Limiting the risk of a virus or spyware infection
Part of our role as a trusted technology advisor is to look at the issues our clients are experiencing, identify common themes and trends, and create comprehensive approaches for dealing with these issues across our client base.
One of the more disruptive and time-consuming issues we’ve identified over the past few months is spyware infections. The most effective strategy that we’ve found to combat this is to ensure that users aren’t using an account with administrative privileges on their local workstations for day-to-day work. Yet this poses its own challenges, given the need for users to perform legitimate tasks from time to time that might require administrative rights, such as installing a basic application or printer drivers.
Sure, there are the hard-liners that will lock down a network like Fort Knox, but we find that these stiff strategies aren’t practical or realistic when it comes to managing IT for small and midsized companies.
So, since we’re not a draconian IT company – and because we always endeavor to strike a balance between security and usability – we’ve designed a system that consists of two parts:
- The creation of a specialized desktop administration account that can be used when administrative privileges are needed to perform a specific task on a workstation, such as installing an application or printer.
- The removal of users from the local workstation’s administrators group.
The idea is that the username and password for the specialized account are kept by the company’s primary IT contact and shared with employees on an as-needed basis. This way, employees who are surfing the web and accidentally click on a link or launch an application that would otherwise result in an infection are effectively immune (since they don’t have the required level of permissions to install the nefarious application) but have access to the specialized account for those tasks requiring administrative privileges.
We also lock down the specialized account so that it doesn’t have access to company data, to further discourage users from using this account for day-to-day work.
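As an added illustration (not our production tooling, and not code from the original post), the two parts listed above could be applied to a single Windows workstation with the built-in LocalAccounts cmdlets as follows. The account name DeskAdmin and the -Apply switch are hypothetical, and the script assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example. 'DeskAdmin' is a hypothetical account name; choose your own.
param(
    [string]$AdminAccount = 'DeskAdmin',
    [switch]$Apply   # without -Apply the script only reports what it would do
)
$ErrorActionPreference = 'Stop'

# Resolve Administrators by its well-known SID; the display name is localized.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Part 1: the dedicated desktop administration account.
$account = Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue
if (-not $account) {
    Write-Output "Missing account: $AdminAccount"
    if ($Apply) {
        # Prompt for the password so it never appears in the script or history.
        $password = Read-Host -AsSecureString "Password for $AdminAccount"
        $account = New-LocalUser -Name $AdminAccount -Password $password `
            -Description 'Desktop administration tasks only'
    }
}

$members = @(Get-LocalGroupMember -Group $adminGroup)
if ($account -and $account.SID.Value -notin $members.SID.Value) {
    Write-Output "Not yet an administrator: $AdminAccount"
    if ($Apply) { Add-LocalGroupMember -Group $adminGroup -Member $account }
}

# Guard against lockout: never strip admins unless the replacement exists.
if ($Apply -and -not $account) { throw "No $AdminAccount account; aborting." }

# Part 2: remove day-to-day user accounts from Administrators.
# Kept: the dedicated account, the built-in Administrator (RID 500), and
# group members such as Domain Admins, which are not individual users.
$toRemove = $members | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.SID.Value -notlike 'S-1-5-21-*-500' -and
    (-not $account -or $_.SID.Value -ne $account.SID.Value)
}
foreach ($m in $toRemove) {
    Write-Output "Remove from Administrators: $($m.Name)"
    if ($Apply) { Remove-LocalGroupMember -Group $adminGroup -Member $m }
}
```

Run without -Apply, the script makes no changes and doubles as an audit of who currently holds local administrative rights. Restricting the specialized account's access to company data is a separate step that is not shown here.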
So far, this approach has worked quite well and does a good job balancing usability with security.
