10 steps to ensure users only access what they need
by Paul Kenyon - COO, Avecto - Friday, 10 August 2012.
Reason 6: Maximize investment in Active Directory

Most organisations will have Active Directory but few realise it can help achieve centralised management and allow a business policy driven architecture. If you’ve got it, why not use the facilities built into the product to enable a more efficient and productive IT system?

That said, there are limits of what you can do in terms of control and security so you might look towards complimenting AD with a third party least privilege solution. This will give more granular control, allowing admin rights to be easily removed without adversely impacting end users and ultimately productivity.

Reason 7: Regulatory compliance

Demonstrating compliance can prevent regulatory fines - and a least privilege approach is at its core. Many compliance codes state, either implicitly or explicitly, that users should have the minimum amount of privileges to complete every day tasks.

For example, PCI DSS (Payment Card Industry Data Security Standard) states that the organisation must ensure privileged user IDs are restricted to the least amount of privileges needed to perform their jobs.

Reason 8: Demonstrate due care

This goes hand in hand with reason 7 as a least privilege approach helps demonstrate to customers that you’re taking all reasonable steps to protect their information. Many organisations and public services have been publicly named and shamed for data breaches which damages reputations and erodes customer confidence. Of course, this also impacts on the profitability of the organization.

Reason 9: Improve network uptime

Many organisations fail to link lost productivity with admin privileges. By running a least privilege environment, you not only improve stability of the desktop but of the entire network. This is down to various security interdependencies - for example, if a machine is infected with a virus it could issue a DOS (denial of service) attack undetected by the user, with the resultant flood of traffic over the network causing routers and switches to grind to a halt, eventually bringing network services to their knees.

Reason 10: Reduce complexity

Systems are complex enough without users making additional unauthorised and un-catalogued changes.

Logically, organizations should take five steps to keep things simple:

1. A strategy to implement the right type of security

2. Remove admin privileges from the majority of users

3. Give users the flexibility to use the line of business software that they need

4. Identify any users that may need additional rights to install approved software

5. Keep things as simple as possible, to remain secure, but ultimately enable the business to move forwards.

Introducing a least privilege approach really comes down to a logical decision – do you want the best of both worlds?


Most IT pros have seen potentially embarrassing information about their colleagues

More than three-quarters of IT professionals have seen and kept secret potentially embarrassing information about their colleagues, according to new research conducted by AlienVault.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th