With a name like Administrator, you'd think people who've received this level of privileges would be'well'administrators.

It makes me laugh sometimes how the realities of actually using IT's technologies don't often line up with what seems perfect on paper. Microsoft Windows' implementation of administrator privileges is exactly one of those depressingly humorous misalignments.

What's at fault? It's not always the operating system itself (although, as you'll learn, sometimes it is). Often, it's the developers who write applications for that operating system. When developers take shortcuts and write bad software, then you're the one that ultimately suffers.

Windows itself isn't immune either. For some unknown reason, Microsoft took a very coarse approach to privileges in its flagship OS, leaving out the granularity that today's IT environments are finding they need.

Administrator privileges are today an unfortunate necessity for almost every IT environment. Some applications or OS functions can't be accessed by the standard user. When that standard user needs access to accomplish the action that's prevented, the only option usually available is to add them to the local machine's Administrators group.

Doing so might solve the immediate problem, but it at the same time opens a Pandora's Box of problems down the line. With administrator privileges, users are free to do anything ' install software, add ActiveX controls, reconfigure settings, the list gets scarier. The very moment you hand them administrator privileges, you've automatically abdicated your control over that business asset.


Figure 1: Administrator vs Standard User

Story Time in Privilege Management

It is for this reason, among a range of others, why an entire ecosystem of Privilege Management solutions has sprung up in recent years. Bluntly put, the Windows operating system cannot eliminate the Administrator problem all by itself. It's not well-designed to do so. In fact, its architecture in many ways exacerbates the problem rather than attempting to solve it.

So arguably some kind of solution is needed. Let's think for a minute about what that solution might look like. For me, I find it best to do so via a series of stories. I'll bet these stories mirror exactly the problems you're having in your environment right now today.

Dave, the Lazy Developer. Walrus, the Lazy App.

Dave is a lazy developer for a medium-sized company. One day he's asked to write an application called Walrus. (Why name it 'Walrus', I dunno. Maybe he was still finishing his first cup of coffee that morning.) Walrus accomplishes some very smart things for Dave's company. It enables company employees to access customer data in a certain way that makes sales easier. Walrus is a classic example of your custom-grown application that quickly becomes 'the app everyone needs'.

Yet, being lazy, Dave wrote this application quickly and he took a few shortcuts. For Walrus to run, it requires access to protected system files. It needs to store data in protected areas of the registry, areas that Dave has access to ' because as a developer he, of course, is an administrator. The non-administrators, well, they're screwed.

Now, here's the rub. Dave's application becomes so important so fast that soon everyone needs access, and IT finds itself needing to elevate every user running Walrus to local administrator. Chaos ensues.

Problems like this happen all the time with custom applications. Perhaps the developers weren't necessary lazy, but uninformed about the fallout effects of their design decisions. In cases like these, a Privilege Management solution becomes absolutely necessary. Such a solution enables IT to elevate just the application, without needing to give the user the entirety of elevation's privileges.

If Dave can't fix Walrus, an extremely costly situation now that everyone uses the app, IT might end-run around Dave's laziness by implementing a Privilege Management solution. Application elevated. Problem solved.


Figure 2: 3 Things Needed for Assigning Permissions

ActiveX Controls: IE's Biggest Power. IE's Biggest Problem.

Ahhh, the ActiveX control, bane of Jane's existence. In IE's early days they were lauded as the solution for a highly-customizable browser experience. She can almost hear the marketing from a time long past: ActiveX controls will 'gave you control over your browser'. They will enable, 'a vast range of customizable experiences, extending the browser for more than just simple web browsing.'

Those are at least how Jane remembers the marketing statements, and she can't argue that they weren't true. ActiveX controls absolutely extend IE past its original capabilities. Without them, a vast array of activities commonly associated with the browser experience simply wouldn't be possible.

Yet, with all their power, ActiveX controls come with a dark side. They require installation, a need Jane has recently learned she must accomplish for a new web application. They also expose an enormous Windows vector for malware considering IE's deep hooks into the Windows architecture. So, she can't just globally enable 'Allow Installation of ActiveX Controls'. What Jane needs is a little granularity.

When it comes to desktop management, IE's ActiveX controls are a lot like applications. They require installation if they're to perform their services. They're at the same time quite different because that installation is deceptively easy to instantiate. Click the wrong link on the wrong website, and you'll find any number of ActiveX controls slipping their way into your system.

The management architecture surrounding ActiveX controls is also not well implemented in Windows. Some control is possible, but managing IE's ActiveX settings generally requires a binary, on-versus-off, approach. That won't fly for the business who needs some ActiveX for some applications, but not the vast majority of everything else.

The central theme behind any Privilege Management solution is granularity, shattering a wide array of on-versus-off decisions into every possible shade of grey. With a well-designed Privilege Management solution in place, it becomes possible to easily identify which ActiveX controls are allowed to run, which controls users are allowed to install, and which will never be on your network at all. Another problem solved.

Exerting your Control over a Very Bad Windows

John's proud of his growing IT experience, but that expansion of his knowledge also stymies him on some days. Some days, more IT knowledge just adds more questions that remain unanswered.

It's Windows itself that has him scratching his head most days. He can't help but wonder 'what were they thinking' some days as he stares down a Windows control that's locked away from users who need it. Other times he needs to open access to a different Windows control for just a few users ' without giving them more than they need, and without giving access to everyone.

'Bad Windows,' John thinks with exasperation, 'Very bad Windows.'

A Very Bad Windows is one where the scope of privileges your users require ' changing system time, adjusting network settings, installing some (but not all) applications ' isn't perfectly matched with those you can give them.

Take adding local printers, for example. For some reason, adding a network printer is a task even the lowliest standard user can accomplish. On the other hand, need to add a local printer and you're looking at elevation straight to administrator, or a complex dance of Group Policies, security settings, and device class GUIDs that few understand and fewer still have the time.

Changing the computer's time, running application installers, adjusting network settings, the Very Bad Windows possesses a respectably large set of actions that are locked out to everyone but Administrator. Handing out those privileges too often requires handing out Administrator, and that's the very worst thing one could do when desktops and laptops might end up anywhere.

A Privilege Management solution is like a jigsaw, slicing and dicing the Very Bad Windows into its disparate components and associated privileges. You'll still have the complete picture, but the actions inside are now fractured into their constituent parts. With those parts, one need no longer assign 'Administrator versus non-Administrator'. Instead, one can assign discrete control over every Windows control and every Windows action. Problem solved with prejudice, Bad Windows.


Figure 3: Critical Actions Needing Administrator

'So, it's a Solution I'Need?'

Pretty much. Windows doesn't accomplish this Privilege Management nirvana very well on its own. Doing so with the Windows native tools requires a hodgepodge of hacks, Group Policy settings, privilege adjustments, and no small amount of research into tracking down the details of each. For the overworked Jack-of-all-Trades IT professional, who can rarely find the time to research each in-depth, a Privilege Management solution is a perfect fit for solving IT's biggest permission problems.

Recognize also that a freshly-installed Privilege Management solution all by itself nets you'an empty framework. While such a solution will greatly ease the process of bringing control to your IT assets, getting there requires a bit of up-front work. That work includes figuring out what privileges your users actually need, in comparison with the ones they have.

That's why a further necessity is identifying the specific instances of privilege application that solve your unique problems. Tracking down those instances can be a challenge all to itself if you're working in a vacuum. Avoid that vacuum by seeking solutions that bring together the IT community at large, giving you the opportunity to learn the tricks of others while sharing those you've learned.

Privilege Management might not solve every IT problem, but it sure comes close. Just getting rid of the widespread distribution of Administrator rights is satisfaction enough that you're smartly protecting your network from its biggest attack vector: Its users.