Application Adminstrator Rights Analysis
One of the first challenges an organization faces when deciding to remove end-user administrator rights is determining what applications require such rights. Many times the approach is to remove administrator rights, see who complains and add those users back to the administrators group. Over time, large chunks of an organization still have administrator rights due to applications that are not compatible when run as a standard user. Let’s look at how this can be addressed.
There are four application types that typically require administrator rights:
- System Utilities: Some of these utilities make sense to restrict from standard users including computer management, turning Windows features on or off, or allowing remote access. Others such as the Disk Defragmenter, changing the system time, or adding language packs may be appropriate
- Installers: Most installers will not run by a standard user. There are some installer exceptions that will still install to the users directory such as browsers (as noted in Application Control and Web Browsers), but anything that adds files or folders to the Program Files or Windows directories will not work.
- Self-Updating Applications: Financial applications are a good example as they need to update their files for tax codes and or changes to the program for new logic. If these application’s files are located in Program Files or Windows, they will require administrator rights.
- Legacy Applications: Many older applications are coded to be run by a local administrator account and will not work otherwise. These may be third party or internally developed applications.
Having this information is helpful, but identifying applications, particularly self-updating or legacy applications can require time consuming testing.
Arellia Application Control Solution identifies applications that require administrator rights enabling an organization to create policies granting rights to the application (not user) in preparation for removing administrator rights. With those policies in place, applications will work normally to a user and eliminate a nasty call to the helpdesk and\or adding that user back to the local Administrators group.
About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.