Account privileges
Each account can be assigned a range of specific privileges, from a standard user account (with no systems access) to a full local administrator account. Gaining access to administrative rights on the Windows operating system is one of the key attack vectors that needs to be prevented in every organization and even on personal PCs. Administrative rights are required when changing configurations or installing software, both of which should not be carried out by users, and therefore all user accounts should be restricted to standard user accounts only.
Where there is a genuine need for a user to be granted local admin rights on a computer, they should never be assigned to the user’s main account that they use for gaining access to email, documents, and websites. This leads to the potential for a user to open a document, or click on a hyperlink, that contains malware. A better design approach is to create a local user account specific to this user and provide...