When my organization used Windows 95/98 systems, there wasn't a good solution for locking down the desktop. Because of that, we had all kinds of problems. Our users would do things like:
- Download and install software they shouldn't (e.g., trial versions, products from home, unsupported tools, drivers).
- Get malware infections that spread from one machine to another.
- Uninstall or disable their antivirus software because they thought it slowed down the PC.
- Uninstall or disable their firewall.
- Modify security settings for Windows itself, making malware infection more likely.
- Bring devices and drivers in from home that crashed the company PC.
We made the decision when we switched to Windows NT 4.0 to lock down the desktop and not grant users administrator access. This implied a number of changes to things:
- Users would have to call us for things that they might have done for themselves in the past.
- We would have to install all software, updates, and drivers for the users.
- Some staff would need to be granted power user or administrator access due to job specific needs.
- Some staff would complain that they no longer had the freedom they had enjoyed with Windows 9x.
At the same time we implemented the lock-down, we also implemented remote control software to allow our help desk staff to actually see the customer's problem and help them without having to run to their offices. In the end, fewer than 10% of the staff could justify the need for administrator access for business reasons. A few of the remaining 90% complained about a loss of flexibility, but most were happy to be able to just call the help desk and get things fixed for them.
Some of the benefits we've accrued from the lockdown include:
- Fewer malware infections overall
- Because staff run from standard user accounts, malware is typically confined to a single user profile when it does infect a system, making cleanup easier
- Certain infections, like the Conficker worm that spread from one machine to another, barely registered on our radar. (I think maybe one or two systems got the infection, but it didn't spread.)
- Since users can't change security settings, systems retain their secure default configuration
- License compliance improved significantly, since users could not install "any old thing" anymore
- Although the number of help desk calls went up briefly as users adjusted to the situation, the locked-down configuration actually reduced help desk calls by eliminating some of the sources of past problems (such as users downloading the wrong drivers and installing them, or applying incompatible software updates)
- Support became easier, because you could assume (within reason) that every machine was configured to the corporate standard, used a consistent set of drivers, etc.
When I talk with colleagues at other companies, I'm often forced to shake my head in sympathy. They tell me how a user installed infected software off the web that corrupted the machine so badly it had to be reimaged. They talk about how a software audit left them in trouble because users installed things the company wasn't licensed for. They talk about hackers getting in because someone opened an infected attachment that gave the hackers administrator control over the box. They tell me about long nights spent cleaning up any number of problems. I don't have many stories to share with them, because we don't have those kinds of problems.
A locked down desktop isn't a panacea. You do still wind up with issues you have to deal with:
- Although Windows 7 prevents standard users from installing software into the Program Files directories and Windows itself, users can still install software into their own user profiles.
- Software that may require licensing, but is delivered in a zip file, can be used without installing it.
- Malware still gets in, and gets past antivirus - it's just (usually) easier to clean up
- Some staff need applications that require administrator access, and you have to work around those, sometimes by adjusting file/registry permissions, sometimes by providing ways to launch the application with administrator permissions
- Some staff try to fight the lock-down by bringing in devices from home (e.g., Macs or personal laptops), and you have to be prepared to deal with this - especially if the devices are connected to the corporate LAN
- Despite corporate policies to the contrary, staff will still bring in USB devices with portable applications, portable hard drives, and other peripherals from home
- No matter how flexible you try to be and how much power you offer users short of administrator access, there will always be some staff who complain that they would be "much more productive" if they had administrator access. If they can demonstrate a true business case for it, our IT Security people will usually approve the request, so this is more a nuisance than a real problem.
If you are considering locking down your corporate desktops, here are some things you'll want to think about and do:
- Determine the process and criteria for justifying the need for administrator access. Under which conditions will you provide this access to your staff? Who will approve the requests? How will you create and name administrator accounts to distinguish them from standard accounts? How, and how often, will you review the accounts and the need for them?
- Consider disabling auto-update features in applications, as users may no longer be able to apply the updates. If they are unable to apply the updates, this can cause annoyance (from the constant alerts to update) and frustration (at the inability to apply the updates).
- Test all of your applications under a standard user account to ensure that they run properly. You may find that you need to adjust file, folder, or registry permissions to get them working. You might even have to install them outside the Program Files folders. Failure to properly test the software is something that could quickly kill your lock-down effort. (Sysinternals Process Monitor can be a big help identifying where permissions changes may be needed.)
- Test all of your standard peripherals and devices to ensure that they work properly. Few devices trigger a UAC prompt for administrator credentials, but they do exist.
- Establish a policy that administrator accounts should only be used as needed. Web browsing, reading email, and other mundane activities should be conducted from a standard user account to avoid system-wide infection. Decide how your organization will handle violations to this policy.
- Consider implementing application control and privilege management software, such as Arellia, Avecto, or Dell Privilege Manager. These products can prevent users from installing and using unauthorized software, and can also eliminate the need for many administrator accounts by automatically elevating sensitive applications to administrator (for users who have only standard accounts).
- For users who will be granted administrator accounts, how will you audit what those users do with the accounts?
- How will you implement the lockdown?
  - Will you give users a standard account and an administrator account, then expire the administrator account after some period of time?
  - Will you deploy the lockdown in conjunction with an operating system upgrade (e.g., Windows 7 to Windows 10)?
  - Will you implement the lockdown gradually across the organization, or all at once?
- How will you notify the users about the lockdown?
- How will you identify and troubleshoot application problems resulting from the lockdown versus those occurring normally because of issues with the software?
You may identify other issues specific to your organization that you want to test or document before implementing a lockdown.
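The answer above recommends deciding how administrator accounts are named, how often they are reviewed, and how their use is audited. The following PowerShell script is an added example (not from the answer's author or any product it names) of what such a periodic review can look like on a single Windows machine: it lists the local Administrators group, flags members that are either not on an approved list or do not follow a naming convention, and then summarizes recent privileged-logon and group-membership events from the Security log. The `adm-` prefix, the `$ApprovedAdmins` list, and the 30-day window are assumptions chosen for the example; the event IDs (4672, 4732, 4733) are standard Windows Security log IDs.

```powershell
# Added example, not code from the original answer.
# Periodic review of local Administrators membership plus a summary of
# recent admin-token logons, as a starting point for the "how often will
# you review the accounts" and "how will you audit" questions.
#
# Assumptions (labelled): administrator accounts use an "adm-" prefix and
# $ApprovedAdmins is the list IT Security has signed off on. Both values
# below are constructed samples. Requires PowerShell 5.1+ on Windows
# (Get-LocalGroupMember) and an elevated session to read the Security log.

param(
    [string[]]$ApprovedAdmins = @('adm-jsmith', 'adm-helpdesk'),  # constructed sample
    [string]$AdminPrefix     = 'adm-',                             # assumed convention
    [int]$LookbackDays       = 30
)

# 1. Who is actually in the local Administrators group right now?
$members = Get-LocalGroupMember -Group 'Administrators'

$findings = foreach ($m in $members) {
    $shortName         = ($m.Name -split '\\')[-1]
    $isApproved        = $ApprovedAdmins -contains $shortName
    $followsConvention = $shortName -like "$AdminPrefix*"
    [pscustomobject]@{
        Account           = $m.Name
        Source            = $m.PrincipalSource      # Local, ActiveDirectory, ...
        Approved          = $isApproved
        FollowsConvention = $followsConvention
        # Anything unapproved or off-convention needs a human to look at it.
        Flag              = (-not $isApproved) -or (-not $followsConvention)
    }
}
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize

# 2. Membership changes and privileged logons in the review window.
#    4732 = member added to a security-enabled local group
#    4733 = member removed from a security-enabled local group
#    4672 = special privileges assigned to new logon (an admin-token logon)
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4732, 4733, 4672
    StartTime = $since
} -ErrorAction SilentlyContinue

# Group membership changes: each one should map to an approved request.
$events | Where-Object Id -in 4732, 4733 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize

# Admin-token logons per account (Properties[1] is SubjectUserName for 4672).
# A large count for an account that is supposed to be used "only as needed"
# is the signal that someone is browsing or reading mail from it.
$events | Where-Object Id -eq 4672 |
    ForEach-Object { $_.Properties[1].Value } |
    Where-Object { $_ -ne 'SYSTEM' } |           # service logons add noise
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run this from an elevated prompt on the machine being reviewed (or wrap it in `Invoke-Command` for a fleet). The membership check answers the "who has it and should they" question; the 4672 count per account is a cheap proxy for whether the "administrator accounts only as needed" policy is being followed, since a day-to-day admin account will accumulate far more admin-token logons than an account used only for installs.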
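The answer also notes that some applications only run for standard users after file, folder, or registry permissions are adjusted, and that Process Monitor helps locate where. As an added example (not the answer's own procedure), this PowerShell snippet grants standard users Modify rights on one application data subfolder only, rather than relaxing the whole Program Files tree or handing out administrator accounts. The path `C:\Program Files\LegacyApp\Data` is a constructed placeholder; the write-denied location itself is the one you found with Process Monitor by filtering on `Result is ACCESS DENIED` while running the application as a standard user.

```powershell
# Added example, not code from the original answer.
# Grant BUILTIN\Users Modify on a single data subfolder of a legacy
# application so it runs under a standard user account, then verify that the
# parent install directory (which holds the executables) stays read-only.
#
# Assumption (labelled): $AppDataDir is a constructed placeholder; replace it
# with the folder Process Monitor showed the application failing to write to.
# Run from an elevated session.

$AppDataDir = 'C:\Program Files\LegacyApp\Data'     # placeholder path
$AppRootDir = Split-Path -Path $AppDataDir -Parent  # where the .exe files live

# Build an Allow Modify rule that inherits to files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users',
    'Modify',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')

$acl = Get-Acl -Path $AppDataDir
$acl.AddAccessRule($rule)
Set-Acl -Path $AppDataDir -AclObject $acl

# Verification 1: the data folder now carries the Modify rule for Users.
(Get-Acl -Path $AppDataDir).Access |
    Where-Object IdentityReference -like '*\Users' |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Verification 2: the directory containing the executables must NOT have
# gained write access for Users, otherwise a standard-user infection could
# replace the application's binaries and run with whatever rights the next
# user (or an admin) launches it with.
$rootWrite = (Get-Acl -Path $AppRootDir).Access |
    Where-Object {
        $_.IdentityReference -like '*\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    }
if ($rootWrite) {
    Write-Warning "Users have write access on $AppRootDir; scope the change to the data folder only."
} else {
    Write-Host "OK: $AppRootDir remains read/execute for Users."
}
```

Keep each permission change as narrow as the Process Monitor trace justifies: a data or log subfolder, or a specific registry key under the application's own hive, and never a directory that contains executables or DLLs. The second verification step exists precisely because widening write access on an install directory quietly undoes part of the protection the lockdown was meant to provide.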