Taking away those rights -- identifying all non-administrative users as standard computer users, required to log on, with parameters to what they can and, especially, can't do to and with their computer -- sharply cuts those exposures.
The point here is not just the decrease in exposure (although the elimination of 92% of Windows critical vulnerabilities that BeyondTrust sees as a consequence of limiting admin privileges is anything but small potatoes) and the security enhancement that results, it's the reminder of the need for a re-think of just what employees are and aren't allowed to do with company equipment, company networks and on company time.
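A practical first step toward the standard-user model described above is finding out who actually holds local admin rights today. The following PowerShell audit is an added example, not code from the article or from BeyondTrust: it lists members of the local Administrators group and flags any that are not on an approved list. The approved names (`Administrator`, `IT-Admins`) are constructed placeholders, and the removal step runs with `-WhatIf` so it only reports what it would do.

```powershell
# Added example (not from the article or BeyondTrust): audit the local
# Administrators group and flag members outside an approved allow-list.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# Hypothetical allow-list: the built-in admin account plus an IT admin group.
$approved = @('Administrator', 'IT-Admins')

$unexpected = @()
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Member names come back as DOMAIN\name or COMPUTER\name; compare the short name.
    $shortName = ($m.Name -split '\\')[-1]
    if ($approved -notcontains $shortName) {
        $unexpected += $m
        Write-Output ("UNEXPECTED ADMIN: {0} ({1}, {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    }
}

# Report-only by default: -WhatIf shows which members would be demoted without changing anything.
foreach ($m in $unexpected) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
}

Write-Output ("{0} unexpected member(s) of Administrators found." -f $unexpected.Count)
```

Run it from an elevated prompt on each workstation, or push it through your management tooling, and review the flagged accounts with the user's manager before dropping `-WhatIf`; a user who genuinely needs elevation for one application is better served by a targeted exception than by a blanket admin account.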
The problem, as I see it, and as more than one small and midsize business has commented, is the confusion between privileges and rights when it comes to employee computer use.
That confusion flows from half a dozen -- or half a hundred, or more -- factors, not least of which is the fact that the technologies used in business -- computers, software, the Internet -- are also consumer technologies. Employees are accustomed to surfing the Web, installing games and other programs (and, to be fair, productivity apps that they're partial to), social networking, IM, file sharing, etc., and etc. squared.
Taking away these privileges involves reminding employees that their business computer isn't their personal computer, and can no longer be treated as such.
Problem is -- and it's not a small one -- that personal use of computers in the workplace has come to be seen as an entitlement, a fringe benefit, a perk of sorts.
Limiting admin rights to IT administrators and supervisors creates more work for them, of course, which is another issue in times of tightened budgets and resources.
It all comes back to the necessity of establishing and enforcing formal technology-use policies (BeyondTrust, of course, would argue that such policies are best backed by privilege management software).
Without those policies in place, and enforced, the situation becomes... well, it becomes what the BeyondTrust research shows: an environment filled with unnecessary exposure of vulnerable systems to a threat environment that's actively looking for those very vulnerabilities.
The company will be hosting an admin rights elimination webinar on February 11; register here.