I presume the primary reason for preventing local users from having
admin rights on their desktops is to keep them from installing "evil"
software.
If this is so, then my question to the group is "how long does it take
a desktop user to get a legitimate piece of software installed on
their desktop?" In other words, I have to use software package "A" to
do my job. How long does it take for "A" to be installed on my
desktop? My informal straw poll respondents noted the time range to be
anywhere from 1 day to 2 weeks.This is completely shocking to me.
Now, if my boss is breathing down my neck to finish a project by
tomorrow & I need software "A" to finish the project, I can't wait 1-7
days. The business process will trump this security process and a) I
go up the mgt chain to get an exception b) I bring in my personal
computer, load software "A" on it and get the job done.
So, I wonder why there has never been a survey with the question "How
long does it take to install a software package on a user desktop if
you restrict local admin rights?". This is the root cause of the
"never ending battle" that I keep hearing about. If you make the user
responsible for whatever they load on their machine AND enforce that,
then what is the danger of letting them do so? Well, people with no
local admin privs can still "infect" a machine by using their browser
so once again, what do we accomplish by "preventing" them from loading
software? Seems like nothing is accomplished, hence, the "never
ending" battle.
Call me silly, but I think there is an end to this battle but we don't
want to put in the effort to accomplish this. That end involves a)
enforcing user responsibility for their actions b) give them basic
training (you want to be able to install stuff, you have to sit in
this training) c) speed up legit software install requests.
I keep hearing about this losing battle with the users so why not
think of something radically different?
Just a thought for the holidays....