A Policy Change: Admin Rights

This year we’ve made a number of policy changes to how Lineal protects your technology, data and users – part of a programme of adjustments designed to help our clients keep their organisations secure.

One of these is a change to how we manage security permissions. In future, we’ll be stricter about how and when we allow administrator (‘admin’) privileges to be used.

 

What does this mean?

Put simply, we expect no end-user to use an administrator account for their routine work.

Where a user needs administration privileges as part of their official role, we expect a separate admin account to be created for this function, with some extra protections put in place.

All admin accounts should be named to indicate the owner, assigned to only one individual, authorised by management, and protected by Multi-Factor Authentication, where available.

 

Why are Lineal taking this step?

Admin accounts carry enhanced powers – often to install applications, access raw data or bypass safeguards – each of which represents a more significant cyber security threat where an admin account is misused or compromised.

In the event of a cyber security breach, it’s not uncommon for attackers to leverage admin accounts to attack other systems or users laterally, using heightened account privileges.

Reducing the number of administrator accounts, their use, and the risk of an account breach, all help to maintain strong cyber security within your organisation.

We’re also acting in line with the current requirements of the UK NCSC’s Cyber Essentials Scheme, as well as ISO 27001, CIS benchmarks and NIST 800-60.

 

Does my organisation need to budget for this?

No – this change will be a guiding principle for the assignment of existing/new admin privileges.

 

My organisation is subject to a compliance standard / framework, what do I do?

If you’re already subject to any specific controls over the distribution of administrator privileges, please contact us to discuss further, and we’ll do our best to explain how these changes support or enhance your existing controls.

 

What if I don’t want to do this, because of _________?

Where a client still allows a user to have local or domain administrative rights for standard duties, we’ll now require you to declare this to us in writing – as part of a disclaimer accepting liability for any adverse consequences of this decision.

We’ll also make clear that any remedial works required by us following an incident caused by this decision will be chargeable.

 

Who can I speak to about this?

Please contact our IT Support Teams via our Client Portal, via [email protected] or, 01271 375999, and one of our team will be happy to assist.

Here at Lineal we’ve generally been impressed with the release of OS X El Capitan – but the release of Apple’s latest operating system has not come entirely without pitfalls.

Some of our own staff experienced printing problems for the Mac version of Microsoft Office 2016 – these have fortunately already been rectified in update version 10.11.1 by a humbly apologetic Apple.

One of the most notable surprises however was the outright removal of functionality that long-time Mac users have had from the earlier days of personal computing.

Apple’s Disk Utility app update has removed the ability to verify and repair disk permissions on your Mac, leaving users with no way to verify incorrectly installed programs with the correct disk permissions to read/write to their hard drive.

At Lineal we’ve always advised users to verify and repair disk permissions after major updates, and even some Apple software regularly flags up as in need of verification.

Apple has made two sweeping generalisations: firstly, that Mac users only need to run software that immediately cooperates with their hardware (a big assumption) and secondly that users will be content to let Apple worry about the details of their computer maintenance.

Personal computing today feels a little less personal. Mac users have become used to the idea that Mac updates are very reliable, and worthwhile installing promptly – yet the sudden removal of longstanding features puts this in doubt for the first time.

Should we all trust manufacturers? A question for Volkswagen.

Lineal can offer Tech Support for a range of Apple devices: get in touch with us today via 01271 375999 or contact us online. 

Flickr: M Dreibelbis