Problem solve Get help with specific problems with your technologies, process and projects.

How can I persuade my boss from letting users have administrative access to their machines?

Does upper management not understand how fuzz is affecting your network? Use this expert response from network administration expert Lindi Horton to convince your boss that users should not have administrative access to their machines.

I have a real hard time trying to persuade my boss that users should not have administrative access to their machines. Talk about fuzz factor! Half of the hours are spent in ICQ, Skype, porn sites, matchmaking, tweaking, CD/DVD-copying, etc. Where can I obtain relevant information that I could cite as argument?

As is my favorite engineering answer: it depends. My best advice to you is to learn to speak to your manager as a manager would understand your point of view. For example, you give many technical reasons why users in your organization should not have administrative rights on their machines. However, to create a policy of that nature, you would want to quantify this reasoning in a way that your management team would understand.

First, log how many hours you (your team) spend working on correcting and troubleshooting individual PC problems. By logging the number of hours and incidents, you can first identify if there are recurring instances by a particular user. This user or set of users would be the first to implement a policy of restricted access. Second you can use this number as an indicator for how often you and your team are spent troubleshooting an issue. This time takes you away from other key strategic initiatives that the management teams wants you to focus your time on, e.g. new application rollouts, improving the network backbone, or upgrading servers. In my experience, this falls right in line with the classic 80/20 rule. Eighty percent of the problems are coming from 20% of the users. Perhaps the management team would be more amenable to implementing a policy for those 20% users without affecting the entire user population.

Second, one of your better arguments for enforcing some sort of security policy would be to argue productivity of the users. Non-business critical applications require resources, bandwidth, and are inefficient uses of people's work hours and time. The easiest way to quantify this is to provide metrics around bandwidth consumption for non business critical applications (NetFlow/IPFIX/SFLOW, etc.). Most security related events these days with regard to intellectual property stem from abuses of email and other internal systems. You can argue that productivity is lost for these users and design a strategy to limit their access to certain Web sites.

Of course I would be remiss if I did not warn you that implementing this policy could make you very unpopular in the eyes of your end users. Also be aware that enforcing these policing activities also requires your time and energy. For users with these policies in place, they will request special access to read or get some essential item for their work. They will also be forced to ask you to help them install software that will help them do their jobs. It is essential to understand administrative costs of these types of policies prior to implementing them.

This was last published in July 2007

Dig Deeper on Campus area network

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.