User Least Privilege...A Simple Solution to Protect Your Data

Posted: February 27, 2013

In the past, computers set up for use in the College were configured so that the primary users were machine administrators. As administrators, users could install their own programs and make system-wide changes. Unfortunately, the increased threat of computers becoming compromised by malware (malicious software), has required us to make changes to the way users operate their computers and necessitated the implementation of a User Least Privilege model.

In today's computing environment, it is incredibly easy to come into contact with malware (malicious software). Visiting websites, even sites that users think are safe, can result in unintentionally downloading malware. If a user unintentionally downloads malware, Ag IT is required to remove the computer from the network, take it and scan it for personally identifiable information (PII). If PII is found, there are costs associated with informing owners that their information may have been compromised. Even if no personal information is found, users lose access to their computer for a period of time.

To protect our users and their data, as well as our networks, Ag IT has needed to identify strategies for reducing the potential risk of malware threats. Anti-virus programs and firewalls can do a lot, but are not enough. The simplest solution, providing the most protection for users, is a model called User Least Privilege.

So what is User Least Privilege? It means giving a computer user account only those privileges or “rights” on a computer which are essential to that user's work.

Ag IT, in accordance with PSU's AD20 policy (section f under System administrators), now operates under a User Least Privilege model. On computers that we rebuild or set up, primary users are no longer configured as administrators. The accounts used to log into computers on a daily basis do not allow for the installation or update of software programs or other system changes. However, users can still perform everyday tasks such as checking email, working with Microsoft Office or collaborating with colleagues via Adobe Connect. While this new model of operation limits the ability for users to legitimately install and update programs and make system changes (Ag IT can still install and update programs on behalf of users), it also limits the ability for malware to inadvertently become installed.

For users with unique needs, requiring administrative access to their computers, Ag IT can and does make accommodations. Upon request, users can be given a second account with administrative rights. This administrator account is only used when software needs installed or updated or when system changes are required. 

Ag IT is confident that implementation of the User Least Privilege model is an effective way to minimize risks associated with malware attacks.

If you would like to learn more about User Least Privilege mode or administrative rights on your computer, please feel free to contact the Ag IT Helpdesk and we would be happy to answer any questions you have.