Should employees have local admin rights?

BROWSE BY TAG Identity Management and Access Control,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

RELATED CONTENT Identity Management and Access Control How to find and remove keyloggers and prevent spyware installation How to encrypt passwords using network security certificates Prevent meet-in-the-middle attacks with TDES encryption How to use single sign-on (SSO) for a server configuration Choosing management for Active Directory user provisioning LDAP signing requirements for various directory configurations User account best practices for an investment management website How to determine password strength for a website The pros and cons of implementing smart cards Keep files from being deleted by assigning read and execute permission Web Authentication and Access Control Yahoo login credentials at risk to hijacking attack Group to shed light on secure identity management threats IT business justification to limit network access How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED April 2006:

Unfortunately, the convenient and easy access you want to provide to your laptop users also provides the same convenience and accessibility to those with malicious intent. Also, a malicious user doesn't even have to hack into a laptop they just have to steal it. Once it's in their possession, they have access to any company information on the laptop, including sensitive customer and employee information, confidential company plans or a host of any other privileged information. A prospective laptop thief can also hang around an airport lounge or Starbucks, for example, and wait to steal an unattended laptop. Again, no hacking tools or fancy network tricks are required.

The other access control method you mention for your floating laptops -- a single user ID and password for all the laptops -- also creates opportunities for malicious access and use. While it may be a hassle to set up, each user -- not each laptop -- should have their own unique user ID and password for accessing their account on the laptop. Set up an access management system for this. Otherwise, from an information security perspective, you'll have a single point of failure. If one laptop is compromised, the thief can access any other laptop.

If for whatever reason, either business or technical, you want your users to have the local administrative rights, make sure you have disk and file encryption in place.

One popular enterprise tool is SafeBoot. It's available for many different types of mobile devices, not just laptops. If a laptop has SafeBoot, unless they have the right logon credentials, or user ID and password, all they'll get is an encrypted drive with useless scrambled data. PGP, another vendor, offers a similar product for disk encryption.

Also, before installing any encryption software, conduct a thorough risk analysis of the data that resides on the laptop, and ask yourself the following questions during this process:

• Who is using the laptop and why?
• What is the laptop being used for and what data is carried on it?
• Is the data sensitive customer data, or marketing presentations with publicly available information about the company? This will determine the risk level and whether disk encryption is even worth the cost.
• Can the laptop be used for accessing the corporate network from a remote location? If so, how much access is granted? Is it for accessing e-mail, or for going deeper into company file servers with sensitive information?

More Information: