Before Windows Vista, there were several technical problems associated with using Windows without administrative privileges. But with the emergence of User Account Control in Windows Vista, 7 and 8, some organizations have eliminated admin rights altogether.

This has left many stuck believing Windows users must have either full – or no – control of their PCs, resulting in unexpected technical problems or mutiny in the ranks. Given the extremity of these responses, neither really lends itself to enhancing both organizational security and productivity.

To do this, I recommend the approach of least privilege, which takes into account security and productivity by granting users only the rights necessary to carry out their jobs. Even so, the act of curtailing rights, even moderately, nearly always results in some amount of user pushback – if not managed and communicated effectively.

Change and Company Culture

The unfortunate reality is that, at some organizations, IT departments are met with resistance at every step, with employees demanding unrealistic levels of service and autonomy. This can be especially problematic as organizations migrate to a least privilege approach. But there are measures that can be taken to communicate the benefits of least privilege to the organization at large, reducing friction between end users and the IT department.

For one, create a portfolio that outlines the services the IT department provides and what users can expect from the transition. For example, lay out reasonable timeframes for how long it will take to receive responses on requests to install software, and explain the business reasons for rejecting such an ask. Your portfolio should also contain a list of authorized software and hardware.

This foundation will make the move to least privilege easier for both the IT department and users.

It's worth noting that, while a least privilege desktop can still be quick and responsive, users will have to be prepared for a corporate environment in which not everything is on instant offer.

Taking this into account, it's best to be honest and open regarding any delays that are due to a more careful consideration of additions to the desktop. This helps end users realize their requests are not being ignored or backed up due to inefficiencies.

Keep in mind that users may have to be weaned away from “fast food software,” so it's best to make sure they know that their request may have knock-on effects on others that the organization must plan for.

Beyond software, it's important to also develop a policy on hardware. Otherwise, organizations may be confronted with increased support costs related to acquiring a number of disparate devices, configurations and drivers. Specifying particular brands that users are permitted to purchase helps minimize support and compatibility issues.

Remember, all of the software and hardware which an enterprise intends to deploy needs to be thoroughly checked beforehand to ensure compatibility with all other deployed software, devices and peripherals.

Essential Management Buy-In

Backing from senior management is crucial for a successful least privilege security desktop project. To win that backing, the business benefits of least privilege, such as reduced IT support costs and increased productivity, should be emphasized over purely security or technical gains.

To do this, gather data from a pilot project where select users are transitioned to standard user accounts. Other business benefits might include compliance with industry regulations or standards, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley (SOX).

Desktop refresh projects, such as moving to a new operating system, are often used as a vehicle to implement least privilege. Doing so also increases the chances of acceptance from end users, as an operating system upgrade is almost always supported.

Inevitably, there will be users and managers who believe they should be exempt from the least privilege security project, without any solid justification. It is at this point that upper management must show their resolve and ensure there are no exceptions without a valid business reason.

Driving User Acceptance

If it's difficult to share files, users find workarounds even if it breaks company policy, such as telling colleagues their account passwords or using removable USB drives. IT policy should be balanced so that users can do what they need without any significant barriers – and that applies equally to security.

By rolling out a well-documented least privilege policy with proper education, users are likely to realize why it has been put in place, and organizations can properly defend against breaches or malware. Employees should understand how running as a standard user can increase productivity, improve the company's bottom line and protect customer data. Here's an analogy that you can use to help:

In the same way traffic laws map out acceptable road behavior, least privilege security on the desktop provides rules while enabling users to carry out their responsibilities in a timely manner without crashes or breakdowns.

In organizations where IT policy hasn't been enforced or where users expect to have full autonomy over their PCs, the transition to least privilege desktops must be carefully planned, so the IT department doesn't face a user revolt.

Make sure to set users' expectations accordingly – before they arrive at work one morning to find their admin privileges have been removed.

Paul Kenyon is chief operating officer at Avecto in Andover, Mass.
