Re: How to block users from installing other apps

From: Anthony Kim (Anthony.Kim_at_VWCREDIT.COM)
Date: 07/03/03

    Date: Thu, 3 Jul 2003 13:25:05 -0500
    To: Jane Han <janehan22@yahoo.com>
    
    

    On Thu, Jul 03, 2003, Jane Han wrote:

    > Thanks for all help.
    >
    > I downloaded regmon and filemon and am going to find which
    > permissions need to be applied at the reg key and file level.
    >
    > Currently, I met some resistance from help desk manager, which
    > many changes could be done at users' level if we need to change
    > reg and file permission. He challenged me that the only damage
    > can be caused only at local computer, not at domain.
    >
    > If someone can list all damages that are caused by assigning domain
    > users to the local administrators group, I would greatly
    > appreciate it.
    >
    > Thanks in advance,
    >
    > Jane

    Jane,

    Explain the benefit to Help Desk this would mean: you'd have a
    standard system with standard applications. Troubleshooting will
    be easier, more efficient. Ticket resolution times would benefit
    dramatically, making the Help Desk department look real good.

    Explain the risk of damage caused by unauthorized programs.
    Crashes, broken applications, conflicting libraries. Which means
    not only loss of user productivity, but also more work for
    support staff.

    Explain the risk of damage caused by the curious and
    well-intentioned. Tinkering has caused more downtime than all
    the software bugs in the history of mankind.

    Explain the business risk of copyright violations and software
    piracy. Are you ready for a software audit?

    Consider the risks of malicious programs, trojans, keystroke
    loggers, rootkits.

    Consider the privacy risks of spyware.

    Consider the forensic difficulties if users can arbitrarily
    compromise the security logs.

    Consider viruses and the increased threats they pose having
    administrator privileges.

    Consider how much easier it is to exploit local administrator
    accounts to become domain administrators. This doesn't even have
    to be a technical achievement. You could easily convince a
    domain administrator to log in to your machine and run arbitrary
    programs and batch files.

    Bring your security policy with you.

    Have management backing you up each step of the way.

    Basically, there are a million reasons why users should not have
    administrator privileges. There are few if any reasons why they
    should.

    Hope this helps and good luck,

    Anthony
