When users, admins and applications go to war: poor privilege management damages productivity. But do organizations even know it is happening?

Author:Kenyon, Paul

When the power of administrators managing Windows application privileges crashes head-on into the needs of employees, the results are rarely pretty but, paradoxically, almost always hidden from sight.

It's not over-dramatic to describe the arena in which this to and fro plays out as a silent 'battlefield' that can be described using one of two scenarios.

The first is not as universal as in the past but there will still be many organizations, especially small enterprises, in which it will still hold sway; a standard user asks to access a local or network application that requires admin-level privileges (legacy applications often assume such permissions as an uncomplicated demand) and is given it without question.

With these privileges granted that user has just armed his or herself with a huge amount of power, both for good and ill, which looks uncomplicated until the user strays beyond his or her level of competence.

The potential for users to generate security problems by installing, removing or fiddling with applications as they please is now accepted as risky in ways that require far less explanation than would have been the case even half a decade ago. Nevertheless, while the world has moved on from the insecure mindset of old this has ended up creating a problem almost as significant as the one being solved; controlling risk by locking down applications, and shutting off privilege escalation completely using Windows 7 and Vista User Account Control (UAC).

Under this second scenario, networks don't grind to a halt--application privileges aren't required for all interactions-but there is now growing evidence that they slow down in ways that admins don't always see, or perhaps care to see. Network users are now interrupted with occasional UAC application dialogs for which they have no authorization, blocking their work and productivity to an extent that is difficult to estimate in terms of its harm to business.

The issue is surprisingly little discussed--employees are rarely asked for their views on using company networks and privilege escalation is pretty abstract for most workers--but privilege management vendor Avecto made an interesting start with a recent survey examining the usually mysterious effects of over-restricting and mismanaging privileges.

The questionnaire of 1,000 UK employees discovered a hidden toll on both employee and company alike, with almost one in five people believing they had missed a deadline at some point as a...

To continue reading