What to do when your software needs Windows Admin rights: safely using QuickBooks & Lacerte
Overview
Lacerte and QuickBooks require Windows administrator-level user permissions to keep the software updated. This is different from the various user-level accounts within QuickBooks itself. Why does this matter? As we explain in other Aditi Group articles, a key goal of hackers is to get admin rights.
Once a user has Windows admin permissions, he or she can open more doors, access more data and functions, run exploits, change user credentials, and ultimately, get to the goods – sensitive financial info.
Aditi Group uses unique software that allows programs to have Admin rights without requiring users to be Admins. Programs function correctly, while Windows users work without Admin-level rights, in a much more secure mode. Work gets done while potential hackers are blocked from greater access.
QuickBooks is synonymous with personal and business accounting. Nearly every bank and online investment account allows you to export transaction history and account data in QuickBooks file format. Even better, you can connect financial institutions directly to your QuickBooks software to sync data automatically. It’s the most widely used accounting and bookkeeping software for small businesses.
Another product in the Intuit portfolio is the tax preparation software Lacerte. Acquired by Intuit in 1998 for $400 million, it’s not one of the better-known Intuit names, but it has a large base of CPAs and tax preparers. Both programs are part of the ever-growing portfolio of Intuit, the current owner of TurboTax, Credit Karma and Mailchimp.
Administrator Rights
QuickBooks and Lacerte require Windows Admin user account credentials to run updates, which, during tax season, can be frequent. Aditi Group has seen updates daily, and even more than once a day at times. And tax prep offices may be running a slew of different tax years simultaneously, each one requiring a different Lacerte program version.
This means QB and Lacerte users need to be made Windows Admin level to keep the office running with their core software. This violates a basic principle of security: only use the level of access you need right now.
Don’t work in Admin mode all the time. Use non-admin accounts for daily work. Use Admin accounts to make changes, review issues, and access resources for special action. See what Google recommends to administrators:
What Does Google Say to Admins?
Don’t stay logged into Admin or use Admin accounts for everyday work. Google, like most sources, cautions against remaining logged in as an admin, or in the context of Google Workspace (aka Apps), as Super Admin.
Prime Hacker Targets
Financial professionals who deal in analyzing, tracking, managing, and reporting on money are prime targets for hackers, especially Tax Accountants and Tax Preparers. Your valuable info, including your social security number, is the golden key that credit thieves are looking for. Not only can fraudsters potentially create new credit accounts in your name, but they can also potentially file for tax refunds in your name, to be collected by them. In fact, tax return fraud has been such a huge problem in recent years that the IRS flags millions of returns as potentially fraudulent and requires tax user verification. An untold number of fraudulent returns make it through the system.
As we write this, October 15th is fast approaching, and it falls smack in the middle of national Cybersecurity Awareness Month. It’s fitting. Hackers know that it’s “silly season,” as some tax preparers call it. They know that heavily loaded staff working long, late hours can more easily click on a phishing email link instead of a legit message from a client and accidentally let in a potential hacker.
Feeling the Pressure
Tax Seasons Around the Year
As the tax filing dates grow closer, for individuals in April and October and for businesses with their tax filing deadlines, the pressure cooker in many tax prep offices heats up and up. Clients (hey, that’s people like you and me) tend to wait until the deadline, and then some, to get data, and I mean all the records, to the tax prep offices. And then we demand that OUR filings are submitted on time. And hey, where’s my refund?
Monthly Close & Reporting Deadlines
When CPAs and bookkeepers aren’t hustling with tax prep or filing steps, they’re keenly aware of the regular reporting that many business leaders require to pace company progress and manage the tactical and strategic plans through the year. Like tax filing dates, these end-of-month, quarter, and yearly points mean more work and more pressure from clients to get data processed and reports done.
<< IT Managers’ Dream
The fantasy for many a CISO or IT manager is to fully lock down every computer. No one gets admin rights but them. No one else can make changes, install risky software, use weak passwords, move data in insecure ways, or otherwise erode the secure defenses our IT leaders put in place.
>> IT Reality
Keeping offices in forward motion and appeasing staff traditionally means trade-offs. We vote for quick and easy over secure and thorough. The real picture is too often weak or compromised security to allow programs and people to get the job done. Thieves prey on the security trade-offs and compromises we make for convenience. Something to exploit!
Elevation Control Solution
Aditi Group employs a software system that allows us to assign granular rights and privileges to both programs and people. Those rights can be set based on a variety of factors, which gives IT managed service providers like us at Aditi Group the ability to approve Lacerte and QuickBooks for Windows administrative permission while keeping users as non-admins. So users, including hackers, can’t directly get to the admin privileges.
Enjoy the Security & Productivity Rewards
We can have our cake AND eat it too. We can now effectively and securely enable powerful software tools while reducing cybersecurity risks. This is not the end-all, be-all for security, but it significantly reduces the risk of hacking of valuable financial data. And that can be the difference between having a thriving accounting, bookkeeping, or tax preparation business and facing lawsuits and penalties for allowing hackers to get to client data.