Why should your users use least privilege on their corporate computers?

If a business allows its users to install whatever software they choose and/or make configuration changes, it runs an increased risk of the machine's security being compromised. I recommend that, wherever possible, businesses refrain from giving end users administrative rights over the machines they use, thereby preventing users from installing software or making configuration changes that affect the system as a whole.

Regular user accounts CAN still customise items that affect only the current user, such as the desktop background, and in principle most day-to-day activities should be possible without using an Administrator-level account.

By installing a piece of software, the user is implicitly trusting both the author and the distributor of that software: trusting that there are no backdoors or security vulnerabilities in the software itself. In addition, there are many cases of malicious software "piggybacking" on perfectly legitimate code because the distribution point (often a website) was compromised. To ensure effective security it is critical to install software only from sources you have reason to trust.

If the user is allowed (by virtue of having administrative rights over their machine) to make configuration changes, they could accidentally disable security features such as the firewall, rendering them ineffective.

Some applications don't work properly when run without admin rights, and whilst ideally such code should be replaced, in the real world that's often not feasible in the near term. Vista makes life easier, but you certainly CAN run XP without admin rights AND be productive - I did so for a couple of years. In such situations I advise giving each user TWO accounts - one with admin rights and one without - encouraging them to use the non-admin account as much as possible to reduce their attack surface, AND EXPLAINING TO THEM that their machine is less likely to "break" due to malware or accidental misconfiguration while they are using that account.
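A defender-side check in the same spirit, added here as an example and not part of the original post: it audits who actually holds local admin rights on a workstation and whether the firewall profiles are still enabled. It assumes a modern Windows machine with PowerShell 5.1 or later (the LocalAccounts and NetSecurity modules do not exist on XP or Vista), and `helpdesk-admin` is a placeholder for whatever dedicated admin account the business uses.

```powershell
# Added audit script (not from the original post). Assumes PowerShell 5.1+
# on a modern Windows workstation; 'helpdesk-admin' is a placeholder name.

function Test-RunningAsAdmin {
    # True when the current session is running with an administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAudit {
    param(
        # Accounts that are allowed to hold admin rights on this machine.
        # Constructed sample: the built-in Administrator plus a hypothetical
        # dedicated admin account (the "second account" approach above).
        [string[]]$ExpectedAdmins = @(
            "$env:COMPUTERNAME\Administrator",
            "$env:COMPUTERNAME\helpdesk-admin"
        )
    )
    # Every member of the local Administrators group, flagged if it is not
    # on the expected list (e.g. a day-to-day user account that got added).
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member     = $_.Name
            Source     = $_.PrincipalSource   # Local, ActiveDirectory, ...
            Unexpected = ($ExpectedAdmins -notcontains $_.Name)
        }
    }
}

function Get-DisabledFirewallProfiles {
    # A disabled profile is exactly the kind of accidental misconfiguration
    # a local admin can introduce; report any profile that is not enabled.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
        Select-Object Name, Enabled
}

# --- run the audit ---------------------------------------------------
"Current session is elevated: $(Test-RunningAsAdmin)"
"Unexpected members of local Administrators:"
Get-LocalAdminAudit | Where-Object Unexpected | Format-Table -AutoSize
"Firewall profiles that are NOT enabled:"
Get-DisabledFirewallProfiles | Format-Table -AutoSize
```

Run it from a standard (non-admin) account first: `Get-LocalGroupMember` works without elevation, so a clean result there is itself confirmation that the day-to-day account is not an administrator.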