Really, is it any surprise to anyone here that if you give employees less rope it's harder for them to hang themselves? For employees that need admin so that they can install programs and modify settings you simply have a "Here is admin access but don't come to us if you break it" policy.
This article seems painfully obvious and doesn't belong on HN IMHO.
How is it simple to have a "don't come to us" policy? Who should they then come to? A hundred different people trying to fix a problem they don't really understand a hundred different ways is probably going to do more damage in the long run.
Well, an employee wrecking their PC might not be something that the IT department is required to handle, but if malware spreads across the company’s network of course the IT department needs to handle it.
Most sysadmins don't want to give users admin rights on their machines. But the problem occurs when there's software (especially software written for previous versions of Windows) that requires admin access to run. Management doesn't wanna hear it about "privilege separation" and "principle of least privilege." Bob in Accounting needs Quickbooks to work right now.
Then, there are the senior managers who know enough to know that they want admin access so they can do whatever, but not how to protect themselves. They're gonna call your boss, who's gonna tell you to give them admin access. And WHEN something goes wrong, guess who gets the blame?
The exploits today are written for admin-rights account, because most people use that. But I'm sure there are plenty of non-admin->admin holes too. If running as non admin became wide spread the exploits would just need to add an additional step to become admin after they exploited the non admin user. Thus would be a short term improvement at best.
Really, is it any surprise to anyone here that if you give employees less rope it's harder for them to hang themselves? For employees that need admin so that they can install programs and modify settings you simply have a "Here is admin access but don't come to us if you break it" policy.
This article seems painfully obvious and doesn't belong on HN IMHO.