The "3 Bears" of Privilege Identity Management
At some point in your life you have heard the story of Goldilocks and the Three Bears and learned the perils of extremism: too hot, too cold, just right. It turns out that corporations today still haven't learned Goldilocks' lesson and are saddling corporate users with the extremes of administrative/root privileges ("over privileged") or standard user/guest privileges ("under privileged") instead of brokering privileges based on role and corporate policy ("least privilege") to let everyone do their job without the fear of "misuse of privilege".
Applying the principle of least privilege across the enterprise is not a difficult undertaking. It starts with an understanding that any user with admin rights (Administrator or Protected Administrator) to their Windows desktop, or root access to Unix, Linux or virtualized servers, has effectively omnipotent privileges to do whatever they want, whenever they want to do it. Users who are set up as Standard User or Guest have limited authority and often need to engage the help desk or a manager to type in the admin password for simple functions like adding a printer, changing the system clock to accommodate business travel, updating a version of an application or downloading an ActiveX control from a favorite website.
Many personal productivity and legacy applications have also been written expecting admin rights, resulting in the dreaded "AppCompat" problem. Once you've identified who is "over privileged" and who is "under privileged", it is simply a matter of establishing the appropriate "least privilege" environment. Check out Microsoft MVP Darren Mar-Elia's latest whitepaper on this subject entitled "From Least Privilege to Best Privilege on Your Windows Desktops".
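As an added example (not from this article or the whitepaper), a PowerShell check that helps with the "identify who is over privileged" step on a Windows desktop: it lists members of the local Administrators group against an approved list and reports whether UAC, which is what turns a full Administrator into a Protected Administrator, is switched on. The `$ApprovedAdmins` entries are assumed placeholders for your own policy.

```powershell
# Added example, not from the article: audit a Windows desktop for "over privileged" accounts.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).
# $ApprovedAdmins is an assumed placeholder; replace it with the principals your policy allows.

function Get-OverPrivilegedAccounts {
    param(
        [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Desktop-Admins')
    )
    # Every member of the local Administrators group is effectively omnipotent on this host,
    # so anything not on the approved list is a candidate for least-privilege brokering.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Type     = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved = ($ApprovedAdmins -contains $_.Name)
        }
    }
}

function Get-UacStatus {
    # EnableLUA = 0 means UAC is off: admins log on with a full token and there is
    # no "Protected Administrator" (filtered token) at all.
    # FilterAdministratorToken = 1 applies Admin Approval Mode to the built-in Administrator too.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UacEnabled                    = ($props.EnableLUA -eq 1)
        BuiltInAdminInApprovalMode    = ($props.FilterAdministratorToken -eq 1)
    }
}

# Report: members to review, then the UAC posture of the machine
Get-OverPrivilegedAccounts | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Get-UacStatus
```

Run it from an elevated prompt on the desktop you are assessing; a non-empty table or `UacEnabled = False` points at an "over privileged" configuration to remediate.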