@Dashrender said in Re-evaluating Local Administrative User Rights:
@nadnerB said in Re-evaluating Local Administrative User Rights:
@Obsolesce said in Re-evaluating Local Administrative User Rights:
If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.
An ounce of prevention is better than a pound of cure.
Policies are only good if they're followed, HR & management are only good if they have the balls to do something.
Chances are that a rogue actor won't care about policies or HR.
Right - but IT shouldn't be doing anything that HR and management aren't standing behind them on.
I know I hate this thinking/logic as much as most of the next IT pros, but if you really think about it, IT is an extension of the business - it really needs to allow/not allow only the things the business specifically cares about. Getting in the way of the rest just because "we know better" is not a reason to do it.
I have to remind myself of this on a near daily basis.
Example - we had users logging into Chrome on shared computers. This really bothered me because they never logged out before walking away. I rolled out a policy on those computers forcing them all into incognito mode, which prevented their ability to log in - of course it also changed the display to black and huge letters of incognito mode... I did inform all the users of the change, but still got pushback.
Then one of the stakeholders told me - remind me to tell you to not install a rollcage in my car - when I told him why the change was done. Basically, he was telling me it wasn't my place to protect him because that was not an onus he or the other stakeholders put on me. He was right of course, and I instantly removed the incognito mode.
Always do what your boss wants, sure.
In my case, we're given our security requirements from further up the food chain, so our management don't have a choice in the matter.