IAM best practices for employees with varying degrees of access to the same computer

Protecting access to a single PC with multiple users can be a daunting task, but there are some security best practices to consider.

In our organization, several users often have to share access to applications and resources on a single PC. However, we need to make sure passwords and files remain secure. What's the best way to implement access management among employees who need varying degrees of access to the same computer? Is it best to have a fingerprint scanner? Does another technology make more sense?

The answer to protecting access to a single PC with multiple users is a combination of both policy and technical controls. On the policy side, make sure each user having access to this particular PC -- and any other workstation or server -- has a unique user ID and password. This should be stated clearly in the corporate IT security policy.

The idea behind unique user IDs is to be able to keep track of not only user logins, but also all user activity on the PC. If there is an incident, or other security breach, access can be traced to an individual. Shared user IDs, even if only for a small group, make this impossible.

Both Windows and Unix, including Linux, allow multiple user accounts on a single local machine. Each user has an account, whose access and activity should always be logged. This, again, is for tracking who might have accessed the machine in the case of malicious access.

As for technical controls, such as fingerprint scanners or smart cards, this should be driven by the risk level of the data being accessed and an organization's specific business needs and requirements. Business risk should drive enterprise security controls, not the other way around.

Do a thorough risk analysis of the data being accessed on the PC. Is it sensitive customer information or proprietary company data? Or is it demographics for marketing purposes that can't be tied back to individual customers? The first is of higher risk and should be protected with stronger controls; the second is lower risk and doesn't require such tight controls.

It also seems like this PC isn't connected to the network, meaning it can't really be controlled through any domain-level controls, such as those in Active Directory or LDAP. With that in mind, you'll have to rely on local controls on the PC itself and base access on the risk level of the files and data it holds.

Also, make sure that no one on the workstation has administrative access. Otherwise, each of the multiple users could have access to each other's files, defeating the purpose of having separate accounts on the PC.
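The answer's technical controls for a stand-alone PC come down to three checks on the local accounts: one unique ID per person (no generic logins, no two accounts sharing a UID, so activity can be traced to an individual), no ordinary user in an administrative group, and home directories that only their owner can read. The script below is an added example, not code from the original answer, that audits those three points on Linux-style account data. It parses `/etc/passwd`- and `/etc/group`-format text plus a map of home-directory modes, and the sample data it runs on is constructed for illustration; the generic account names and the `UID_MIN` threshold are assumptions you would tune to your own naming conventions.

```python
"""Local-account hygiene audit for a stand-alone, shared PC (added example).

Checks:
  1. no generic/shared login names and no two accounts sharing a UID,
  2. no human user is a member of an administrative group,
  3. each home directory is private to its owner (no group/other permission bits).
"""
import os
import stat
from dataclasses import dataclass

ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
# Assumed list of names that signal a shared login rather than a person.
GENERIC_NAMES = {"shared", "office", "user", "guest", "frontdesk"}
UID_MIN = 1000  # conventional first UID for human accounts on Linux (assumption)


@dataclass
class Finding:
    user: str
    issue: str


def parse_passwd(text):
    """Return {name: (uid, gid, home)} for human accounts in passwd-format text."""
    users = {}
    for line in text.strip().splitlines():
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if int(uid) >= UID_MIN and name != "nobody":
            users[name] = (int(uid), int(gid), home)
    return users


def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.strip().splitlines():
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def home_modes_from_disk(users):
    """Collect real permission bits for each user's home directory (not used by the test)."""
    return {home: stat.S_IMODE(os.stat(home).st_mode)
            for _uid, _gid, home in users.values() if os.path.isdir(home)}


def audit(passwd_text, group_text, home_modes):
    """Return a list of Finding objects, in account order, for everything that violates the policy."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for name, (uid, _gid, home) in users.items():
        if name in GENERIC_NAMES:
            findings.append(Finding(name, "generic/shared account name; assign one ID per person"))
        twins = sorted(n for n, (u, _g, _h) in users.items() if u == uid and n != name)
        for twin in twins:
            findings.append(Finding(name, f"shares UID {uid} with '{twin}'; activity cannot be attributed"))
        for group, members in groups.items():
            if group in ADMIN_GROUPS and name in members:
                findings.append(Finding(name, f"member of administrative group '{group}'"))
        mode = home_modes.get(home)
        if mode is None:
            findings.append(Finding(name, f"home directory {home} missing"))
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(Finding(name, f"home {home} readable by others (mode {oct(mode)})"))
    return findings


# Constructed sample data: alice is clean, bob is a sudoer with a world-readable home,
# carol shares bob's UID, and "shared" is a generic login.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1001:Carol:/home/carol:/bin/bash
shared:x:1002:1002:Shared login:/home/shared:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:bob
alice:x:1000:
bob:x:1001:
shared:x:1002:
"""
SAMPLE_HOME_MODES = {"/home/alice": 0o700, "/home/bob": 0o755,
                     "/home/carol": 0o700, "/home/shared": 0o700}

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_HOME_MODES):
        print(f"{f.user}: {f.issue}")
```

To run it against a real machine, feed it the contents of `/etc/passwd` and `/etc/group` and the output of `home_modes_from_disk()`. On a stand-alone Windows PC the equivalent checks are membership of the local Administrators group (`net localgroup Administrators`) and the NTFS permissions on each profile folder under `C:\Users`.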
