In today's time, providing users with unjustified administrator access on their work systems, could lead to significant business loss. A careless user may download a benign looking file and the next moment you may find yourself battling an organization wide ransomware attack. Here's a quick guide for small business owners on how to tame this dragon:

The Dragon: Administrator Access

• High privilege access to a system.

• A user with this access can:

  • Add or remove programs from a system

  • Enable, disable or change system settings and services

  • Create, delete or modify users

  • Read, Modify or delete files for any user on the system

  • Disable or bypass security controls

  • In short, CAN DO ANYTHING on a given system

When to give Admin access?

• When users are responsible for installing or uninstalling software from a system – Typically done by IT Support

• For troubleshooting, enabling, modifying or disabling system settings and services – Typically done by IT Support

• When a user needs to run certain software as administrator – must be provided on case by case basis

• User is traveling or need it during a conference – must be provided on case by case basis, after duly understanding the business requirement, for a limited time period

When not to give Admin access?

• To any user without any justified business requirement, this may include but not limited to:

  • Users having administrator access without the need of it

  • Users on shared machines

  • Users frequently attaching their machines to outside network (unless a justified business requirement is provided)

  • Users in senior management (unless a justified business requirement is provided)

  • Users responsible for sharing / transferring data (unless a justified business requirement is provided)

How to identify users with Admin access?

• On Microsoft Windows:

  • Open a command prompt and type the following command:

    • net localgroup administrators (works on Windows XP and above)

• On Apple MacOS:

  • Open the Apple menu

  • Select System Preferences

  • In the System Preferences window, click on the Accounts icon.

  • In the list of accounts on the left side of the Accounts window, locate your account

  • If the word Admin is immediately below an account name, then that user is an administrator on the workstation

• On Linux:

  • Open a terminal window and type the following command:

    • grep '^sudo:.*$' /etc/group | cut -d: -f4

Watch the video