When Users, Admins and Applications go to War
When the power of administrators managing Windows application privileges crashes head-on into the needs of employees, the results are rarely pretty but, paradoxically, almost always hidden from sight.
It’s not over-dramatic to call the arena in which this to and fro plays out a silent ‘battlefield’, and it tends to take one of two forms.
The first is less universal than it used to be, but it still holds sway in many organizations, especially small enterprises: a standard user asks to access a local or network application that requires admin-level privileges (legacy applications often assume such permissions as a matter of course) and is given them without question.
With these privileges granted, that user has just armed themselves with a huge amount of power, both for good and ill, which looks uncomplicated until the user strays beyond their level of competence.
The potential for users to generate security problems by installing, removing or fiddling with applications as they please is now accepted as risky in ways that require far less explanation than would have been the case even half a decade ago.
Nevertheless, while the world has moved on from the insecure mindset of old, the remedy has created a problem almost as significant as the one being solved: controlling risk by locking down applications and shutting off privilege escalation completely using Windows 7 and Vista User Account Control.
Under this second scenario, networks don’t grind to a halt – application privileges aren’t required for all interactions – but there is now growing evidence that they slow down in ways that admins don’t always see, or perhaps care to see.
Network users are now interrupted with occasional UAC application dialogs for which they have no authorization, blocking their work and productivity to an extent that is difficult to estimate in terms of its harm to business.
The issue is surprisingly little discussed – employees are rarely asked for their views on using company networks, and privilege escalation is pretty abstract for most workers – but privilege management vendor Avecto made an interesting start with a recent survey examining the usually mysterious effects of over-restricting and mismanaging privileges.
The questionnaire of 1,000 UK employees discovered a hidden toll on both employee and company alike, with almost one in five people believing they had missed a deadline at some point as a result of being denied full access to an application, and over a quarter convinced IT departments were not giving them the access to the applications necessary to do their jobs.
As to the support burden, 17% said they had called IT to request admin rights around three to five times per year, which probably represents an underestimate of the problem – many employees will only call IT as a last resort, preferring to suffer in silence. One in twenty mentioned contacting IT up to an energy-sapping 10 times a year.
Admin rights are invariably withheld for security reasons and you can see why. An astonishing 16% said they would be tempted to do the dirty on former employers by using admin credentials to access sensitive data.
Former employees attempting to come through the back door is no urban myth either; more than one in five said they knew people in their organization who had attempted to breach IT security policies, most likely by downloading and installing non-approved applications or copying and removing company data.
We always knew that there would be a significant impact on businesses if they mismanage user admin rights through security breaches, people accessing data after they leave, or expensive help desk calls. This survey also reveals the impact on individuals.
If these experiences are as common as they appear to be, it paints a depressing picture of network life in many organizations.
Employees are stymied by inscrutable rules that probably haven’t been explained and which encourage them either to suffer in productivity-damaging silence or find risky ways around the controls.
Admins, meanwhile, can be oblivious to the issue while still fielding an inconvenient level of admin support requests. Money and time are wasted while, conversely, money is not being made.
Admins need security and certainty about what users can and can’t do; employees need speed, simplicity and above all, as few interruptions to their workflow as possible. Can these apparently conflicting needs be reconciled?
As already alluded to, the problem lies at the heart of Windows (and all established desktop operating systems), whereby users are divided into either “standard” or “admin” accounts which define which applications, tasks and scripts can be run and under what circumstances.
A solution is to manage this through a privilege management layer that bolts into Windows Active Directory, assigning privileges to applications based on defined security policies and “least privilege”.
With this admins can transform the way network users relate to applications. Employees can be allowed to run chosen apps without interruption, without being given unlimited admin rights as part of this process, and even offered the possibility of requesting applications on-demand.
Users are given only the minimum privileges they need, and whitelisting can be used to prevent unmanaged, unknown applications from running at all.
If this offers a way out, admins should still heed the hidden warning that lies buried inside Avecto’s employee survey results. Simply designing application policies from an admin perspective risks miscalculating how employees actually use and access applications.
To dodge this pitfall, a good privilege management system must also have a research or “discovery” mode able to provide data on how applications and users are interacting with one another. It is essential to build application policies after studying the way applications are actually used (and perhaps abused) rather than from an idealistic template based on deceptive generalizations.
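The policy layer described above (per-application privilege rules tied to directory groups, a whitelist for everything unmatched, and a discovery mode that records what users actually launch before anything is enforced) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Avecto or any other product; the rule format, the group names, the executable paths and the launch requests are all constructed assumptions used only to show the decision logic.

```python
"""Toy least-privilege policy engine modelling the privilege management layer
described in the article: rules grant individual applications an elevated
token (or not) per AD group, a whitelist blocks everything unmatched, and a
discovery mode records what users launch instead of blocking them.
Added example; the rule format, paths and group names are assumptions,
not any vendor's configuration."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RUN_STANDARD = "run with the user's standard token"
    RUN_ELEVATED = "run with an elevated token, no UAC prompt"
    BLOCK = "blocked: not on the application whitelist"
    PROMPT = "no rule: fall through to the normal UAC prompt"


@dataclass(frozen=True)
class Rule:
    path: str          # executable path, stored lower-case, compared case-insensitively
    groups: frozenset  # AD groups the rule applies to; empty set = all users
    elevate: bool      # True: launch with an elevated token; False: standard token


@dataclass
class Policy:
    rules: tuple
    whitelist_only: bool = False   # block any executable no rule covers
    discovery: bool = False        # record only; never block or elevate beyond a rule
    seen: Counter = field(default_factory=Counter)       # (user, path) -> launches
    unmatched: Counter = field(default_factory=Counter)  # launches no rule covered

    def _match(self, groups, path):
        for rule in self.rules:
            if rule.path == path and (not rule.groups or rule.groups & groups):
                return rule
        return None

    def evaluate(self, user, groups, path):
        """Decide how a launch request runs; returns a Decision."""
        path = path.lower()
        self.seen[(user, path)] += 1
        rule = self._match(frozenset(groups), path)
        if rule is not None:
            return Decision.RUN_ELEVATED if rule.elevate else Decision.RUN_STANDARD
        # No rule matched. Record the gap so the admin can write a rule from
        # observed usage rather than from an idealised template.
        self.unmatched[(user, path)] += 1
        if self.whitelist_only and not self.discovery:
            return Decision.BLOCK
        return Decision.PROMPT

    def gaps(self):
        """(user, path) pairs no rule covers, most frequent first: the
        discovery-mode report an admin would read before enforcing."""
        return self.unmatched.most_common()


POLICY = Policy(
    rules=(
        # Constructed: a legacy line-of-business app that assumes admin rights.
        # Elevate only for the Finance group, so its users need no admin account.
        Rule(r"c:\apps\ledger\ledger.exe", frozenset({"Finance"}), elevate=True),
        # Constructed: everyone may run the browser, always with a standard token.
        Rule(r"c:\program files\browser\browser.exe", frozenset(), elevate=False),
    ),
    whitelist_only=True,
)

# Constructed launch requests: (user, AD groups, executable path).
REQUESTS = [
    ("alice", {"Finance"}, r"C:\Apps\Ledger\Ledger.exe"),
    ("bob", {"Sales"}, r"C:\Apps\Ledger\Ledger.exe"),
    ("bob", {"Sales"}, r"C:\Program Files\Browser\browser.exe"),
    ("bob", {"Sales"}, r"C:\Users\bob\Downloads\tool.exe"),
    ("carol", {"Sales"}, r"C:\Users\carol\Downloads\tool.exe"),
]


def run(policy, requests):
    """Evaluate every request against the policy; returns (user, path, Decision)."""
    return [(user, path, policy.evaluate(user, groups, path))
            for user, groups, path in requests]


if __name__ == "__main__":
    for user, path, decision in run(POLICY, REQUESTS):
        print(f"{user:6} {path:45} {decision.value}")
    print("\nCoverage gaps (launches with no rule):")
    for (user, path), count in POLICY.gaps():
        print(f"  {count}x {user} {path}")
```

Running it with `whitelist_only=True` blocks bob's unmatched downloads outright; constructing the same policy with `discovery=True` instead lets those launches fall through to the ordinary UAC prompt while still counting them in `gaps()`, which is the usage data the article says a policy should be built from.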
Privilege management used to be seen as just another optional management layer but its benefits are finally starting to be appreciated as core to the usability, productivity and security of Windows applications. Employees and the administrators supporting them should be able to see applications as allies in a battle and not as the site of a fruitless civil war.