RE: Removing Local Admin Rights...

• Previous message: Kenzo: "need graph of connection type"
• Maybe in reply to: Jay Lopez: "Removing Local Admin Rights..."
• Next in thread: Barrie Dempster: "Re: Removing Local Admin Rights..."
• Reply: Barrie Dempster: "Re: Removing Local Admin Rights..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 25 May 2004 15:42:20 -0400
To: "Jay Lopez" <jlopez_si86@hotmail.com>, <security-basics@lists.securityfocus.com>

Jay,
First thing I would do would be to check to see if there is any non-M$
programs installed that are needed in the organization. IF there are,
thoroughly test those programs under both O/S before removing local admin
rights.
Some software will run only under local admin user accounts. I have tried
here and found that in certain programs there is no work around other than
local admin to allow users to run the software. Even setting them as power
users does not work.
Regards,
Ken

-----Original Message-----
From: Jay Lopez [mailto:jlopez_si86@hotmail.com]
Sent: Tuesday, May 25, 2004 9:48 AM
To: security-basics@lists.securityfocus.com
Subject: Removing Local Admin Rights...

I currently work for an organization with approximately 25,000 Windows
XP/2000 desktops in an Active Directory (AD) environment. Security from an
OS and individual application component (i.e., Outlook 2003, MS Office, IE,
etc.) perspective is being managed via group policy objects (GPO's).

Currently, we are pushing to remove local administrator access rights to
individual machines to prevent users from randomly installing unapproved
applications, prevent malware from being silently installed within the local
administrator context, etc. Prior to our move to AD and GPO's, we received
push-back on removing local admin rights for reasons such as the logon
scripts would not work, etc.

By chance, have any of you implemented any of the above--especially the
removal of local administrator rights? If so, what support issues did you
experience? What impact did removing local admin rights have?

I'd like to provide as many pros and cons back to our team based on your
feedback.

Thanks in advance,

Jay Lopez

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills

of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: Kenzo: "need graph of connection type"
• Maybe in reply to: Jay Lopez: "Removing Local Admin Rights..."
• Next in thread: Barrie Dempster: "Re: Removing Local Admin Rights..."
• Reply: Barrie Dempster: "Re: Removing Local Admin Rights..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: How to block users from installing other apps ... How to block users from installing other apps ... and add their domain account to the local admin group. ... (Focus-Microsoft) RE: Removing Local Admin Rights... ... rights, install, configure and take away admin rights. ... Subject: Removing Local Admin Rights... ... > our expert instructors. ... > Attend a course taught by an expert instructor with years of ... (Security-Basics) Re: Clip Art Error 0x8007000E Not enough memory ... I added them to the local admin group. ... > downloading these two files and installing them onto ... > I am able to insert Clip Art when I login to the TS ... (microsoft.public.windows.server.sbs) Re: Should users be local admins? ... If your environment is one where you maintain a corporate desktop, ... > virtually universal practice to give engineers local admin rights. ... > developers, and they shouldn't be developing on their 'work' PCs. ... (microsoft.public.windows.server.security) RE: How to find the users with local admin rights? ... How to find the users with local admin rights? ... Cenzic Hailstorm finds vulnerabilities fast. ... Click the link to buy it, try it or download Hailstorm for FREE. ... (Pen-Test)