Because Windows applications often demand privileges when installing or updating quite basic applications and add-ons, the easiest if most extreme response is to either fully enable or completely block such privileges. Some incorrectly assume that only esoteric apps still ask for admin rights but this is far from the truth. Here are a few common examples that will ask for privilege elevation:

• Java
• Flash Installer/Updater
• Apple iTunes
• Google Chrome
• Firefox
• Adobe Acrobat Updater
• Skype
• Blackberry Desktop Manager
• Citrix GoToMeeting
• Cisco WebEx
• HP Universal Printer Driver
• VLC Media Player
• Adobe AIR.

To this should be added countless examples of legacy and bespoke applications. Blocking or enabling offers certainty but is counter-productive; enabling privileges allows dangerous applications to run at will while removing them stops legitimate and even necessary ones from running at all.

The common solution to this software checkmate that has been available since Windows Vista and Windows 7 is to allow privilege escalation on demand through User Account Control (UAC), but this too comes at a price; admins are bombarded with requests for passwords to elevate application privileges without the visibility to know whether a specific request is justified. Generation Y, meanwhile, is frustrated at even having to ask.

Windows 7

Migration to Windows 7 has turned out to be the important moment where organisations reassessed hardened assumptions about the way employees use and access applications and a growing number have concluded that the rational response is to invest in least privilege management. With this design, users can request application admin privileges on a case-by-case basis after authenticating themselves in a way that offers audited admin oversight.

The user is given the privileges he or she needs and can use applications on demand with the added benefit that admins are given some visibility into which new applications are finding their way on to the ‘required’ list of the workforce. These rights can be revoked when they are no longer needed, which could be as little as minutes later.

This model overcomes the unhelpful cultural barrier that can spring up between those whose job it is to administer software and employees who might be asking for unsanctioned but potentially beneficial applications admins haven’t even heard of.


There’s no simple answer to identifying which applications might be beneficial and which will turn out to be a productivity-sapping chore. It depends on the type of organisation and the specific set of workers. Where might red lines be drawn?

In the blocked group will sit obviously malign applications (i.e. malware) or illegal or inconvenient (e.g. bandwidth-consuming P2P or video), but in truth the overwhelming majority will be tagged rather unhelpfully as ‘grey’, their status unknown.

A good example of this is Skype, deemed appropriate for some users and organisations but not for others required to meet regulatory constraints that an encrypted channel into and out of the organisation clearly infringes. It just depends. With application and privilege management admins will at least have an overview of an application’s popularity inside an organisation the better to make an informed decision.

Opportunity not threat

From the point of view of traditional, centralised IT, BYOD and consumer software are inherently difficult to assimilate. Admins are instinctively wary and with good reason. In conventional IT, the users are the source of most problems starting with the misuse of software. But here’s an intriguing thought; far from being negative and risky, perhaps the way Generation Y adopts new applications could have long-term benefits if a way can be found to accommodate the behaviour.