Pub. 8 2017 Issue 4

West Virginia Banker, www.wvbankers.org

Those who have been through an audit or regulatory examination have been asked if users have local administrator rights enabled. Have you ever wondered what local administrator rights mean for the user and the bank, the risks that are involved, and the steps to mitigate risk if local administrator rights are required?

What do local administrator rights provide to a user on a personal computer? Local administrator privileges provide users with the ability to do almost anything they want to their computer. They can download any application, use any program, and even ignore or undo policies set by the bank's information technology administrators or management. The elevated privileges that come with local administrator rights present additional risks and can expose a bank to a large number of vulnerabilities. A large number of vulnerabilities could be mitigated by removing administrator rights from all users in a bank.

Having local administrative rights enabled on bank computers can have a significant impact on the bank. Some of the risks include:

• Malicious software is easier to run or install, infecting the local computer and from there possibly spreading throughout the entire network. If a user has local administrative rights enabled, malware can access more areas, including but not limited to disabling firewalls, BitLocker, and antivirus solutions.
• If local administrative rights are implemented incorrectly (i.e., not based on management's intentions), attackers or intruders using malware could gain access to computers on the network, exposing sensitive bank data and nonpublic customer information to unauthorized access.
• Keeping track of the software installed on the network may not be as easy to achieve if users can download software from the internet.

Software licensing and compliance are beyond the scope of this article, but end users installing software presents risks on multiple fronts, including license violations resulting in fines, an increased risk of systems that are not updated with patches on a regular basis, inefficient use of resources, and many other potential issues.

Following best practices by restricting which accounts have local administrator privileges is an excellent way to mitigate the risks. You may find that some users require local administrative rights to perform software updates. In this instance, document which users need elevated privileges and why. If local administrative rights are required by all users on all workstations because of the core processing solution being used (or other solutions), the bank should consider doing the following:

• Obtain supporting documentation from the vendor of the core processing solution (or other solutions) at least annually explaining why local administrative privileges are required for the solution to function or to receive updates.
• Document within the bank's written policy the requirement for local administrative rights by the applicable solutions and refer to the documentation obtained from the vendor.
• Include the risk of local administrative rights being enabled on bank computers within the bank's risk assessment.
• Request that the vendor make changes so that administrative access is not required for their solution.
• Consider disabling or restricting internet downloads on the computers to reduce the risk that a computer is compromised through a potential vulnerability.
• If users need to be allowed to download applications from the internet, ensure users are educated regarding downloads and their potential impact. In addition, the bank should have a process in place to approve applications before they are downloaded from the internet.

The key is to understand what users are able to do on each computer with the local administrative rights.
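One practical way to get that understanding on a Windows workstation is to compare the actual membership of the local Administrators group against the membership the bank has documented, and to report every account or group that is not on that list. The following PowerShell script is an added example written for this editing pass; it is not from the article or its author. It assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Windows Server 2016 and later, and the allow-list entries (CONTOSO\Domain Admins, CONTOSO\Workstation Support) are placeholders to be replaced with the accounts recorded in the bank's written policy.

```powershell
# Added example, not from the article. Lists the members of the local
# Administrators group and flags any member that is not on the bank's
# documented allow-list. Requires Microsoft.PowerShell.LocalAccounts
# (Windows 10 / Windows Server 2016 and later).
# The allow-list entries below are placeholders (assumed names).

$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',        # placeholder: domain admin group
    'CONTOSO\Workstation Support'   # placeholder: IT support group named in policy
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]] $Approved  = $ApprovedAdmins,
        [string]   $GroupName = 'Administrators'
    )

    try {
        # -ErrorAction Stop turns a failed lookup (for example a member whose
        # SID can no longer be resolved) into an error we can report instead
        # of silently producing an incomplete list.
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not enumerate '$GroupName' on $($env:COMPUTERNAME): $_"
        return
    }

    foreach ($m in $members) {
        # The machine's own built-in Administrator account (RID 500) is always
        # a member and is matched by SID so that renaming it does not hide it.
        # Whether that account is disabled is a separate control.
        if ($m.PrincipalSource -eq 'Local' -and $m.SID.Value -like 'S-1-5-21-*-500') {
            continue
        }

        # -notcontains is case-insensitive, so 'contoso\jsmith' still matches.
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass      # User or Group
                Source   = $m.PrincipalSource  # Local or ActiveDirectory
                Finding  = 'Not on documented allow-list'
            }
        }
    }
}

# Run on the workstation being reviewed. An empty result means the group
# matches the documented list; every row is an exception to record and explain.
Get-UnapprovedLocalAdmins | Format-Table -AutoSize
```

Each exception the script reports is an account that can do everything the article describes on that machine, so it belongs either in the documented list (with the reason it is there) or in the group no longer. The function returns objects rather than text so the results can be exported to CSV for the risk assessment file, and it can be wrapped in Invoke-Command, with the allow-list passed as an argument, to review a list of workstations from one console; the Computer field then identifies where each finding came from.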
Gain an understanding of whether, and why, your bank needs local administrative rights enabled for end users. If vendors or anyone else claims local administrator privileges are required, challenge it with the goal of understanding whether elevated privileges are really required and why. A better understanding of local administrative privileges will help reduce overall bank risk.

Local Administrator Rights
By Trista Cline, Arnett Carbis Toothman, LLP

Trista Cline is a Supervisor at Arnett Carbis Toothman LLP, Certified Public Accountants, in the Charleston, West Virginia office. Ms. Cline has over nine years of experience in information technology audit and security services in the financial institutions industry. In addition, Ms. Cline has extensive experience in database analysis and the use of database analysis tools. Ms. Cline can be contacted at 800-642-3601 or through email: trista.cline@actcpas.com.
