Why is account separation so important? Don’t run as local administrator

Why is account separation so important?

When we perform Cyber Essentials and IASME Cyber Assurance assessments and consultancy with our customers. One of the main areas that we see where people fail on is that they are not using account separation in their daily operations. Meaning that they are not using a separate standard user account with their administrative account as per best practice.

When we bring this up with the customer, a lot of people ask why do we need to use separate accounts? As it just makes our lives harder, this is especially if they are working in IT or are software developers or are management.   A lot of IT departments are also afraid to restrict their senior management, thinking that removing administrative access from their machines, will increase their complaints to IT or will receive the wrath of management.

However, by implementing separate accounts for everyone and defaulting their access to a standard account on their devices within the business (and at home), you are protecting your information and with very little impact or overhead when it comes to requiring account separation.

When setup correctly, people can continue with their everyday operations as they used to, only when, they require an administrative action, such as installing software, configuring devices and so forth will they then be prompted for an administrative login. When prompted all the user then needs to do is enter in the credentials for the separate administrative account, if they know it, or contact IT for access and continue with their tasks.

By having this type of account separation in place, you are making sure that if your device ever got compromised, that the amount of access to the device is limited. That the attacker would not have full access to the device and would generally not be able to go any further without having administrative access.

Staff should be trained to understand these methods of working and be on the lookout for unexpected access requests from the device. For example, if a user is working and then is suddenly prompted for administrative access, why is this?  They should contact IT to see what is going on and should not simply give access if it was not expected.

This sort of access and management of accounts can be combined with the recommendations from NCSC with regards to access management, which can be found here: https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management

For information on how to create separate accounts on your computer, you can follow these articles below. Just remember that once, you’ve created a new administrative account, that you change your daily account to a standard user account.

So if you are working at home or at work and are using an account with full administrative access for your day to day account, stop, setup account separation and keep your machine safe.