Virtualization Pro Tips Blog

Off-Topic: The Challenge of Eliminating Administrator Rights when the User Owns their Computer

Another off-topic post for today, this time on the ever-present problem of successfully eliminating administrator rights.  If you’ve been around IT for any period of time, you know that administrator rights represent one of our biggest security challenges.  Microsoft Windows, for all its greatness, gives us what amounts to an on/off switch for assigning rights to most people:  Either they’re Administrator, or they aren’t.

Problem is that the real world knows that on versus off mentality just won’t fly any more.  Its for that reason why I was recently asked to present a webinar (which you can view on-demand here) on exactly these challenges.

There were some unfortunate technical difficulties that precluded my helping out with the post-event Q&A.  That that I’m greatly disappointed, because one of the people watching asked this intriguing question:

How do you justify to "professionals" (e.g., lawyers, doctors, faculty) the removal of control of "their own" computers?

The person who asked this question nailed privilege management’s “people” problem right on its head.  Namely, that all people are reticent to give away rights when they feel a sense of ownership.  If a user’s computer belongs to the company and not them, they’ll argue less when you pull their privileges.  At the very least, they’ve got no leg to stand on when you do.

But when that computer is actually owned by its user, pulling their privileges is a lot like taking someone’s car keys away.  They still own the car, but they can’t drive.

It is in exactly this situation where the art of privilege management enters one of its most challenging grey areas.  Challenging, because of the obvious ownership issues; grey area, because the good of the public is arguably better served by inconveniencing the good of the individual.

There are no technical answers for eliminating administrator rights in this situation.  There’s no script I can suggest you run or box you check in an interface.  But there are appeals to the greater good that can work.  Namely, the assertion that centralized control of computers automatically creates a more stable environment for all.  Note that I didn’t say “more secure” here.  Pulling those rights absolutely is more secure; however, in this case of ownership “security” holds less of a societal guilt trip than the realization that one person’s actions could impact the safety and stability of others.

In short, how do you make that justification when the user owns their computer?  Easy:  Guilt.  Or, more specifically, a passionate appeal to that notion of the greater good.  At the same time, we all know that everything in life is a give/get.  Thus, in doing so, you must also give that person the assurance that they’re going to get a better experience in the end out of the trade.  By taking their rights away, you’re promising that you’re also taking their problems away. 

Most rational people just want their computers to work.  If your assistance will make them work better in the long run, then the likelihood is high they’ll be OK with their new administrator-less reality.

Catch up with @ConcentratdGreg on Twitter!

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.