Ask the Expert

Should employees have local admin rights?

We recently switched to allowing only Power User rights on notebook computers. We have a set of notebooks we loan out to employees with desktops when they need to travel. Currently, those users login with an account named "loaner" and use scripts and webmail to access the network. Discussion has come up that those accounts should have local admin rights in case a user is stuck at a remote location and needs the rights. Should we grant them local admin rights?

    Requires Free Membership to View

Unfortunately, the convenient and easy access you want to provide to your laptop users also provides the same convenience and accessibility to those with malicious intent. Also, a malicious user doesn't even have to hack into a laptop they just have to steal it. Once it's in their possession, they have access to any company information on the laptop, including sensitive customer and employee information, confidential company plans or a host of any other privileged information. A prospective laptop thief can also hang around an airport lounge or Starbucks, for example, and wait to steal an unattended laptop. Again, no hacking tools or fancy network tricks are required.

The other access control method you mention for your floating laptops -- a single user ID and password for all the laptops -- also creates opportunities for malicious access and use. While it may be a hassle to set up, each user -- not each laptop -- should have their own unique user ID and password for accessing their account on the laptop. Set up an access management system for this. Otherwise, from an information security perspective, you'll have a single point of failure. If one laptop is compromised, the thief can access any other laptop.

If for whatever reason, either business or technical, you want your users to have the local administrative rights, make sure you have disk and file encryption in place.

One popular enterprise tool is SafeBoot. It's available for many different types of mobile devices, not just laptops. If a laptop has SafeBoot, unless they have the right logon credentials, or user ID and password, all they'll get is an encrypted drive with useless scrambled data. PGP, another vendor, offers a similar product for disk encryption.

Also, before installing any encryption software, conduct a thorough risk analysis of the data that resides on the laptop, and ask yourself the following questions during this process:

  • Who is using the laptop and why?
  • What is the laptop being used for and what data is carried on it?
  • Is the data sensitive customer data, or marketing presentations with publicly available information about the company? This will determine the risk level and whether disk encryption is even worth the cost.
  • Can the laptop be used for accessing the corporate network from a remote location? If so, how much access is granted? Is it for accessing e-mail, or for going deeper into company file servers with sensitive information?

More Information:
 

  • Visit our resource center for news, tips and expert advice on improving Web access control.

This was first published in May 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: