Damn You Admin Rights!

Centero’s guru Janne Tjäder casts a few curses on admin rights.

What is a closed environment? 

By a closed environment we mean a workstation environment in which the end-users don't have admin rights. In everyday terms this means that an end-user, with their own user ID, can't perform any operation that requires admin rights, such as installing an application or changing network settings.

When the IT environment in question is large enough, this is entirely appropriate: it's important to keep the level of workstation standardization (meaning the similarity between workstations) as high as possible, because it ensures that the workstations work as they should and leaves you fewer problems to tackle.

However, a closed environment has its own challenges. How do you resolve a situation where a person is on a business trip and needs an application installed on their device, or wants to connect to a customer's network? How do you deal with a situation in which the access level of the user's own ID isn't high enough? Typically, the user is given the password of the device's local admin ID, but once that password is out there, can you still call it a closed environment? Not really.

It's common knowledge that the biggest threat to a company's cyber security is its employees and their carelessness.

Unfortunately, this also applies to the use of admin IDs, meaning that the level of standardization is not the only thing taking a hit: the level of cyber security suffers too, almost without exception, and this time not only because of the users' carelessness but also for technical reasons. Many viruses and other malware make use of admin-level IDs, and they can really sink their teeth into the system when the workstation is used with admin rights.

Perform admin-level operations wherever, whenever, without the admin rights

[Image: Carillon_blogi_kuva2]

For the problem described, we have developed a thorough, purpose-built tool called Centero Carillon. Let's start off with an example. Our example company, Centerock Oy, has started using Carillon and created a closed environment with it, so the users don't have admin-level rights on their own devices. When a user is on a business trip and starts to install a printer, the operating system shows a notification about insufficient rights (picture on the left). As you can see from the picture, Windows 7's User Account Control (UAC) window also offers Centero Carillon as an option when entering the admin's ID information.

[Image: Carillon_blogi_kuva1]

The user now calls their organization's IT support and tells them they are trying to install a printer but their rights are not sufficient for the operation. IT support creates the necessary activation code and passes it on to the user, who enters the code into the Centero Carillon field (picture on the left) and clicks "Yes". This starts the installation, which works like a charm (picture below on the left).

[Image: Carillon_blogi_kuva3]

And as you can see, the user never received the password for an admin-level ID (or even the name of such an ID). All they had to do was enter a code that is valid for one operation (or, if needed, for an extended period). The person who creates the activation code (usually IT support) also determines its validity period. No internet connection is needed to use the code, so it works even if the workstation has no internet access.
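The post describes the activation code only by its properties: it is valid for one operation or for a period set by IT support, and the workstation can check it without an internet connection. The PowerShell below is an added illustration of how such a code can be built with an HMAC, not Carillon's implementation. It assumes a per-device secret shared between the workstation and the help desk at enrollment (a constructed sample here) and a short nonce shown in the elevation prompt that the help desk copies into the code request; the function and parameter names are hypothetical.

```powershell
# Added illustration (not Centero Carillon's mechanism): an HMAC-based activation code
# that a workstation can verify with no network access.
# Assumptions: a per-device secret shared with the help desk at enrollment (constructed
# sample below; in practice stored DPAPI-protected and readable only by SYSTEM), and a
# short nonce displayed in the elevation prompt that ties a code to that one attempt.
# Function and parameter names are hypothetical.

$script:Epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

function ConvertTo-UnixSeconds([datetime] $Time) {
    return [int64](($Time.ToUniversalTime() - $script:Epoch).TotalSeconds)
}

function New-ActivationCode {
    # Run by IT support: code = "<expiry-unix-seconds>-<16 hex digits of HMAC-SHA256>"
    param(
        [Parameter(Mandatory)] [byte[]]   $DeviceSecret,
        [Parameter(Mandatory)] [string]   $Nonce,       # value displayed by the prompt
        [Parameter(Mandatory)] [datetime] $ExpiresUtc   # validity period chosen by IT support
    )
    $expiry  = ConvertTo-UnixSeconds $ExpiresUtc
    $message = [Text.Encoding]::UTF8.GetBytes("$Nonce|$expiry")
    $hmac    = [System.Security.Cryptography.HMACSHA256]::new($DeviceSecret)
    try { $tag = $hmac.ComputeHash($message) } finally { $hmac.Dispose() }
    # 8 tag bytes as 16 hex digits: short enough to read out over the phone, far too
    # many possibilities to guess within the validity window.
    $short = ($tag[0..7] | ForEach-Object { $_.ToString('x2') }) -join ''
    return "$expiry-$short"
}

function Test-ActivationCode {
    # Run on the workstation: recompute the tag and compare in constant time
    param(
        [Parameter(Mandatory)] [byte[]] $DeviceSecret,
        [Parameter(Mandatory)] [string] $Nonce,
        [Parameter(Mandatory)] [string] $Code,
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    if ($Code -notmatch '^(\d{1,12})-([0-9a-f]{16})$') { return $false }
    $expiry = [int64]$Matches[1]
    if ((ConvertTo-UnixSeconds $NowUtc) -gt $expiry) { return $false }   # validity period over
    $expected = New-ActivationCode -DeviceSecret $DeviceSecret -Nonce $Nonce `
                                   -ExpiresUtc ($script:Epoch.AddSeconds($expiry))
    $a = [Text.Encoding]::UTF8.GetBytes($expected)
    $b = [Text.Encoding]::UTF8.GetBytes($Code)
    if ($a.Length -ne $b.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

# Constructed sample: the secret from enrollment and the nonce shown by the prompt.
$secret = [byte[]](1..32)
$nonce  = 'K7Q2-9HD4'
$code   = New-ActivationCode -DeviceSecret $secret -Nonce $nonce -ExpiresUtc ([datetime]::UtcNow.AddMinutes(30))
Test-ActivationCode -DeviceSecret $secret -Nonce $nonce -Code $code     # code presented to the prompt it was issued for
Test-ActivationCode -DeviceSecret $secret -Nonce 'OTHER' -Code $code    # same code presented to a different prompt
```

Binding the code to the prompt's nonce is what makes it single-use: the workstation generates a fresh nonce for every elevation prompt, so a code read out over the phone for one installation does not elevate a later one. A code meant to cover many operations over an extended period would be generated without the nonce, which is why the expiry is embedded in the code itself and checked against the workstation clock. The per-device secret is the whole security of the scheme: anyone who can read it from the workstation can mint codes, so it must be stored where only SYSTEM can read it, and the help desk side must record who requested each code and why, as the post describes for Carillon's own log.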

What was so great about what just took place here? 

The user was able to install the printer without a hassle, even though they didn’t have admin-level access rights on their own user ID 

The user didn’t get access to an admin-level ID or password, just a one-time activation code 

When the IT support created the activation code, they added a log on what the code was given for and for how long. 

This means there is a trace of every transaction in the database, and you can later monitor how many temporary admin rights have been granted and for what reasons.

A sophisticated user could, of course, request temporary admin rights and then try to add their ID to the group that grants permanent admin rights. However, Centero Carillon lets you control who can, or must, have permanent admin rights. If a user's ID doesn't match that configuration, it is removed from the group within a minute.
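The enforcement just described (an ID that is not on the approved list disappears from the admin group within a minute) is a reconciliation loop. The script below is an added illustration of that idea for the local Administrators group, not Carillon's own code. It assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Server 2016 and later, a scheduled task running it every minute as SYSTEM, and a constructed approved list and event source name.

```powershell
# Added illustration (not Carillon's code): reconcile the local Administrators group
# against an approved list, as a job scheduled to run every minute as SYSTEM could.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and
# later). The approved list and the event source name are constructed sample values.

function Get-UnapprovedAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $Approved,
        [string] $Group = 'Administrators'
    )
    # Member names come back as "COMPUTER\user" or "DOMAIN\group"; -notcontains compares
    # case-insensitively, so the approved list can be written in any case.
    Get-LocalGroupMember -Group $Group | Where-Object { $Approved -notcontains $_.Name }
}

function Invoke-AdminGroupReconciliation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Approved,
        [string] $Group     = 'Administrators',
        [string] $LogSource = 'AdminGroupGuard'   # assumed event source, registered on first use
    )
    $removed = @()
    foreach ($member in (Get-UnapprovedAdmins -Approved $Approved -Group $Group)) {
        if ($PSCmdlet.ShouldProcess($member.Name, "Remove from local group $Group")) {
            # Remove by SID rather than by name; the SID is what the group actually holds
            Remove-LocalGroupMember -Group $Group -Member $member.SID
            $removed += $member.Name
        }
    }
    if ($removed.Count -gt 0) {
        # Leave a trace in the Application log so the removal can be audited later
        if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
            New-EventLog -LogName Application -Source $LogSource
        }
        Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 4001 `
            -Message ("Removed unapproved member(s) from {0}: {1}" -f $Group, ($removed -join ', '))
    }
    return $removed
}

# Constructed sample: the built-in local Administrator plus the domain's admin group.
$approved = @("$env:COMPUTERNAME\Administrator", 'CENTEROCK\Domain Admins')
Invoke-AdminGroupReconciliation -Approved $approved -WhatIf   # dry run first; drop -WhatIf to enforce
```

Two points matter in practice. The approved list must come from somewhere the temporarily elevated user cannot edit (a management server or a file that only SYSTEM can write), otherwise they add themselves to the list instead of to the group. And Get-LocalGroupMember is known to fail on some Windows builds when the group contains orphaned SIDs of deleted accounts; wrap the call in try/catch and fall back to `net localgroup` or ADSI if that happens, since a loop that silently stops running is exactly the gap a user with temporary rights would benefit from.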

[Image: Carillon_blogi_kuva4]

In this example the operating system requested ID information when the user tried to install a printer, as the user's ID didn't have sufficient rights. Carillon also adds new options to the operating system's login menu, so if you need to, you can use the activation code to log in to a workstation (see picture).

More information on Centero Carillon 

With Centero Carillon, it's fast and easy to create a closed environment in which the end-users can request temporary admin rights. You can also use the same product to manage local groups, IDs, and passwords, and on top of that Carillon's reporting features are excellent.

>> Read more about Centero Carillon