Least Privilege and the risks of admin rights explained
At REMC1 we recommend that our clients follow a policy of "Least Privilege" (not logging in with admin rights) when granting rights to users. The principle is simple, and applying it correctly greatly increases your security and reduces your risk. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code that will often run automatically, without user intervention, when a website is visited. It also prevents malicious programs masquerading as legitimate software from being installed accidentally, among many other attacks.
To explain further: operating under a normal user account without admin credentials blocks 94% of Microsoft vulnerabilities. Malware and the lures that deliver it are so cleverly disguised that even tech-savvy users can click on them. Antivirus is important, but many recent studies find it effective in stopping only 30% of infections because of the ever-changing malware variants. Caution is always appropriate, but there is almost no way to avoid infection entirely, especially when websites can be infected and load malware onto your PC without any user interaction at all. The organizations that REMC1 supports which adhere to the industry-standard best practice known as "least privileged access" have nearly eliminated their infection rate. Infections will spread through network shares to all PCs as well as destroying the infected PC, so this is an important item to consider. When you factor in ransomware, the risk is losing all of an organization's data, requiring a complete restore of multiple network servers. This causes the loss of all work performed by the whole organization since the last backup, and restoring all data and fixing network services would likely take multiple days, causing further disruption.
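A quick way to check whether a workstation is actually following the least privilege model is to audit who holds local administrator rights and whether the signed-in user's session carries them. The PowerShell script below is an added example, not a REMC1 script; the account names in $ExpectedAdmins are placeholders you would replace with the accounts your organization intentionally grants admin rights to.

```powershell
# Added example (not REMC1's own tooling): audit a Windows workstation for
# least-privilege compliance. Requires the Microsoft.PowerShell.LocalAccounts
# module (included with Windows PowerShell 5.1 and later on Windows 10/11).

# Accounts that are expected to be local admins. These names are constructed
# placeholders for the example; replace them with your own sanctioned accounts.
$ExpectedAdmins = @('Administrator', 'IT-Support')

# 1. List every member of the built-in Administrators group and flag anything
#    that is not on the expected list (e.g. a day-to-day user account).
$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    # Member names come back as COMPUTER\name or DOMAIN\name; keep the part after the backslash
    $shortName = ($m.Name -split '\\')[-1]
    if ($ExpectedAdmins -notcontains $shortName) {
        Write-Warning ("Unexpected local admin: {0} (type: {1}, source: {2})" -f `
            $m.Name, $m.ObjectClass, $m.PrincipalSource)
    }
}

# 2. Report whether the current interactive session is running with admin rights.
#    A standard user should see the second message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Session for $($identity.Name) is running with administrator rights."
} else {
    Write-Output "Session for $($identity.Name) is a standard (least-privilege) user."
}
```

Run it from a normal user session on a workstation; the first part needs only read access to the local group, and any account it warns about is a candidate for having admin rights removed and, if software installs are needed, handled through the REMC1 deployment process described below.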
REMC1 Staff will do all we can to minimize impact
REMC1 will do all we can to help minimize the impact on member organizations that choose to adhere to the best practice least privilege model. Here are some items to keep in mind: most applications and services are now online and in the cloud, requiring no applications to be installed locally (webmail, Google Docs, and Student Information Systems such as Powerschool and Skyward). Most other applications used are installed by default when the machines are deployed (Microsoft Office, printers, and tools used in computer labs). REMC1 can push out almost any application from our computer and software management system (KACE) or, if needed, remote into any PC and install software (rare).
Citations: Antivirus isn't enough: https://www.tripwire.com/state-of-security/latest-security-news/70-of-malware-infections-go-undetected-by-antivirus-software-study-says/
94% of Microsoft Vulnerabilities are blocked by turning off admin rights: https://www.computerworld.com/article/3173246/security/94-of-microsoft-vulnerabilities-can-be-easily-mitigated.html
Least Privilege (not using admin permissions) explained in detail: https://www.beyondtrust.com/blog/what-is-least-privilege/