SENS Best Practices for Windows User Accounts

SENS recommends Power User rights for accounts on Windows workstations. Many instances of malware/viruses (and these can even come from legitimate sites and sources) do much greater damage to the operating system and other data files when a user is logged onto the system as an Administrator. We have taken this approach by default as it is also common in many other institutions and it is considered a best practice.

We understand that a user needs Administrator privileges to install software. We are not preventing users from installing software as we can elevate user rights to Administrator at any point when he or she needs it to install software. If the request for Administrator access comes from a student, we will direct the user to his/her advisor for approval.  

Elevating user rights to Administrator and reducing back down to Power User only takes a minute, and we can usually make the change within a few hours of receiving a SENShelp ticket. We have found that users are not adding and removing software on a daily basis to necessitate constant administrator rights, and we do try to make these changes as quickly as possible.

When a user is always logged in with an Administrator account, it exposes the computer to additional risks of virus infection. If the computer does get infected, all time saved with the submission of tickets to elevate/reduce permissions will be negated, as the remediation is days, not minutes.