I've found a lot of times that "the big boss" in a company want to be able to install "anything" and to do anything in their computer.
Of course we can tell him that it is bad because the IT system administrators lose control over the computer, and so on.
Any irrefutable argument to convince big bosses that it's better to not have administrator privileges on their desktop-computer?
The only time I was even a tiny bit successful on this was a boss who was willing to use run as with alternate credentials if he wanted to install something. I explained that even the sysadmins logged onto systems with normal accounts most of the time and then created him his very own admin account that he was only to use when he wanted to do something special. It was actually very effective, and kept his machine from getting totally screwed up in the two years that I was at the company. This was a relatively savvy CEO who was able to understand the whole run as thing, and I'm sure he had stuff on there I wouldn't have approved, but at least it stopped him from passively screwing stuff up.
Tell them they can have the same access that domain admins get, and then give them exactly that:
The idea is that the privileged account should be broken enough that it's less painful to stay logged in as a standard user most of the time; the boss will only want to use the privileged account when he really needs it. Big bosses almost always rely very heavily on access to e-mail and report systems, so if you can make accessing these from the privileged account a little less convenient you're in good shape. Half the time your boss will just forget the credentials anyway.
If this still doesn't satisfy them, then go ahead and hand out a full domain admin/root account, but still do it as a separate account from their normal working account — after all, they are the boss. Make sure the account is heavily audited. At this point, what they're often really looking for anyway is just an insurance policy or hedge against a rogue admin; they need to feel like the buck stops with them if it comes to it, and as long as they have a standard user account for their day to day work there's nothing wrong with this.
None, except to let them know it will take at least 3 to 4 hours to cleanup his computer when he's hopelessly hosed it up.
Just fair warning..
I only do contract work, so I do whatever my Customers tell me to or, if I really don't like it, I exercise the "bailout clause" in my contract.
With that in mind, most people have had some kind of "malware" experience today. I discuss with the Customer how malicious software that they run via browser bugs, etc, has all the same rights nad privileges as the user account they're logged-on with (including access to their email and their keystrokes, not to mention resources on servers).
Normally I get a question like "Why won't the anti-virus software take care of it?" We then have the "arms race" talk-- the one about how the malware people are downloading the same updates to anti-malware software that you are and engineering around the new "signatures", etc.
I top it all of by explaining that I use limited user accounts on all my computers (and have done so for years).
This is all it has taken me to convince users to run with limited-user accounts. In a few occasions I've had to let the user have a malware experience first (which invariably happens), but since my services typically come with a very clear indication of the related expense attached, it usually only happens once.
I generally create "Administrator"-level users as either local accounts or domain accounts (along with restricted groups policy to actually give the user account "rights"), depending on how many computers the user needs the access to. I make sure not to name it in any of the groups used by the day-to-day user account, and not to give it access to their Exchange mailbox. I want the "Administrator" level account to be as useless as possible for anything except installing software / drivers on their PC.
This strategy has saved me a lot of headaches and has saved my Customers a substantial amount of money. It takes "people skills" to have the conversations you need to have, and being a contractor certainly helps matters, but it's definitely a surmountable problem.
Unfortunately, there's not much you can do to the guy who is signing your paycheck. :-)
The best (practical) advice I could give you would be to make sure you have a good backup routine in place for his system and let him go hog wild. LOL
It really boils down to this:
SOMEONE has to be in the driver's seat. Its his company so clearly he's the boss. The best you can do is ADVISE him as to the best course of action (with anything) and then let him make an "informed decision". If he doesn't go with your advice... and there's a screwup... its HIS fault for not listening.
If he DOES follow your advice and there's a screwup... its still HIS fault because HE made the decision. Remember, HE'S in the driver's seat.
Now... this will get you some weird looks from time to time... even a chuckle or a laugh.
But sure to explain that THE DIFFERENCE is... your clean up YOUR messes (for free) and do your very best to resolve the situation. The other he pays you to clean up and you reserve the right to "preach" at him for 5-10min and he agrees to listen.
Try to keep it on the FUNNY side.
I've never had a problem explaining this logic to a business owner. Most of them already know it. Its just fun to explain it in blunt (yet gentle) terms. ;-)
Instead of trying to convince him that he is wrong, perhaps you should try and find some way to compromise. Perhaps allow him to run a copy of VMware with a guest vm he can go wild on. Try and give him the ability to accomplish what he thinks he needs to do in a way that will still leave him with a stable managed system.
Really, you probably need to make the business case that he can either have a computer that is reliable and that can be restored when it fails or he losses his computer because you know exactly what is on the system and how to fix it and where all the media is. Or he can have a computer that he is responsible for, and when the computer gets broken, you cannot guarantee that you will be able to do anything other then format+reinstall.
Try and communicate the risks and what you do, and try to reach a compromise. Consider setting up a VM, or a dual-boot setup or something that allows him the flexibility he needs/wants, but still lets him have a stable system.
Tell him that he should really set the example the rest of the company should follow.
If he starts to "customise" his (worst case) laptop with "internet downloads" then his Director for Sales will, the Finance Director will, the Assistant Sales Director will, the Sales guy's will, the technicians will, customer services will etc etc.
Then, explain that a) the risk to the BUSINESS INFRASTRUCTURE is increased (fancy finding all your customer and order information on the internet), b) sets a slack security and professionalism culture in the organisation, and c) cost a lot more in support and reduced reliability.
If he wants a play machine, then let him do it on his own PC but a business PC / Laptop / Equipment is for business purposes.
It's a grown up thing...
I don't understand the one-sidedness of the answers here. The big cheese gets what the big cheese wants.
Will a non-technical executive get into some trouble of their own making?
Maybe -- but look at that as an opportunity to get a first hand ability to show off your abilities and get some facetime with the guy signing the checks. Giving a talented young admin exposure to the CEO is a great way to give the kid facetime and makes the promotion process easier... "Remember the guy that saved the day last month..."
Or you can take the grumpy, by-the-book approach, piss off the CEO and give your boss heartburn.
I totally sidestepped the issue and bought the CEO a very expensive very high end (at the time) Mac workstation with a huge studio display. He loved the exclusivity, I loved the fact that there was a little bit less trouble he could get in to. I maintained the ability to ssh in and run top just to keep an eye on things. Luckily he was not a laptop guy.
Tell him that very few Hospital Bosses perform Brain Surgery or any Surgical Procedures for that matter.
Rather than try to stop the boss from installing stuff on his machine, I think you are better off figuring out a way to keep his computer from causing wanton destruction of the rest of your IT systems when he/she inevitably gets some virus after disabling the virus scanner.
If this question is coming up, I would guess that the organization doesn't have explicit policies in place to deal with this kind of request. If these were in place, it would be a no-go, or he'd be going on record filing the special requests to get the privs. Or he'd be asking you violate policy. ahem.
There's not much you can do. There's no magic argument if somebody doesn't get it or your boss or organization doesn't recognize the possible risks. You can take the stance and say no and but that may or may not work and it may lead to bad feelings.
Bottom line: if a boss isn't concerned with the appearance of preferred treatment or risk associated with users running as admins AND you (or your dept) don't have the acknowledged authority to deny the request, you might as well give it to him.
The best you can do is try to formulate some polite "this is against best technical practice" statement, back his stuff, up and let him go to town.
I've found that most managers have one of two styles of computer usage: they are either extremely hands-off because they have more important things to do than playing with a computer, or they like to get in there and mess around.
The hands-off managers are no problems - you set up their computer, tell them what they can and can't do and make sure you're always there if they do need to install something (and have as many options as possible - e.g. a local account w/ admin access, tested remote access over VPN, etc.).
In my case, almost all of the managers and VP-level guys who liked to install or configure things on their computers had killed their computers at some point, so we didn't have too much trouble with locking theirs down. A couple of them we had to tell about the local admin account to make them happy, but they understood the risks of doing something without involving us or at least asking us first.
The president, however, never understood how much it was costing when he killed his system, but he retired before we got to try our final attempt at a solution: we were going to get him two computers, one locked down with all our standard stuff installed, and a second one that he could install anything that struck his fancy on. He liked small notebooks long before the term "netbook" was coined, so I figured he could carry two of them around, but just one power supply.
Explain that having administrative privileges makes his computer more vunerable to hackers, who could steal company secrets, destroy data or abuse services, or viruses, which could destroy data or cause him to be part of a botnet, which could open them to computer criminal charges if they partake in a DoS attack or such like.
In addition, explain that if they accidentally damage something, they could be without their computer for a few hours (or days) while you try to fix it. If they do not have administrative privileges, then they will have less ability to break things.
You need the IT policies in place first - the technical solutions are always based on them, not the other way around, no matter how obvious some technical setups like non-admin user accounts seem to us.
I'd ask him what it is he thinks he can't do with the privleges he has. Other than that, give him the admin rights- he's signing the overtime check when he breaks it.
What we have done is explain what has already been mentioned... if we have to clean up a system, it means they are without their system for that period of time. We also have a strict policy that we make a quick assessment. If cleanup is going to take longer than an hour, or if we can't quickly assess the extent of the infection, we just re-image the system. The problem with this, as far as the executive is concerned, is now all their toys are gone. But since we didn't know what was on the system or where to get all the install packages... you get the idea. You may not have such leverage but it is worth a try.
Ultimately, the big boss has to make a business decision as to what is acceptable to him/her. We may disagree with it technically all we want, but it is not our business. If we can't live with said decision, we always have the option of looking for employment elsewhere.
By the way, if you're looking for a resource to help with this argument, check out the following site: Threatcode.com. I don't know up to date it's kept, but it's been touted in the past.
If you go head on and say "you can not do this" with the guy that is signing you pay check then you will loose!
Like always, you need to twist and turn to get round this. The answer can only be found if you understand why he wants to be admin.
If it is technical you may be able to convince him, but if it is about "power" and being your boss you out of luck. It is very hard to convince a boss that he needs less privileges than the people that he is bossing over, that would probably mean from his point of view that they are allowed to do more than him and that turns the normal hierarchy up side down (and most bosses don't like that).
So choose your words with care and don't forget the human side of this problem.
\computername\c$ to his PC, read all his documents, copy them, paste them into a different location and then present him with an example of what a hacker will do to his system and do with all his personal info if he get's infected because he wanted to browse to odd sites or download free games from somewhere.
It will probably get you fired. I have been in the situation before and it is a no-win situation. I am in another one right now. I work for a company that doesn't give a hoot about giving local admin rights to users. We have virus/spyware/malware issues ALL THE TIME. On top of it all, our desktop guy is a noob, but very cocky, as if he invented the internet.
Anyway, I am a network admin. I just block the really bad sites and try to prevent stuff from my end, but the dumb users always seem to find a way. Glad I don't have to cover for the desktop guy very much.
