Why administrator access should never be given to staff

Security - Computer security

We are often asked to look at the I.T. systems of a new customer, and on a depressingly regular basis we find that all users of the system have full ‘administrator’ access to their computer systems, and sometimes the entire network including servers.

This is not a good thing, but what does it mean exactly to say that a user has ‘administrator’ access?

A core feature of virtually all software operating systems, including Microsoft Windows, Apple OS X/iOS and Linux variants, is a structured system that assigns rights and privileges to users of the system. Most such systems are hierarchical, and at the top of the tree is the ‘administrator’ level which grants full access to the operating system files, folders and functions.

Users of the operating system should be granted rights and privileges that allow them to do what they are authorised by the business to do, and no more, but very few businesses define exactly what their staff are authorised to do with their computer systems. In the end, most small businesses rely on their I.T. support provider to define the access to be granted to staff, and this is where the problem begins.

A properly structured set of access controls will increase the amount of work that the I.T. support provider has to perform, and so in many cases excessive rights are granted to staff simply to reduce the support workload. Staff with ‘administrator’ rights to their computer system can install and upgrade software themselves, and as this is required on a regular basis it’s just easier to let them do it themselves.

But, it’s also wrong, and dangerous. Consider a simple example.

If staff are granted administrator rights to their computer systems they will be able to install new programs and updates. Viruses, spyware and other malware are programs, and staff with administrator rights will be able to freely (and unknowingly) allow unwanted software to access their computer systems, and potentially your entire network, at any time.

The spread of malware relies on users having excessive rights to their systems, and if you want to properly manage your risk of being affected by malware you cannot grant staff administrator rights to their own computer systems, or in fact to any system connected to your business network.

There are many other issues and risks involved with granting administrator access to staff, including:

  • Allowing personal or non-work applications to be installed (e.g. iTunes, Spotify, peer-to-peer file sharing programs);
  • Lost productivity when staff accidentally create problems with their work software;
  • Lost productivity when system performance is reduced by unauthorised software;
  • Facilitation of fraud or theft of information;
  • Exposure of the business to use of unlicensed software:

Despite all of these fairly obvious risks we continue to find customers whose staff all have administrator access to their systems, which really is a shame because avoiding the problem is easy.

A good configuration will grant all users of the system only with the access rights and privileges that are needed and authorised by the owner of the system (ie the business). To make it easier for our customers we apply a proven structure where users of the system are assigned with a specific and minimal set of rights that are appropriate almost all of the time, and we then manage any exceptional cases that may arise. In some cases a staff member may act as a quasi-administrator and will require additional rights to be effective, and in other cases there may be an in-house I.T. team who require full administrator rights to the system, but by starting from the position of assigning only minimal access we reduce risks to the business and help to ensure that system access is properly controlled.

If your suspect that your staff may have administrator rights to their systems, or if you just want to check that your access rights are appropriate for your business, we encourage you to call us today on 1300 138 761 or simply click HERE and we will be happy to try to help.

Subscribe to Our Newsletter

Sign up to receive all the latest news updates straight into your inbox.