Re: Impact of removing administrative rights in an enterprise running XP

Why? The user probably had to be an administrator to get the virus in the
first place. And the patch doesn't require "the user to have admin rights."
You just apply the patch as an admin, or do a simple RunAs. That "bit you

None of my users are admins. It's been quite easy for us to implement
"least privilege" though there always are a few apps out there that you have
to do RunAs or something like that for. But if you are in an environment
like the previous poster where he has 2000 users using "FileMon, RegMon, and
SetACL as staples" then that is a different story- if you have users who, as
part of their job, perform administrative tasks, then they need to be
administrators, or you need to have a planned access policy for those

I feel that on a daily basis I must perform as much administrator-type work
as the next guy, yet I never run in the context of administrator (or equiv)
on any of my machines except when I must perform my duties - on my
Windows-based machines or on my Macs. The Macs don't even have root enabled
at all...

Regardless, to speak more to the OP, yes, your support model will most
likely have to change drastically if you are in an environment where
everyone was a local admin and were used to being able to do anything.
People have said that the worst part is that users won't be able to install
their own software. I think that is the best part - they shouldn't be able
to (if you don't want them to.) That's why so many companies are knee-deep
in futzware. To do it right, you'll need to:

-Inventory Corp software needs and analyze authentication requirements.
-Plan out remote/help desk functions.
-Get a software distribution model in place and solve that (either in house
or commercially)
-And most importantly, have a corporate policy in place that backs you up
when some whiny little punk-user bitches and moans to the bosses about how
they can't do all the nifty little things they used to be able to do.
Without that, everyone will probably end up being "special exception" users
and you'll be right back where you started. And it will end up still being
YOUR fault! ;)))


On 7/27/06 2:44 PM, "Robert D. Holtz" <robert.d.holtz@xxxxxxxxx> spoketh to

I was involved in ~1,500 users and it also was an amazing exercise in
futility. The previous paragraph was on the money.

It really bit us hard when we had a virus infestation and the patch from
Microsoft needed the user to have admin rights in order to fix the problem.

-----Original Message-----
From: McLaurin, Timothy [mailto:tMcLaurin@xxxxxxxxxxx]
Sent: Thursday, July 27, 2006 3:50 PM
To: Jon R. Kibler; focus-ms@xxxxxxxxxxxxxxxxx
Cc: Drew Simonis
Subject: RE: Impact of removing administrative rights in an enterprise
running XP

I've done it for about 2,000 users and it was brutal. The technical
aspects of it was bad but even worse were the political. People can't
get used to the idea of not being able to do what they want when they
want. Especially the executive types. And we still gave them admin
accounts, they just had to use Run As... Support isn't all that easy
too because we had no idea who had what, and what was essential for
their job function. There are all kinds of stupid applications that
call for admin rights and once they are taken away it doesn't work
anymore. Filemon, Regmon, and SetACL were a staple during that time

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler@xxxxxxxx]
Sent: Thursday, July 27, 2006 11:09 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: Drew Simonis
Subject: Re: Impact of removing administrative rights in an enterprise
running XP

Drew Simonis wrote:
Hello all,
I wonder if anyone on the list who might work for a good sized
enterprise (10,000+ seats) has gone through the excercise of removing
administrative rights from the user community?

Aside from the effort to inventory all applications and ensure that
they work with restricted permissions, I forsee that such an effort
would likely require changes to the entire support model. Instead of
relying on users to install their own software, it would need to be done
for them. New hardware would require intevention, etc.

If someone has completed this, was support a major new burden, or was
it not as difficult as it might be? If it was, how much of a burden was
it (+ desktop support headcount? +helpdesk calls?)?



Have not done it in as large of an organization as you indicate, but
have TRIED to do it in smaller organizations -- and ran into MANY brick
walls. It is still a work-in-progress! Things are better, but we're not
there yet by any stretch at any organization that I am working with.

The primary issue is that A LOT of applications assume/require
administrative privilege to work. In reality, you can probably get
many/most to run with less than admin priv, but figuring out what is the
minimum required is not an easy task. And don't expect the application
vendor to be any help either!

Trying to remove local admin priv is a trial-and-error process. A lot of
apps will work most of the time, then one seldom-used feature breaks it.

You would be surprised the apps that require privilege to run... many
big name ones, such as the Intuit product line. There was a discussion
on DShield a few months back on this topic, and several people named
names of applications with privilege problems (but nothing close to
scratching the surface!).

Good luck.

Oh, BTW, as you try this task, publishing a list of the required minimum
privilege for each application would be a great help to everyone. I
wanted to do that, but my clients all objected.



Relevant Pages

  • Re: Alternative to Windows Explorer
    ... One drawback if you use that "runas" approach then you really won't know ... Administrator versus their using their actual account. ... admin, a variation of their normal account. ... > pen testing experience in our state of the art hacking lab. ...
  • Re: firewall on budget ?
    ... 1)Work in Admin mode, and through 'run as', browse ... If working in admin mode and doing runas to browse in a guest account. ... Installing a program, getting an error, then doing the run as, can be ... running as administrator all the time. ...
  • Re: Is non-admin logon worth it?
    ... on as "Administrator" just as some user that is an admin. ... virus, can do pretty much anything with no need to give permission. ... Inexperienced users with full rights to the machine *(even through a UAC ...
  • Re: Keep admins off of client machines
    ... The 'Domain Administrator' account is ... > administration person from the domain admin account is complex and fraught ... > change the Domain Administrator password. ... > it takes a thorough understanding of such priveleges to do so. ...
  • Re: updates ready to install
    ... how to 'log in to the admin account'??? ... When I reboot I still see my defaults, me / set as administrator, and guest. ... MS offers no-charge support for getting this Security update installed: ...