Re: Impact of removing administrative rights in an enterprise running XP



You are splitting hairs.... the network admin is "Admin" of the network... with the necessary rights to control the network.

Users are "users" of the network.. they should only have/need the appropriate rights for their role in the firm.

This is more politics and change in behavior than it is a technical problem. "Admins" have the tools (typically) under their noses to do this, Management has to sign off......


Starks, Brad wrote:

While it is true that you can push out patches and software via group
policy, it's really not a valid argument because GP does not provide any
reporting mechanisms for software/patch installations whatsoever.
Without the ability to report on which workstations had successful
installations, which didn't, what circumstances caused the failures,
etc. ANY tool that pushes out software and/or patches is worthless,
especially in a large-scale environment.

That being said, there are plenty of other tools that do include varying
levels of reporting in addition to myriad other features that will
accomplish such installations like WSUS (as you pointed out), Marimba,
etc., etc.

And while it is splitting hairs, your statement "You can easily install
patches without admin rights... the key here is 'management' of a
network"
isn't necessarily accurate either. Quite often, the admin rights are
still needed in order to perform the installation. But, instead of the
user having them, WSUS, Group Policy, Shavlik, etc. have and use them
instead.



-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@xxxxxxxxxxx] Sent: Friday, July 28, 2006 10:44 AM
To: Dick Venema
Cc: focus-ms@xxxxxxxxxxxxxxxxx; robert.d.holtz@xxxxxxxxx
Subject: Re: Impact of removing administrative rights in an enterprise
running XP

You can easily install patches without admin rights... the key here is 'management' of a network.

WSUS can push out patches and the workstations do not need admin rights.

Installing of software needs rights.. but there are ways to group policy

deploy software and do this.

The reality is that line of business apps blew off Microsoft on non admin.. they didn't need to follow the XP logo (that requires the supportability of non admin) because WE the marketplace didn't care. The code design for many of these applications have not changed since
Win9x.

Yes, there are success stories, but it's totally dependent on a managed network.

IT admins have to relearn how to do tasks... learn group policy...learn scripting... learn how deploy software across a network.... That's the key... we have to learn how to do our jobs in a managed network.

Dick Venema wrote:



Is it not supposed to be an protection measure against any virus and


spyware.


We are supporting networks with around 10 users.
If I understand it well enough, it is impossible to manage pc's without


direct admin rights.


The most isseus are with installing applications. I tought that Microsoft and with them many other people almost ordered


everybody to get rid of those admin rights.


But from the reactions I hear, everybody complains. Are there success


stories?


Dick Venema
Venema Advies



-----Oorspronkelijk bericht -----
Van: "Robert D. Holtz" <robert.d.holtz@xxxxxxxxx>
Aan: "'McLaurin, Timothy'" <tMcLaurin@xxxxxxxxxxx>; "'Jon R. Kibler'"


<Jon.Kibler@xxxxxxxx>; "focus-ms@xxxxxxxxxxxxxxxxx"
<focus-ms@xxxxxxxxxxxxxxxxx>


CC: "'Drew Simonis'" <simonis@xxxxxxxxxx>
Verzonden: 28-7-06 15:37
Onderwerp: RE: Impact of removing administrative rights in an


enterprise running XP


I was involved in ~1,500 users and it also was an amazing exercise in
futility. The previous paragraph was on the money.

It really bit us hard when we had a virus infestation and the patch


from


Microsoft needed the user to have admin rights in order to fix the


problem.


-----Original Message-----
From: McLaurin, Timothy [mailto:tMcLaurin@xxxxxxxxxxx] Sent: Thursday, July 27, 2006 3:50 PM
To: Jon R. Kibler; focus-ms@xxxxxxxxxxxxxxxxx
Cc: Drew Simonis
Subject: RE: Impact of removing administrative rights in an enterprise
running XP

I've done it for about 2,000 users and it was brutal. The technical
aspects of it was bad but even worse were the political. People can't
get used to the idea of not being able to do what they want when they
want. Especially the executive types. And we still gave them admin
accounts, they just had to use Run As... Support isn't all that easy
too because we had no idea who had what, and what was essential for
their job function. There are all kinds of stupid applications that
call for admin rights and once they are taken away it doesn't work
anymore. Filemon, Regmon, and SetACL were a staple during that time
period.



-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler@xxxxxxxx] Sent: Thursday, July 27, 2006 11:09 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: Drew Simonis
Subject: Re: Impact of removing administrative rights in an enterprise
running XP

Drew Simonis wrote:




Hello all,
I wonder if anyone on the list who might work for a good sized




enterprise (10,000+ seats) has gone through the excercise of removing
administrative rights from the user community?




Aside from the effort to inventory all applications and ensure that




they work with restricted permissions, I forsee that such an effort
would likely require changes to the entire support model. Instead of
relying on users to install their own software, it would need to be


done


for them. New hardware would require intevention, etc.




If someone has completed this, was support a major new burden, or was




it not as difficult as it might be? If it was, how much of a burden


was


it (+ desktop support headcount? +helpdesk calls?)?




-Ds




Drew,

Have not done it in as large of an organization as you indicate, but
have TRIED to do it in smaller organizations -- and ran into MANY brick
walls. It is still a work-in-progress! Things are better, but we're not
there yet by any stretch at any organization that I am working with.

The primary issue is that A LOT of applications assume/require
administrative privilege to work. In reality, you can probably get
many/most to run with less than admin priv, but figuring out what is


the


minimum required is not an easy task. And don't expect the application
vendor to be any help either!

Trying to remove local admin priv is a trial-and-error process. A lot


of


apps will work most of the time, then one seldom-used feature breaks


it.


You would be surprised the apps that require privilege to run... many
big name ones, such as the Intuit product line. There was a discussion
on DShield a few months back on this topic, and several people named
names of applications with privilege problems (but nothing close to
scratching the surface!).

Good luck.

Oh, BTW, as you try this task, publishing a list of the required


minimum


privilege for each application would be a great help to everyone. I
wanted to do that, but my clients all objected.

Jon








--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs


---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: Granting all users Admin Rights
    ... I am a Network Admin for Cuesta College and we are dealing with the same ... Techs to go to install every little piece of software on users computers. ... I believe that giving users Power Users rights is the best way ...
    (microsoft.public.win2000.security)
  • Re: Printer Problems
    ... he had the user rights to disable ... (default install behavior on xp), and it failed because DeskJet needs it ... If you create another admin on that system, you could see the problem again, ... > I manage a small network at a downtown Denver hotel. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: SImple Active Directory Setup Question
    ... Make sure that all your clients dns properties ALLWAYS use the DNS in your ... Level 1 - all rights, admin, etc. ... DNS entries in Network neighborhood ...
    (microsoft.public.windows.server.active_directory)
  • Re: Should I still buy SBS 2003 Premium w/ ISA in light of XP SP2s ICF2?
    ... Admin rights is a very simple story. ... relying upon the firewall to block accordingly the access to workstations, ... don't have the same level of packet-filtering in your favor that ISA ...
    (microsoft.public.windows.server.sbs)
  • Re: Granting all users Admin Rights
    ... I am responsible for the upkeep and security of 50 ... > Standard users can do everything they need without admin ... >>I am currently the network manager at a small college ... >>rights on their machines. ...
    (microsoft.public.win2000.security)