RE: How to block users from installing other apps

From: Mike Lyman (mlyman_at_west-point.org)
Date: 07/04/03

  • Next message: Charles Benton: "RE: SP4 Installation Failure" 
    To: <focus-ms@securityfocus.com>
Date: Fri, 4 Jul 2003 09:13:13 -0700

    > Users should NEVER be given admin rights, nor should they be
    > allowed to install software on their workstations for these
    > and any number of other reasons

    Never say never on this subject. Security for security's sake by
    itself does not facilitate business processes. It needs to take into
    account the needs of the business. There are legit business reasons to
    allow users to be admins on their own computers. The important thing
    to do is look at the risks and if the business needs outweigh the
    risk, then by all means, accept the risk. If the business needs
    dictate doing it but the risks are greater than you want to accept,
    find ways to reduce the risks to an acceptable level.

    We operate quite successfully with every end user being an admin on
    their own systems and with them even being able to build their own
    systems. (And we have a 300,000+ system network that literally spans
    the globe.) There are problems but because of business requirements,
    those problems are less than the problems not being local admins would
    cause us. (Not the least of which is the helpdesk hit to install
    applications on that many systems.)

    Now I'd much rather have the users operating as non-local admins most
    of the time and only becoming admin when they need to but that is
    still somewhat difficult on Windows even if you stick with only newer
    applications.

    Mike Lyman
    mlyman@west-point.org

    -----------------------------------------------------------------------------
    ------------------------------------------------------------------------------

  • Next message: Charles Benton: "RE: SP4 Installation Failure"

    Relevant Pages

    • Re: Amelias Laminitis again
      ... I'd not be inclined to take advice over the internet from ... >> My email is my business and certainly not yours, if you new anything you can ... > personal email addresses, ... used by more than one person (particularly 'admin' is often used by ISPs ...
      (uk.rec.equestrian)
    • Re: IE Error Message
      ... My reply is at the bottom of your sent message: ... This is a business PC ... according to the error and Google's findings your admin has installed ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Re: win 98
      ... ;) I used to be an NT admin before starting my own ... business, and I poked fun at the C2 certification even then, as did a ...
      (comp.security.firewalls)
    • Re: legal Question on scans
      ... > I did this during an attack on my web server and sent the admin the log file ... > security expert things that I was not legal in scanning his system. ... owned cracked sysetem, told them about their open ports, went to jail. ... Seems business thinks it's bad for their reputation if it gets known ...
      (comp.os.linux.security)
    • RE: Getting "Issues" and "Risks" to show on Home Page
      ... the admin area where you assign your user's permissions. ... > Since I am the admin for Project Server, I can try your suggestion of ... > for issues and risks. ...
      (microsoft.public.project.pro_and_server)