This post was originally written for the Canadian IT Pro Connection blog, and can be seen there at http://blogs.technet.com/b/canitpro/archive/2012/09/13/the-shoemaker-is-no-longer-barefoot.aspx.
For years I have been espousing the need for, and the value of, locking down client workstations in a corporate environment. Part of the SWMI Story – the secure, well-managed IT infrastructure for which I named my company – is that every user in the organization should have the rights and permissions to do their job… and nothing more.
Most corporate users are issued a computer that they use in the office (and at home or on the road) that is domain-joined, and because of all of the security threats out there, the SWMI Story is very clear that these computers should be locked down. If users want a computer to surf websites that are not business-related, play games, watch movies or anything else, then they should invest in a home computer (or laptop). I know that it is not fun to travel with multiple laptops (better than most!) but the bottom line is that unsecured client workstations are a stepping stone on the path to compromised server infrastructures… and that is bad news for everyone but the hackers.
One of the reasons that client machines have to be locked down is that most people do not think about IT security during the course of regular computer use. Because I am always thinking about security, coupled with the fact that if something goes wrong I am pretty good at fixing it, I have been quite lax with my own laptops over the years. After all, I own them and the servers; I built and maintain the infrastructure, and of course I am in charge of IT security. So for the last few years, as I have been advocating otherwise, I have been logging on as the Domain Administrator on every laptop I have carried.
Last week I joined Microsoft Canada’s DPE Team as a Virtual Technical Evangelist. Although it wasn’t actually a requirement, there were real advantages to reimaging my primary laptop (an HP EliteBook 2740p) with the Microsoft corporate image. I was all happy once it was done… until I went to perform a simple operation and got a UAC window asking me for administrative credentials. I entered my corporate credentials… and had a sinking feeling in my stomach when it came back with a DENIED message.
Fortunately the internal image allows you to install Windows with a local Administrator account; I was able to add my corporate account to the Local Administrators group so I don’t have to keep going into that account to make changes.
For the first time in many years I am not an exception to the rule… and rather than trying to find a way around it, I accept that while I need to be a local administrator, there is no way that anyone is going to make me a domain admin. However, this means that I am exactly in line with the statement I made in the opening paragraph… I have the permissions to do my job, and nothing else. In order to do my job I need to be a local administrator… and nothing more!