As security procedures and practices continue to tighten, some departments have made it standard operating procedure not only to require that the primary workstation user account be a limited logon ID (as opposed to an administrator ID), but also that the primary workstation user have no knowledge of the administrator ID's password.
For departments where IT support staff are limited (in time or personnel), an alternative accepted by the auditors is to configure the workstation with two logon IDs, a limited ID and an administrator ID, with the passwords of both accounts known to the primary workstation user. The limited ID is used for daily work and the administrator ID only for software updates and installations.
Below are the guidelines that should be considered the minimum required for users who know both the limited ID and administrator ID passwords. Please make sure the individuals in that category are provided this information.
I also suggest you keep some record of which customers fall into the category of having access to both IDs and that they have been provided the content below. Please let me know if you have questions regarding this practice.
When to use the standard limited logon ID
All normal daily use including the following:
- Reading e-mail
- Web browser use
- Use of Adobe or Office products
When to use the Administrator ID
- Installation of software
- Updates of Windows operating systems
At least once per month, around the second Wednesday, log in with the administrator ID and ensure the latest Microsoft patches have been downloaded and are ready to be applied. Install the updates and reboot the workstation.
- Updates or patches for non-Microsoft products. Patches are released at various times for the following products:
  - Adobe Flash and Adobe Reader
Responsibilities associated with providing administrator logon ID access
All workstation users that have the ability to login as an administrator should understand the following responsibilities.
- Use administrator ID only when warranted
- Patch operating systems and applications as updates are released/issued.
- Only install software licensed to your department or for your specific workstation
If for some reason the customer is unable to accept the responsibility and comply accordingly, please instruct them to inform the IT support staff.
Just to clarify, the objective of this practice is to make sure normal web use does not cause malware to be installed without the user being aware. Most current Microsoft operating systems prompt for an administrator password when the user is not logged in as an administrator, instead of only asking them to select 'Continue' or 'Cancel', so an attempted software installation becomes much more obvious. Under those conditions, when a password prompt appears that was not initiated by the workstation user, they should be instructed to select Cancel.
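As an added example (not part of the original memo), the following PowerShell script lets support staff confirm that a workstation actually matches the setup described above: the daily session is a non-administrator ID, UAC is enabled, and the UAC policy makes a standard user enter administrator credentials rather than denying silently or elevating without a prompt. The registry path and value names are the standard Windows UAC policy settings; the function name is my own.

```powershell
# Added example: read-only audit of the limited-ID / administrator-ID model.
# Run it from the limited (daily-use) account; it changes nothing.

function Test-LimitedUserSetup {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $policyKey

    # Is the current logon an administrator? For daily use it should not be.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # ConsentPromptBehaviorUser: 0 = deny elevation silently, 1 = ask for credentials on
    # the secure desktop, 3 = ask for credentials on the normal desktop. Values 1 or 3
    # produce the password prompt the memo relies on; 0 would hide the attempt entirely.
    # ConsentPromptBehaviorAdmin: 0 = elevate with no prompt at all (the weak setting).
    # A missing value reads as $null and therefore fails the check.
    $findings = @(
        [pscustomobject]@{ Check = 'Daily logon is a limited (non-admin) ID'
                           Pass  = (-not $isAdmin)
                           Value = $identity.Name }
        [pscustomobject]@{ Check = 'UAC enabled (EnableLUA = 1)'
                           Pass  = ($uac.EnableLUA -eq 1)
                           Value = $uac.EnableLUA }
        [pscustomobject]@{ Check = 'Standard users get a credential prompt'
                           Pass  = ($uac.ConsentPromptBehaviorUser -in 1, 3)
                           Value = $uac.ConsentPromptBehaviorUser }
        [pscustomobject]@{ Check = 'Administrators are not elevated silently'
                           Pass  = ($uac.ConsentPromptBehaviorAdmin -ne 0)
                           Value = $uac.ConsentPromptBehaviorAdmin }
        [pscustomobject]@{ Check = 'Prompts shown on the secure desktop'
                           Pass  = ($uac.PromptOnSecureDesktop -eq 1)
                           Value = $uac.PromptOnSecureDesktop }
    )
    return $findings
}

Test-LimitedUserSetup | Format-Table -AutoSize
```

Any row with Pass = False means the workstation does not give the user the password-prompt signal this memo depends on and should be corrected before the two-ID arrangement is accepted for that customer.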