Limiting User Rights

This video explains the importance of limiting users' rights on a network and the considerations needed to allocate access rights.
Limiting Users’ Rights. Now, when it comes to limiting a user’s rights on the network, it’s never really a fun decision to make. On one hand, if we make things too limited for users, we’re going to upset them and most likely impede their ability to do their actual job. On the other hand, if we make things too open, we also potentially leave our users and our network open to malicious hackers.
So, in a study by Varonis, 70% of all sensitive files were accessible to all employees. On average, every employee had access to 17 million files. So that’s a pretty scary statistic, especially when we start considering things like, well, if all employees had access to sensitive files, these some 17 million files, then if one of those employees who probably shouldn’t have access was, say, a malicious insider, they could potentially grab the information and use it for their own profit against the company. They could delete those files. Or they could quite simply unknowingly open an email that had ransomware in it and encrypt all these critical files. This is why limiting user rights is important.
But we do need to think this through. So, some issues if we limit too much: in the case shown previously, a ransomware attack, again, can encrypt your entire network’s files. An insider attack, malicious or otherwise, might accidentally or intentionally delete these important files. A user may be able to elevate their own user rights and permissions. A user might be able to create an admin account.
A user may install software that violates company policy or legal requirements, or that conflicts with other software. And a user may remove critical software that’s needed, or disable it, or otherwise hamper your network or the protections that you put in place. So again, whether the user is intentionally trying to harm the network or doing it accidentally is a little bit irrelevant. It’s the fact that they are able to do this, and may do this, that’s potentially going to cause a problem.
So this is why we need to protect our users and the network from outsider attacks and insider attacks by limiting their user rights.
So we need to come up with a plan when we begin limiting user rights. So, perception: it’s irrelevant if a user doesn’t use certain network rights. The moment you take them away, many users are going to feel like they’re being targeted or unfairly restricted. Now, again, this comes down to perception: “I used to have this. Now you took it away.” Again, whether they ever used it: if you take, say, remote access, RDP, away from a user, that user may never have used it in their life. But the moment they’re told, “well, we’re taking away remote desktop rights,” it’s “well, hey, I might want to use that one day. Why did you take it away?”
Again, that’s just a matter of perception. Determine what rights people need to do their jobs effectively. It’s far easier to set users’ rights restricted to begin with and ration them back out, rather than taking rights away later. If you need to start taking user rights away, you need to have a plan: when to do it, how you’re going to do it. And most importantly, you really need to have communication out to your staff on why the change is occurring. If you don’t tell users what’s going on and the reason why you’re doing it, if it’s not properly explained to them, again, they may feel targeted. They may feel that you’re being unfair to them.
And with admins, you may consider a secondary admin account. So the idea behind this is that you have two different accounts for admins. One is for everyday use, where you have access to the everyday things that you need access to. Your secondary account, which you only use when absolutely necessary, would have elevated privileges, such as making changes to the domain or other higher-level access. Now, the idea behind this is that your everyday driver account will be more limited. So since you use that one the most, if it gets attacked and then exploited, it’s going to do less damage. Now, this may not work in certain situations. But it is a suggestion.
Now, in wrapping up, a user with too many rights is a potential risk, whether this is accidental or intentional. User rights should be restricted to as close to an as-needed basis as possible. And oftentimes, it’s not possible to restrict user rights down to exactly what they need, for various reasons. So having the approval of management once you figure out how many rights people are going to have is going to help, because at least if you have management’s approval and blessing, then it can actually become part of the rules for the office. And then you have something to fall back on.
So this was about limiting user rights. In the next video, we’re going to be talking about application reduction and why you should slim it down. Thank you for watching. I’ll see you in the next video.

You have already learned about the importance of educating network users on network threats, about ensuring employees know how to report possible threats, and about the considerations you need to make when balancing network security and network accessibility for users. In this video, you will learn more about what to consider when allocating users different rights on your network.

Over to you: Check your user rights on your work computer. If you also have a personal computer, note what the differences may be. Share your comments in the section below.
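One way to do that check on a Linux or macOS machine, as an added example that is not part of the course material: the script below lists files that every local user can read or write, which is the POSIX counterpart of the “sensitive files accessible to all employees” figure in the video. It reads POSIX permission bits only (Windows ACLs would need a different approach), and the paths and modes in the sample list are constructed.

```python
"""Find files that every local user can read or write.

Added example for this course step (not FutureLearn's own code). It checks
POSIX permission bits only; Windows ACLs would need a different approach.
"""
from __future__ import annotations

import os
import stat
import sys
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Finding:
    path: str
    mode: int            # permission bits, e.g. 0o666
    problems: list[str]  # what the "other" class (everyone) can do with the file


# Constructed sample entries standing in for a scan of a real file share.
SAMPLE_ENTRIES = [
    ("/srv/hr/payroll.xlsx", 0o666),     # everyone can read and modify
    ("/srv/hr/handbook.pdf", 0o644),     # everyone can read (fine for a handbook)
    ("/home/alice/notes.txt", 0o600),    # owner only
    ("/usr/local/bin/backup", 0o4777),   # setuid AND writable by everyone
]


def classify_mode(mode: int) -> list[str]:
    """Describe what the 'other' class can do, given a POSIX mode."""
    perms = stat.S_IMODE(mode)
    problems = []
    if perms & stat.S_IROTH:
        problems.append("world-readable")
    if perms & stat.S_IWOTH:
        problems.append("world-writable")
    # A setuid/setgid program that anyone can overwrite is a privilege
    # escalation path: replace the contents and wait for the owner to run it.
    if perms & (stat.S_ISUID | stat.S_ISGID) and perms & stat.S_IWOTH:
        problems.append("setuid/setgid and world-writable")
    return problems


def audit_entries(entries: Iterable[tuple[str, int]]) -> list[Finding]:
    """Return a Finding for every entry that grants anything to 'other'."""
    findings = []
    for path, mode in entries:
        problems = classify_mode(mode)
        if problems:
            findings.append(Finding(path, stat.S_IMODE(mode), problems))
    return findings


def audit_tree(root: str) -> list[Finding]:
    """Walk a real directory and audit regular files (symlinks are skipped)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                entries.append((full, st.st_mode))
    return audit_entries(entries)


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count how many files carry each problem."""
    counts: dict[str, int] = {}
    for f in findings:
        for p in f.problems:
            counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise show the constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_tree(root) if root else audit_entries(SAMPLE_ENTRIES)
    for f in results:
        print(f"{f.path}  {f.mode:04o}  {', '.join(f.problems)}")
    print("summary:", summarize(results))
```

Run it as `python audit_rights.py /path/to/share` to scan a real tree; without an argument it reports on the sample list. World-readable is not automatically wrong (the handbook is meant to be read by everyone), which is the judgement call the video describes: the output tells you what everyone can reach, and management sign-off decides what should stay that way.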

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.