When the power of administrators managing Windows application privileges crashes head-on into the needs of employees, the results are rarely pretty but, paradoxically, almost always hidden from sight.

It's not over-dramatic to describe the arena in which this to and fro plays out as a silent 'battlefield', one that can be characterized using one of two scenarios.

The first is not as universal as it once was, but there will still be many organizations, especially small enterprises, in which it holds sway: a standard user asks to access a local or network application that requires admin-level privileges (legacy applications often simply assume such permissions) and is given them without question.

With these privileges granted, that user has just armed him- or herself with a huge amount of power, both for good and ill, which looks uncomplicated until the user strays beyond his or her level of competence.

The potential for users to generate security problems by installing, removing or fiddling with applications as they please is now accepted as risky in ways that require far less explanation than would have been the case even half a decade ago.

Nevertheless, while the world has moved on from the insecure mindset of old, this has ended up creating a problem almost as significant as the one being solved: controlling risk by locking down applications and shutting off privilege escalation completely using Windows 7 and Vista User Account Control.

Under this second scenario, networks don't grind to a halt – application privileges aren't required for all interactions – but there is now growing evidence that they slow down in ways that admins don't always see, or perhaps care to see.

Network users are now interrupted with occasional UAC application dialogs for which they have no authorization, blocking their work and productivity to an extent that is difficult to estimate in terms of its harm to business.

The issue is surprisingly little discussed – employees are rarely asked for their views on using company networks, and privilege escalation is pretty abstract for most workers – but privilege management vendor Avecto made an interesting start with a recent survey examining the usually mysterious effects of over-restricting and mismanaging privileges.

The questionnaire of 1,000 UK employees discovered a hidden toll on employee and company alike, with almost one in five people believing they had missed a deadline at some point as a result of being denied full access to an application, and over a quarter convinced IT departments were not giving them the access to the applications necessary to do their jobs.

As to the support burden, 17% said they had called IT to request admin rights around three to five times per year, which probably represents an underestimate of the problem – many employees will only call IT as a last resort, preferring to suffer in silence. One in twenty mentioned contacting IT up to an energy-sapping 10 times a year.

Admin rights are invariably withheld for security reasons, and you can see why. An astonishing 16% said they would be tempted to do the dirty on former employers by using admin credentials to access sensitive data.

Former employees attempting to come through the back door is no urban myth either; more than one in five said they knew people in their organization who had attempted to breach IT security policies, most likely by downloading and installing non-approved applications or copying and removing company data.

We always knew that there would be a significant impact on businesses if they mismanage user admin rights: through security breaches, people accessing data after they leave, or expensive help desk calls. This survey also reveals the impact on individuals.

If these experiences are as common as they appear to be, it paints a depressing picture of network life in many organizations.

Employees are stymied by inscrutable rules that probably haven't been explained and which encourage them either to suffer in productivity-damaging silence or to find risky ways around the controls.

Admins, meanwhile, can be oblivious to the issue while still fielding an inconvenient level of admin support requests. Money and time are wasted while, conversely, money is not being made.

Admins need security and certainty about what users can and can't do; employees need speed, simplicity and, above all, as few interruptions to their workflow as possible. Can these apparently conflicting needs be reconciled?

As already alluded to, the problem lies at the heart of Windows (and all established desktop operating systems), whereby users are divided into either “standard” or “admin” accounts, which define which applications, tasks and scripts can be run and under what circumstances.

A solution is to manage this through a privilege management layer that bolts into Windows Active Directory, assigning privileges to applications based on defined security policies and “least privilege”.

With this, admins can transform the way network users relate to applications. Employees can be allowed to run chosen apps without interruption, without being given unlimited admin rights as part of this process, and even offered the possibility of requesting applications on demand.

Users are given only the minimum privileges they need, and whitelisting can be used to stop unmanaged, alien applications from running at all.

If this offers a way out, admins should still heed the hidden warning that lies buried inside Avecto's employee survey results. Simply designing application policies from an admin perspective risks miscalculating how employees actually use and access applications.

To dodge this pitfall, a good privilege management system must also have a research or “discovery” mode able to provide data on how applications and users are interacting with one another. It is essential to build application policies after studying the way applications are actually used (and perhaps abused) rather than from an idealistic template based on deceptive generalizations.
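As an added illustration of turning discovery-mode data into the per-application, least-privilege policy described above (example code written for this page, not Avecto's product or any real tool), the following Python derives a starting policy from a constructed log of elevation attempts; the log format, user and application names, and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of what a discovery-mode log might hold: (user, application, outcome).
# "denied" means a standard user's elevation request was refused; "elevated" means it succeeded
# (e.g. the user already had admin rights). Names and records are made up for this example.
DISCOVERY_LOG = [
    ("alice", "legacyerp.exe", "denied"),
    ("alice", "legacyerp.exe", "denied"),
    ("bob", "legacyerp.exe", "denied"),
    ("carol", "legacyerp.exe", "elevated"),
    ("dave", "legacyerp.exe", "denied"),
    ("alice", "vpnclient.exe", "denied"),
    ("bob", "vpnclient.exe", "denied"),
    ("erin", "randomtool.exe", "denied"),
    ("erin", "randomtool.exe", "denied"),
    ("erin", "randomtool.exe", "denied"),
    ("frank", "notepad.exe", "elevated"),
]


def propose_policy(log, min_users=2, review_threshold=3):
    """Derive a least-privilege starting policy from observed usage (assumed thresholds).

    allow_list      - every application actually seen; the whitelist baseline, so anything
                      unobserved stays blocked by default
    elevate_per_app - applications several distinct users need elevated: grant elevation to the
                      application rule itself instead of handing those users admin accounts
    review          - applications one user keeps elevating: a per-user exception or a
                      replacement app, not a blanket rule
    denied_users    - users denied most often, i.e. the ones likely to miss deadlines or
                      call the help desk (sorted by denial count, most first)
    """
    users_per_app = defaultdict(set)
    attempts_per_app = Counter()
    denials_per_user = Counter()
    for user, app, outcome in log:
        users_per_app[app].add(user)
        attempts_per_app[app] += 1
        if outcome == "denied":
            denials_per_user[user] += 1
    elevate = sorted(a for a, u in users_per_app.items() if len(u) >= min_users)
    review = sorted(a for a, u in users_per_app.items()
                    if len(u) < min_users and attempts_per_app[a] >= review_threshold)
    return {
        "allow_list": sorted(users_per_app),
        "elevate_per_app": elevate,
        "review": review,
        "denied_users": [u for u, n in denials_per_user.most_common() if n >= 2],
    }
```

Applications that appear in `allow_list` but in neither `elevate_per_app` nor `review` (such as the single elevated `notepad.exe` run here) are simply allowed to run as a standard user.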

Privilege management used to be seen as just another optional management layer, but its benefits are finally starting to be appreciated as core to the usability, productivity and security of Windows applications. Employees and the administrators supporting them should be able to see applications as allies in a battle and not as the site of a fruitless civil war.

Paul Kenyon is chief operating officer at Avecto in Andover, Mass.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.