

by Greg Shields
We IT professionals are comfortable with our Administrator privileges. They’re the admin rights that give us complete power over our Windows domain. They give us the ability to manage our computer as well as the computers of our users. Without the godlike control that we wield as a function of our user account being in the Administrators or Domain Admins group, we simply wouldn’t be able to do our job.
There’s no question that we in IT need administrative privileges. However, the question constantly arises whether our users need them as well. Think about the actions on a system that require administrative privileges:
This list is by no means comprehensive. The actual list of every potential task in the Windows operating system (OS) that requires administrative privileges is likely very long. In fact, in researching this article, I wanted to find out for myself exactly what actions comprised that comprehensive list.
I quickly discovered that such a list—as released by Microsoft itself—likely does not explicitly exist. It is possible to construct such a list by researching individual actions independently. But no single, centralized clearinghouse for every possible action that requires administrative privileges appears to have ever been released by Microsoft.
Part of the problem is that, according to my source, there simply does not exist enough internal coordination between individual Microsoft product teams to create and manage this list over time. The project is simply too unwieldy.
Mind the Shield
Thankfully, this stunning realization on my part doesn’t necessarily mean that you can’t create such a list on your own. In fact, with the release of the Windows Vista and Windows 7 OSs, Microsoft’s internal coding standards have forced the exposure of a graphical mechanism to alert when administrative privileges will be required to accomplish an action. That graphical mechanism is the “shield” icon that you see attached to many common tasks.
Right-click any network adapter in Network Connections, and you’ll bring up its context menu. In that context menu, you’ll see that five of the available options have Microsoft’s shield icon next to them. Disabling, renaming, deleting, viewing properties, and bridging connections of adapters all carry this icon, and as such are actions that require administrative privileges.
In fact, in Windows Vista and Windows 7, you’ll see Microsoft’s shield throughout the OS. It appears within Control Panel items. It appears when viewing context menus. A tiny version of the shield even appears within the icon of certain installations when they’re viewed in Icon mode. All of these are visual indicators to a user that administrative privileges will be required to accomplish the action.
Yet knowing that elevated privileges are required is one thing. Actually having those privileges when you need them is quite another. Many IT organizations today find themselves forced to hand out administrator rights to regular users simply because those users require the rights in order to accomplish their jobs.
Unfortunately, as we all know, the problem in doing this is that users having administrator rights can be the number one source of malware infection and other system problems. According to a March 29th, 2010 press release from BeyondTrust, 90% of critical Windows 7 vulnerabilities reported at that time would have been better protected had users not been granted administrator rights in the first place (Source: http://www.beyondtrust.com/company/pr/2010/2010_03_29_Windows_7_Vulnerabilities_Mitigated_by_Eliminating_Admin_Rights.asp). The same holds for 100% of 2009’s Microsoft Office vulnerabilities as well as 94% of vulnerabilities associated with Internet Explorer. In short, eliminating administrator privileges is a smart thing for protecting your company.
Eliminating administrator privileges is so difficult because rooting out the use cases where they’re needed involves a lot of research, and not a little bit of guess-and-check. But it is possible to rein in your distributed administrator rights.
Your assistant in getting this done comes from a strange bedfellow, one that you’ve probably despised, railed against, complained about, and probably even turned off: User Account Control (UAC). If you’re using Windows Vista or Windows 7 today, you’re already familiar with UAC. Although by no means a perfect solution, you can tune it to make it a helpful ally in scaling back your distribution of administrator privileges. This series will give you some tips and tactics on how to do that.
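A starting point for the research described above is knowing who currently holds local administrator rights on a machine and how UAC is configured there. The following PowerShell is an added example, not code from the article or from Microsoft; the function names are hypothetical, and it assumes an English-language OS where the built-in group is named "Administrators".

```powershell
# Added example: report local Administrators membership and the current UAC policy.
# Assumption: the built-in group is named "Administrators" (English-language OS).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The ADSI WinNT provider works on PowerShell 2.0, which is included with Windows 7.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Class    = $class                          # User or Group
            Member   = ($path -replace '^WinNT://', '')
        }
    }
}

function Resolve-Setting($Map, $Value) {
    # Translate a registry DWORD into its policy meaning; absent values are reported as such.
    if ($null -eq $Value) { 'Not set' }
    elseif ($Map.ContainsKey([int]$Value)) { $Map[[int]$Value] }
    else { "Unknown ($Value)" }
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    New-Object PSObject -Property @{
        UacEnabled    = ($p.EnableLUA -eq 1)
        AdminPrompt   = Resolve-Setting $adminPrompt $p.ConsentPromptBehaviorAdmin
        StandardUser  = Resolve-Setting $userPrompt $p.ConsentPromptBehaviorUser
        SecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
    }
}

Get-LocalAdminMember | Sort-Object Class, Member | Format-Table Computer, Class, Member -AutoSize
Get-UacPolicy | Format-List
```

Entries of class User in the first table are the individual accounts to review; a machine reporting `UacEnabled : False` or an `AdminPrompt` of "Elevate without prompting" is not getting UAC's help at all.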
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of Microsoft’s “Most Valuable Professional” award.
