3 years experience started my new role and need some advice
My first comment is "tread carefully". In my experience, if you are working in an environment where everyone has access to everything you can run into a lot of resistance if you start removing access.
I have come into similar environments and my biggest takeaway is that getting upper level buy-in is critical. What you absolutely don't want is to remove something and then get immediately overruled from on high. That will set the tone that if you get the attention of the right person, the change can be undone. It sets up a situation where every change you make is fought tooth and nail.
Honestly, I would say it doesn't really matter what change you start with. Doesn't matter if you pick a "most critical security issue" or "tiny trivial security issue, but easy to remediate"... at the end of the day what you have is a culture issue, not a technical one. You are working at a business where security principles are not "part of what we do". That is a war you win one battle at a time; more importantly, it is a war you CANNOT win by yourself.
Get buy-in from the highest levels on something specific that they believe "this is absolutely something we need to change". Research and plan it carefully so that you make SURE no one can kick back with "I can't do my job because...". At the end of the day, you need the people who are resistant to change to break their teeth on upper management and get "no, this needs to happen"...
If you do that repeatedly at the start, the complainers will use up all of their credit after the first 2-3 changes... then you can establish a culture of security and sound practices.
As for specifics... it sounds to me as if you are walking into the wild west. I wouldn't worry about identifying every possible issue that needs correcting. You already have a list long enough to last you a long time with cultural resistance. I would start on getting a feel for what sort of changes you can make that give you "bang for your buck". Either things that help "you" do your job more easily (like standardized imaging or implementing management tools, a centralized AV console) or changes where a single small change affects the security of your whole business (like a change to internet access or the firewall for the business). Don't get caught up in the minutiae up front, with system-by-system changes...
This question could be as little or as big of an issue depending on what assumptions we make on your/your business's behalf.
My question would be, have you had enough time to understand the business and environment?
- Admin rights on machines - might be the best way to go in your business. Does the business have existing methods of limiting risk to only the local machine whilst protecting servers and the network, and is that the acceptable level for them?
- An SOP and standard image might not be the answer. I know many places where very few machines/roles are actually alike, and it's necessary to basically manage a large number individually, or not even bother with images.
- How IT literate are your staff? Do they rely more on policy and training rather than software or physical restrictions on their PC?
- What about your ISP? Perhaps firewalling and some sort of security happens externally? Perhaps trial a web content gateway or UTM firewall, if online threats are a big issue?
You're on ITNinja, so I suppose you have at least some management and reporting capability; there must be some other tools/WSUS/AV consoles etc. that can tell you more?
If you have an idea of what tools are at your disposal and understand the business and its users, then surely the priority of issues to address will become a lot clearer to you.