I want the account to be able to use one app that requires administrative privileges. I have contacted the support team of the app to find out why it needs these privileges, but I didn’t receive any helpful information.
The app is for viewing surveillance footage, but it requires admin privileges to open. I don’t want to make every employee an administrator just for this one use case. It might be better to switch to a FOSS app that doesn’t require administrative privileges by default.
The cameras we currently use are made by the vendor of the app, so maybe we’re locked in somehow? The NVR is also made by them, so it might be possible, but I don’t know for sure. I need to look into it more.
Honestly, I’ve seen this too many times working in IT. The best option was always to set up a computer with a local administrator account, no access to the secure network, and let the entire department have access to it.
Install the camera software(s) on there and only there. Videos are then exported into a common file type and transferred through USB or DVD.
I’ve worked with police departments that had dozens of different, unique software, each with their own proprietary codec. Every time they requested a recording from a business there would be another unsigned .exe to run. Straight garbage.
The physical security/life/safety/property world has some of the worst security management.
We have an app like that that has a lot of our clients’ PII in it, and in order to keep it safe, we host the app itself on a remote machine, and when people need to use it, they RDC into the machine with a shortcut.
They have local admin permissions on that machine, but the only thing that that device can do is run that application, and the firewall outside of it prevents it from going out to the internet or other places.
Maybe it’s overkill, but doing things like that helps prevent and protect our clients, which is the most important thing for the company I work for other than making money.