Computing Without Administrator Rights, Part 2: The Journey Continues
When I set out to remove my administrator rights just over a month ago, I expected it to be a harrowing journey. There were some challenges as noted in my earlier blog entry due to poor planning, but the beginning wasn’t too bad. I thought I would have stories to tell every week, but to be quite honest it has been a quiet few weeks with little to no disruption to my daily work.
As I mentioned, I used Arellia Application Control Solution to create a number of elevation policies for applications that required administrator rights. I also have a self-elevation policy so I wouldn’t need to go to and create policies to elevate on my management server. All of my applications have worked perfectly fine and the only time I have needed elevated rights has been for software installs or upgrades.
In terms of upgrades, I thought I would do some software maintenance and see how it went. First, I updated iTunes and tried without elevation, where the install unpacked, then eventually requested administrator rights. So I self-elevated the iTunes installer and everything worked fine (other than needing to restart Oulook (why I thought?) and the overall install taking a very long time). I needed an FTP client and elevated an installer to install that. I also need a WordPress utility and installed that with self-elevation just fine. The only action that required me to modify my policies was an Evernote upgrade. It has no problem telling me that I needed an upgrade, but won’t let me do it as a Standard User. I tried my default self-elevation policy and it still didn’t work. I made a small tweak to give that policy some additional rights and no problem.
Now in a real world environment, IT would review my self-elevation actions and either send me a nasty note, add those installers to a permanent elevation policy, or just acknowledge the event and move on. In my case, all events were logged which allowed me to write this article as I can’t’ remember everything I’ve done.
In summary, removing administrator rights has been way too easy when using Arellia Application Control Solution. I’m really pleased with how seamless the experience has been and recommend it to everyone due to the many issues with vulnerabilities exploiting the privileges of the running user (see our recent Microsoft and Adobe research). I may write one more article unless it continues to be smooth sailing in which case, remove those rights and leverage Arellia to bring things into balance. It works!