The Biggest Security Risk: You
It's not news that employees are often the enemy of IT security, from idly surfing questionable sites to downloading screen savers ("But it said it was safe!") to more famous cases of opening misleadingly flattering e-mails. But are they network security Public Enemy Number One? A new report says just that.

Employee misuse of computer systems was determined to be the biggest threat to the security of computer systems, an even bigger threat than viruses, according to the Computer Security Institute's annual survey. This was the first time in the 12 years the survey has run that insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each, respectively. While virus incidents fell 7 percent from the previous year, employee-related incidents jumped by almost 10 percent. Evidence of other employee-caused security concerns was seen as well, with 25 percent of surveyed organizations reporting instant messaging misuse.

This is not the first time the finger has been pointed at employees for IT security snafus. In FaceTime Communications' second annual Greynets Survey, released on Jan. 17, 39 percent of users said they believed that they should be allowed to "install the applications they need on their work computers," independent of IT oversight or policy. Another 53 percent of users reported they "tended to disregard" company policies that governed usage of IM and peer-to-peer file sharing.

Are employees the missing link in your IT security policy, or just the easiest to scapegoat?
Comments (6)
Totally agree. I run a departmental IT in an organization that has no IT policy whatsoever.
We have some 500 employees in 18 countries and thousands of partners.
I hear "I want a pretty wallpaper!" and the head of the Org IT dept comes and fixes permissions on an XP Pro and gives users Admin rights!
Then of course you have a spam issue and worse, email-harvesting trojans. I don't want to go there.
End user is the weakest link in enterprise security.
Posted by konstantin | October 9, 2007 12:29 PM
+1
Widespread admin rights are one of the biggest issues in any organization. For a long time we had an application in use (inventory and sales tracking software) which stored writable files in a subfolder of \System32 of all freaking places!
Now that the software in question is changed, we no longer need admin rights for local users on workstations - but taking them away is proving diplomatically difficult. We're trying to set up a limited power user scenario, but implementation is a long long long time away.
Posted by bagheera | October 9, 2007 1:39 PM
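The first step in the "take admin rights away" conversation the comment above describes is knowing who actually holds local admin on each workstation today. The script below is an added example and not code from the commenter or from eWeek: it queries the local Administrators group on a list of workstations, normalizes local-account names, and reports every member that is not on an approved allow-list. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) on the target hosts, WinRM reachable for Invoke-Command, and that the hostnames and group names shown are placeholders to replace with your own inventory.

```powershell
# Added example (not from the comment above): audit local Administrators membership
# across workstations and list accounts that are not on an approved allow-list.
# Assumes Get-LocalGroupMember is available on the targets and WinRM is enabled.
# Hostnames and group names below are placeholders, not real values from this page.

param(
    [string[]]$ComputerName = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02'),
    # Local accounts are reported with the prefix 'LOCAL\' after normalization,
    # so the built-in Administrator account is listed as 'LOCAL\Administrator'.
    [string[]]$ApprovedMembers = @('LOCAL\Administrator',
                                   'EXAMPLE\Domain Admins',
                                   'EXAMPLE\Workstation Admins')
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Run on the remote host; replace '<hostname>\' with 'LOCAL\' so the
        # allow-list does not need one entry per machine for local accounts.
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            $prefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
            Get-LocalGroupMember -Group 'Administrators' |
                ForEach-Object { $_.Name -replace $prefix, 'LOCAL\' }
        }
    }
    catch {
        # An unreachable host is itself a finding: it was not audited.
        [pscustomobject]@{
            Computer = $computer
            Member   = $null
            Status   = "Unreachable: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($m in $members) {
        # -contains is case-insensitive by default, which matches Windows account names.
        $status = if ($ApprovedMembers -contains $m) { 'Approved' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Computer = $computer; Member = $m; Status = $status }
    }
}

# Full picture on screen, unexpected members to a CSV for the follow-up discussion.
$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results |
    Where-Object Status -eq 'UNEXPECTED' |
    Export-Csv -Path .\local-admin-drift.csv -NoTypeInformation
```

Run it from an account that already has admin rights on the targets; the CSV gives a per-host list of accounts to remove or to justify, which is the evidence that makes the "diplomatically difficult" part easier to argue. Re-running it on a schedule also catches the drift the first comment describes, where a helpful administrator quietly re-grants admin to fix a permissions complaint.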
As a manager of systems and networks for businesses in the financial services industries, I am horrified that many of these applications REQUIRE administrative privileges to run. My customers are regulated by SOX, NASD, and SEC agencies, but the applications provided by Bear Stearns, Bloomberg, IBT and others require administrative privileges, and often require that things like Java be held back from the latest version.
The applications are what force administrators and users to choose a platform (Windows), and if those applications are designed in an insecure manner, they are creating a forced environment where the user is literally 1 click away from blowing everything up. Administrators are caught between a rock and a hard place and are constantly worrying about the next potential problem.
-dave
Posted by Big Dave | October 9, 2007 5:22 PM
I agree with the 3 prior commenters, especially Big Dave: FORCING use of Windows and FORCING installation and operation only with administrative rights is the BIG, BIG, BIG WINDOWS snafu. I know on my personal computer admin rights are required for the majority of apps; even some screen savers! I am considering using BDS and running WINDOWS under it for better security (hopefully).
Posted by Stan | October 9, 2007 11:27 PM
Actually, I have a question instead of a comment. Aren't companies creating images which lock down user rights?
Posted by T | October 10, 2007 12:58 AM
Companies that have 'locked down' images are the lucky ones. What I have seen are some vendor specific services are made available to the customer via things like Citrix sessions (which is more akin to dumb terminals). This gives the customer (my user) the ability to do only specific things for that individual service.
My users have to use a wide and dynamic variety of applications which are constantly being changed with a frequency and lack of documentation such that the administrator cannot adequately lock down user accounts without risk of disabling a necessary application. My attempts to avoid certain vulnerabilities (like using Firefox instead of IE) are often unsuccessful because these application/service vendors choose to create IE-only offerings. The list goes on and on. The common use of Outlook creates another huge set of vulnerabilities. I am unwillingly coerced to support insecure practices because of the business culture demanding to be like everyone else. It is an untenable and unwinnable situation.
Hopefully things like Virtualization, Terminalization (Citrix, Terminal Services, SAAS) will reduce the reliance on insecure systems (Windows w/admin rights), and possibly free administrators from the Windows ecosystem entirely (even if a little at a time).
-Big Dave
Posted by Big Dave | October 11, 2007 3:28 PM