Problem solve Get help with specific problems with your technologies, process and projects.

Should employees have local admin rights?

While it may save you time, granting users local administrator rights also puts your organization at risk. Discover why this practice is considered a risk and learn alternate access control methods you can use to safeguard your organization.

We recently switched to allowing only Power User rights on notebook computers. We have a set of notebooks we loan...

out to employees with desktops when they need to travel. Currently, those users login with an account named "loaner" and use scripts and webmail to access the network. Discussion has come up that those accounts should have local admin rights in case a user is stuck at a remote location and needs the rights. Should we grant them local admin rights?

Unfortunately, the convenient and easy access you want to provide to your laptop users also provides the same convenience and accessibility to those with malicious intent. Also, a malicious user doesn't even have to hack into a laptop they just have to steal it. Once it's in their possession, they have access to any company information on the laptop, including sensitive customer and employee information, confidential company plans or a host of any other privileged information. A prospective laptop thief can also hang around an airport lounge or Starbucks, for example, and wait to steal an unattended laptop. Again, no hacking tools or fancy network tricks are required.

The other access control method you mention for your floating laptops -- a single user ID and password for all the laptops -- also creates opportunities for malicious access and use. While it may be a hassle to set up, each user -- not each laptop -- should have their own unique user ID and password for accessing their account on the laptop. Set up an access management system for this. Otherwise, from an information security perspective, you'll have a single point of failure. If one laptop is compromised, the thief can access any other laptop.

If for whatever reason, either business or technical, you want your users to have the local administrative rights, make sure you have disk and file encryption in place.

One popular enterprise tool is SafeBoot. It's available for many different types of mobile devices, not just laptops. If a laptop has SafeBoot, unless they have the right logon credentials, or user ID and password, all they'll get is an encrypted drive with useless scrambled data. PGP, another vendor, offers a similar product for disk encryption.

Also, before installing any encryption software, conduct a thorough risk analysis of the data that resides on the laptop, and ask yourself the following questions during this process:

  • Who is using the laptop and why?
  • What is the laptop being used for and what data is carried on it?
  • Is the data sensitive customer data, or marketing presentations with publicly available information about the company? This will determine the risk level and whether disk encryption is even worth the cost.
  • Can the laptop be used for accessing the corporate network from a remote location? If so, how much access is granted? Is it for accessing e-mail, or for going deeper into company file servers with sensitive information?

More on this topic

Visit our resource center for news, tips and expert advice on improving Web access control.


This was last published in May 2006

Dig Deeper on Web authentication and access control