Or is it?

Back in the old school days of Windows computing (where each user had their own desktop), we didn't really pay too much attention as to whether we gave users admin rights. Some companies did. Some companies didn't. But when Terminal Server came on the scene in the late 1990s, we had to take admin rights away from our users, since a single user with admin rights on the server could do bad things that would negatively affect everyone.

But as some vendors started pushing VDI in the last few years, one of the "pro VDI" arguments we started to hear was that VDI was somehow "simpler" than Terminal Server because all your users can have admin rights on their VMs (since a bad user with admin rights on one VM wouldn't affect other VMs). This is something that might seem ok at first, but after giving it some thought, you realize it's a really bad idea: a local admin can still disable the agents and patching you rely on, pull credentials off the VM, and reach other VMs over the network if the same group is admin everywhere.

My question is, how bad is it? If we let typical users run with local admin rights within their desktop VMs, what kind of bad things can they do? (For example, I think Rick Mack said something like 90% of the Windows Update security vulnerabilities wouldn't apply if a user was running as a non-admin.)

Or is it really ok to let users run as local admins?

I understand this is a complex issue. And whether users can run with admin rights in any particular environment depends on how disk images are managed and whether users need to be able to install their own software and about fifteen other things. But in general, do you think this is a good idea?

Before we get into the discussion, I want to apply my standard VDI disclaimer here: I'm not saying that VDI is bad or that it has no place today. However, if you want to use VDI just because you're lazy and you don't want to figure out real security, that is a very bad thing.

18 comments

Pro: could not find any 100% pro stuff, as I'm probably not aware of local user rights limitations...


Pro or Con: if you are using something to automatically reset the workstation, like Provisioning Server, you can leave the local admin rights with the user...


Con: it gives the user access to some information you probably didn't intend to provide to them (like the Citrix Application Streaming file cache) and so on... It doesn't solve the "patch Tuesday" question unless you have something to update the base image...



There is no definitive answer to this question, as it really depends on your environment. I work for a small ISV & IT service provider.


Our administrative staff (billing, HR, executives) do not have local admin rights; our developers and technical personnel, however, do. It's a good compromise between security and flexibility.


For our customers, it really depends on how they work and what they do: Some of our customers consist of a largely administrative staff that just uses Word, Excel and ERP. Not using local admin rights there is a breeze. Some of them also use TS.


Other customers, however, have lots of technical personnel who work on the road and use their laptops to interface with a variety of machinery. For example, one of our customers services manufacturing machines; for that, he needs a lot of programs, one per machine, that are updated very often (weekly, monthly).


Most of these customers are small - they do not have their own IT staff that would have time for weekly updates of some program. So they get local admin rights too.


Other customers insist on giving everyone admin rights so they can install whatever software they want (they're also the kind of customer where I have to send someone to reinstall their machines often).


Give local admin rights to people who need them. Defining "need" is not easy, of course. However, do not give local admin rights just because you're too lazy to customize some permissions for legacy applications (and complain to the vendor - A LOT).



To me it all comes down to recommendations, and from me it is always to keep users as non-admin users whenever possible. The two main challenges I see are:


1. Applications written poorly and customers not being willing to invest the time and money into finding a solution or working with the application vendor to find a solution.


2. Force of habit.. if people have been used to admin rights, being able to change whatever, install whatever..


In these cases it is tough to argue that desktop users should convert to non-admins. Typically the IT department is a service department, not a profit department, so they are put in the world to keep costs as low as possible but keep the users as happy as possible..


On a side note, I actually think that most of the security risk involved with local admin rights from a corporate view is located around users being tricked into installing malicious software without their knowledge. I think the User Account security measures that Microsoft has taken with Vista are actually a step in the right direction to be able to allow users admin rights.. seeing as they can now take responsibility for their actions, as they have agreed to elevate permissions to administrator.


I am not saying it is now time to let every desktop user have admin rights, but I think it is a great move in the right direction...


(not mentioning all the trouble it is also causing us)


Rene Vester



So what do you do when you have an application that will not run unless the user is an Administrator?  Let's take UPS Worldship for example.  UPS is a huge organization and they can ship packages reliably to any part of the world on time, but they can't program crap for PCs.  For this particular case we ended up using RES Powerfuse to lock down the account.  So while the user may be a local admin, they can't do squat.


There are ways to mitigate a local admin requirement.  VDI is one way, but an expensive way considering there are alternatives.


Security is a long drawn out process.  It can be complex, tedious and boring.   Does anyone really want to sit down with the end user for a week for each app so you can identify what processes are running and what child processes are spawned?  What about going through every file and identifying the minimum ACLs needed for each but still allowing the application to run properly?  Then go through and troubleshoot because you flagged a file/registry location as read only but the API used opens the object as read/write even though nothing is ever written (by the user).   Weeks later, a Service Pack the company has been waiting for comes out.  Unfortunately, the size of the SP looks slightly larger than the original installation package.


It all depends on your circumstances.  For some organizations, they don't want the end user to feel restricted.   If they want to download and evaluate software then more power to them.  The catch is, as soon as the user logs off (or the session expires) all of their changes are gone.  If the end user finds something they can't live without, they can always start the process and make a formal request.


Joe



After administering TS and Citrix for over a dozen years I have become sort of an expert on making an app run as a local user.


Usually it is just registry or file permissions that need to be modified to make an app work.


I am against giving users local admin rights.


1> They don't need to install software that is not work related.


2> They don't need to have full remote access to other machines on the network; that is just begging for malware attacks.  (Most people just give domain users local admin rights on the boxes, which means any box they have access to is a problem)


3> This doesn't apply everywhere.


99 percent of your users should be able to get by as a regular user on a machine, your IT people and software testers may need more.  But only sparingly.


*off soapbox


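The two comments above (Joe's on profiling an app down to the objects it needs, and the TS/Citrix admin's point that it is "usually just registry or file permissions") describe the same technique without showing it. The following is an added example, not code from either commenter or from the original post: it grants a standard-user group Modify on one application folder and one registry key instead of putting the user in Administrators. The folder path, key path and group name are hypothetical placeholders; the real ones come from profiling the app as a standard user (for example Process Monitor filtered on ACCESS DENIED results). Run it once, elevated, while building the image.

```powershell
# Added example (not from the original post or any commenter).
# Grant targeted Modify rights so a legacy app runs without local admin.
# All three values below are hypothetical; replace them with what profiling found.
$AppDataDir = 'C:\Program Files\LegacyApp\Data'       # hypothetical folder the app writes to
$AppRegKey  = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'  # hypothetical key the app writes to
$Principal  = 'BUILTIN\Users'   # better: a dedicated group such as 'CORP\LegacyApp Users'

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl  = Get-Acl -LiteralPath $Path
    # Modify (not FullControl): the group can create/change/delete files but not change the ACL itself
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-RegKeyModify {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    $acl  = Get-Acl -LiteralPath $Path
    # Enough to read and write values and create/delete subkeys, but not ChangePermissions/TakeOwnership
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Grant-FolderModify -Path $AppDataDir -Identity $Principal
Grant-RegKeyModify -Path $AppRegKey  -Identity $Principal

# Verify what the principal actually ended up with on each object
(Get-Acl -LiteralPath $AppDataDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-Acl -LiteralPath $AppRegKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

Scope the grant to the narrowest object that profiling showed being written (a data subfolder, a vendor key under HKLM\SOFTWARE), never to the whole of Program Files or HKLM\SOFTWARE, and prefer a dedicated group over BUILTIN\Users so the exception stays visible and revocable when the vendor finally fixes the app.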

On the other hand the economy is crap, giving users admin rights is like our own stimulus package for IT.



Admin rights or not, I think it really comes down to a matter of administration. What level of overhead is acceptable in managing your users' desktops, physical or virtual? For my money, if the desktop is dedicated to the user, then restricted rights would make sense. However, if you are using non-persistent desktops and whatever the user has done is obliterated upon logout, then I would imagine it wouldn't matter much.



This is pretty easy to answer especially for a Unix/Linux guy like myself.


Yes, if they require the privilege and understand its responsibilities.


No, if they don't require the privilege and do not understand the responsibilities.


I have 170 users, 5 locations, Citrix (soon to be Parallels Virtuozzo VDI), workstations, and laptops.  Only about 8 of my staff 'require' local admin privileges.  Otherwise, all other staff are normal users with Windows XP Pro SP3 using Lotus Notes 8.5, MS Office 2007, IE 7,  and other apps without any problems.  I'm also the lone administrator.



I'm fundamentally against allowing typical users to operate day to day as a local administrator.  The PC is the primary tool used in business today, unless you're a racecar driver or a UPS/FedEx driver.  In the case where you are a racecar driver or a UPS/FedEx driver, you surely are not allowed to modify your vehicle the way that you want, because you want to.  Your company says you're driving vehicle X, and that's it.


Now there usually is a morale boost by allowing users to personalize their PC in minor ways, as it makes them more productive, just like you'd allow the UPS/Fedex driver to adjust their seat, change the radio station...


I have never come across an application that I could not get to work with less than Power User rights, File System and Registry Permissions.


Now there are IT people that will say "I have a zillion applications and it's easier to just make everyone administrators".  That's a choice they make, but not one that I agree with.


I contend that users that are local administrators generate more helpdesk calls than non-administrators, except when those users are IT staff who know how to fix their own application and OS issues.  That alone should be enough for the business to consider locking down the OS.


There are all kinds of GPO settings that can be used to lock down the OS and shell, but the basic and effective starting point for system lock down is to not allow users to write to %SystemDrive% or %ProgramFiles%.


The default file system permissions on 2000, 2003 and XP allow Users to write to both of these locations. This introduces the possibility of users creating their own local file system which you'd have to backup, or installing unauthorized software that creates more helpdesk calls, opens up the company to potential litigation for running unlicensed software, and is a security risk as most viruses, spyware & malware won't install without write permissions to these areas.


I will also contend that users should get a fresh user profile at each logon, and IT should authorize what users are allowed to personalize and retain from session to session.  This is often referred to as a "hybrid user profile", and can be managed with the free Flex Profile Kit from Login Consultants, or with a supported User Profile Management system like exists in Quest vWorkspace, or in other 3rd party tools.


These User Profile Management tools keep the ntuser.dat file nice and small, provide fast logons and a stable work environment, allow users to customize some things, and reduce helpdesk calls.


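Patrick's starting point above (Users must not be able to write to %SystemDrive% or %ProgramFiles%) and the earlier comment that most shops simply drop Domain Users into local Administrators are both things you can check rather than assume. The following is an added audit script, not Patrick's or the original post's code. It is read-only: it reports any Allow ACE on the system drive root and the Program Files folders that gives Users, Authenticated Users or Everyone a write-class right, and it lists the local Administrators membership, flagging broad groups. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and falls back to ADSI on systems without Get-LocalGroupMember; run it elevated for a complete view.

```powershell
# Added example (not from the original post or any commenter): audit two admin-rights
# hygiene points on a Windows desktop or VM image.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Any of these bits in an Allow ACE lets the principal create or change content
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Modify, FullControl, Write, CreateFiles, CreateDirectories'

function Get-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: generic rights can appear as values outside the named enum members
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-LocalAdminMembers {
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    } else {
        # Older systems (e.g. XP/2003/7): enumerate via the WinNT ADSI provider
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        foreach ($m in $group.Invoke('Members')) {
            [pscustomobject]@{
                Name            = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
                ObjectClass     = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
                PrincipalSource = 'n/a'
            }
        }
    }
}

# 1. Writable system locations
$paths = @("$env:SystemDrive\", $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $paths += ${env:ProgramFiles(x86)} }
$writable = foreach ($p in $paths) { Get-BroadWriteAccess -Path $p }

"== Broad write access on system locations =="
if ($writable) { $writable | Format-Table -AutoSize } else { "none found" }

# 2. Local Administrators membership
$admins = Get-LocalAdminMembers
"== Local Administrators members =="
$admins | Format-Table -AutoSize

# Domain Users, Authenticated Users, Everyone or any *\Users group in Administrators
# means every domain account is an admin on this box, and on every box built from it
$broad = $admins | Where-Object { $_.Name -match 'Domain Users|Authenticated Users|^Everyone$|\\Users$' }
if ($broad) {
    "WARNING: broad group(s) in local Administrators: $(($broad.Name) -join ', ')"
}
```

On a gold image, run this last, after all the "it only works as admin" fixes went in: a stray Modify grant on the Program Files root or a forgotten Domain Users membership is exactly the kind of shortcut that gets cloned into every VM in the pool.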

It appears those who are answering "no" to giving users admin rights are living in the 19th century and with power/control issues. That's the epitome of the old IT who has no idea what's transpiring around the world and whether they will have a job in the future.


Companies like Google have an IT model that will kick all of your old IT stone age rules to the side. There is no standardization on equipment and their IT will support whatever. And so far, their model is working much better than all the control freaks.


Users outside of work already have full admin control over their PCs. To assume that you are superior and your users are not is the problem with IT today. I have not seen an IT org that has truly been a service organization to the company. Most of these IT orgs are narrow minded and self absorbed.



Interesting analogy Patrick...  I would have to say that UPS/FedEx drivers are the equivalent of local administrators of their vehicles.  The driver may not own the vehicle but does have complete control of it when it's in their possession.  Sure, there are corporate policies in place that state drivers cannot make modifications to the vehicle, but there is nothing that prevents the driver from taking a small detour, stopping and painting flames on the side of the truck.  The driver also has the ability to speed, cut people off and run red lights.  All against corporate policy, and of course if the driver violates the policy the appropriate disciplinary actions are taken.


The same goes for PCs... Companies have usage policies in place.  Just because the end user has the physical ability to install applications doesn't mean they are allowed to.  The nice thing about computers is we are able to enforce these policies as the infraction occurs in most cases.  For those instances where this is not possible, you go back to monitoring and alerts.  Much like a tracking device can be used to monitor the driver's driving habits and routes.


Instead of a UPS/FedEx truck we switch to racing.  The driver and crew chief absolutely need the freedom to make changes to the car.  It would be a bit much to ask permission of the car owner to change tires in the middle of a race.  In a way it's expected.


For the most part, the local administrator access requirement from an ISV can be mitigated by tracking down the specific objects that need elevated permissions.  I think it's a cop out that ISVs recommend administrative rights in order to band-aid bad/poor programming practices.  It's easier for them to circumvent the security measures in place than fix the issues.  My guess is they simply don't know how.


There have been a few apps (2 maybe 3) that, after days of profiling, simply would not run with anything short of administrator rights.  Even with the All (minus Administrators, plus Power Users) local group selected, a completely wide open registry and file system, the accounts added to User Rights Assignments and the local security policies relaxed... nothing.


I agree, local admin rights for users = bad and should be avoided at all costs.   But what do you do when your hands are tied?


Joe


One customer didn't care and didn't want to pursue the issue further and another went with RES Powerfuse.



Google is not your typical company, so I wouldn't draw comparisons.


If you are giving local admin to, say, non-persistent desktops, then you have a risk during the session that you need to be willing to accept.


Also you have to think about how you are giving this admin access... if you are simply doing a wham-bam add of the Domain Users group to local admins, then you have privacy issues between machines in the pool via remote connections/services....


In this case you would need to put in local security denies to ensure clients can't interfere remotely with other machines.


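The "local sec deny" the commenter refers to is the user right "Deny access to this computer from the network" (SeDenyNetworkLogonRight). If Domain Users is a local administrator on every VM in a pool, any user can open the admin shares, remote registry and service control of every other VM; denying network logon to that same group on each VM closes that path while leaving the interactive admin rights alone. The following is an added example, not the commenter's or the original post's code. It reads the current assignment, appends the Domain Users SID rather than overwriting existing entries, and applies it with secedit. The domain name is a hypothetical placeholder; in a domain the same setting normally belongs in a GPO linked to the pool's OU (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment), which would override this local value. Run elevated. Any service or management account that must reach these VMs over the network must not be a member of the denied group.

```powershell
# Added example (not from the original post or any commenter): deny network logon
# to Domain Users on a pooled VM where Domain Users is also a local Administrator.
$Domain = 'CORP'   # hypothetical NetBIOS domain name; replace with yours

# Resolve the group to its SID; secedit wants SIDs prefixed with '*'
$sid = (New-Object System.Security.Principal.NTAccount($Domain, 'Domain Users')).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

# Export the current user-rights assignments so existing deny entries are preserved
$export = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $export -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.*)$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
$current = @()
if ($line) { $current = @(($line -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }

if ($current -contains $entry) {
    "SeDenyNetworkLogonRight already contains $Domain\Domain Users ($sid); nothing to do."
} else {
    $current += $entry

    # Minimal security template containing only the right we are changing
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $($current -join ',')
"@
    $infPath = Join-Path $env:TEMP 'deny-network-logon.inf'
    $dbPath  = Join-Path $env:TEMP 'deny-network-logon.sdb'
    $inf | Set-Content -Path $infPath -Encoding Unicode

    secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
    "Applied. secedit exit code: $LASTEXITCODE"
}

# Verify: re-export and show the resulting assignment
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern '^SeDenyNetworkLogonRight' | ForEach-Object { $_.Line }
```

Test it from a second VM before rolling it into the image: `net use \\vm01\C$` as a pool user should now fail with a logon-type denial even though that user is still a local administrator on vm01.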

My $0.02 is that it should be based on user requirements and historical data. Remember these aren't "your users" they are people you help to do their job.


Depending on the user base mix (education/culture/generation) only analysis will tell you what the best way to move forward is.


An organisation must understand what it actually needs to control, in my opinion it's the application and data space and those elements are best "delivered and not installed" (that ole chestnut!) but it will differ.


For anything to be successful you need a shared responsibility for the "health" of a device. This needs to be clearly communicated so all expectations are established up front.


An interesting topic and actually made me get off my a@@ and register!



How about Citrix's new vision that employee-owned laptops and computers will be commonplace? I think that's happening more than most realize. That pretty much assumes local admin rights will be assigned to the owner. Solutions like NAC (Network Access Control) should be put in place to protect against computers gone foul, but give (most) users the ability to connect with their own computers. Let the security measures lie in the network, data centre, and written policies. This means that if an employee-owned laptop (with admin rights) is accessing their VDI desktop, there should be some measure of lockdown on the virtual computer, but let the user customize their own computer however they want.



Don't forget that using Microsoft WSUS, an admin user can ignore security updates and so potentially risks compromising their machine & your network.


Personally I'm all for giving users the bare minimum rights necessary; that means no admin rights unless they have a very good reason. We have one or two users who generate large numbers of Helpdesk calls because they are forever tinkering with their PCs, 'because they can'.



LOL!  I find it interesting that most of the posts above deal with having Power or Control over your environment.  Maybe my point of view is different or maybe it's the same, however, for whatever it's worth, here it is.


Security is about mitigating RISK without sacrificing REWARD.  Security for Security's sake is, IMHO, often more harmful to the business than it is helpful.  Today's business world needs to be MORE flexible, not less.  The business needs to be able to REACT to their customers demands or marketplace conditions quickly.  At times this is RISKIER than at other times, but then balance that against the REWARD.  


This applies everywhere ... CIA, DOJ, Jonnies Express Mart ... Obviously in some environments where there is RISK there is NO REWARD (think DHS, CIA, NSA, etc.), but you wouldn't apply those same security measures to Jonnies Express Mart.  Financial institutions need to be more secure, BUT at times flexibility is necessary ... you mitigate those risks in other ways, i.e. NAC, NAP, AV or AM (malware), VPN, encryption, enforceable usage policies, etc.


Remember, if a sales engineer loses a customer/sale because he/she couldn't do something with the equipment that was provided to them so they could do their job, guess who's going to get smacked in the head?


Most of the "never give a user admin access" reasons above are mitigatable in other ways.  Joe's examples clearly show that Usage Policies need to be written specifically for the tinkerers and WSUS concerns... hey ... WSUS is trackable and if a user continues to "cancel" bring it up to his boss with evidence.  same goes for tinkerers ... show their boss the constant HD calls and escalate if necessary that this person is STEALING company resources.  The flip side to that though is that you WANT your users to come to you when they are having problems.  


As engineers, admins, security specialists, whatever, our job is to support the business.  If the business says "we'll take the risk"... well... get it in writing...  :)



It's nice to know where all the evil "CCCP" went after the fall of the wall.. They all now work with IT restricting users freedom ;)



Users should not be allowed local admin.  As a general rule anyhow; of course there are exceptions.


The issue is that granting local admin rights will expose OTHER problems in your company.  For example -- if the staff is not engaged and doing their job -- they might be surfing junk and installing software for the heck of it.  Next example: if you have less experienced workers (or lets face it, maybe some just aren't as attuned/smart and will never be) then they will install stupid stuff EVEN though they think it is okay or right or necessary to do their job.  They will get fooled.


If there are no weaknesses in your users and they are experienced, they are motivated, they are smart and they care -- then local admin rights might be fine.

