A security firm recently reported that computers have seen a 52 percent increase in the number of reported vulnerabilities in OS and other software. Most of these vulnerabilities can be mitigated simply by removing access to Windows administrator rights. Blocking admin rights on machines prevent malicious software from infecting a machine. Another study has shown that over 90% of all vulnerabilities could have been prevented if the user did not have administrative rights.
We realize that these limitations can have business implications. For instance, a traveling CSUN employee may need to print something but can't load a printer driver. Or someone joining an online meeting might need to download an applet.
CSUN's policy is to restrict access to administrative rights for any employee with access to Level 1 data. In addition we strongly recommend that all other employees not run their computer with administrative rights. Even if a user does not have access to confidential data, with administrative rights a potential exploit of their machine can impact other machines on the CSUN campus network.
The following mitigations can reduce the potential loss of productivity:
- Tools that can temporarily grant access to administrative rights. Please consult your local tech for information.
- Standardized builds across departments. It is far more efficient and secure to have standard builds instead of custom builds for each end user.
- There are tools that can remotely install software. Please consult your local tech for more information.
- A CSUN employee may be granted a second ID to their machine which does grant them the right to install software. This ID should be used only to install software or configure their machine. The employee must not run applications with this userid. This needs permission from the supervisor and then the VP or Dean.