RE: Removing Local Admin Rights...

From: Daszczyszak, Roman L. SPC (1AD 501 MI BN ACE IMO) (roman.daszczyszak_at_1ADTACM.1AD.ARMY.MIL)
Date: 05/28/04

    To: "'security-basics@lists.securityfocus.com'" <security-basics@lists.securityfocus.com>, "'jlopez_si86@hotmail.com'" <jlopez_si86@hotmail.com>
    Date: Fri, 28 May 2004 09:42:16 +0400
    
    

    If you're referring to removing a user from the local Administrators group,
    by all means go for it. Check out the software suite they're using (or are
    supposed to be using) and make sure each program will run in a regular user
    account. Most will unless badly written or requiring some special support.

    When I took over my current sysadmin job, the first thing I did was to clean
    up after the prior admin who allowed everyone to have admin rights on their
    machines. There were some growing pains, but for the most part it works.
    For those special cases where the user believes they need admin rights, I
    have them submit the request in writing... then I check to see if their
    request is valid. Only then will I authorize local admin rights.

    > -----Original Message-----
    > From: Jay Lopez [mailto:jlopez_si86@hotmail.com]
    > Sent: Tuesday, May 25, 2004 9:48 AM
    > To: security-basics@lists.securityfocus.com
    > Subject: Removing Local Admin Rights...
    >
    > I currently work for an organization with approximately 25,000 Windows
    > XP/2000 desktops in an Active Directory (AD) environment. Security from an
    > OS and individual application component (i.e., Outlook 2003, MS Office, IE,
    > etc.) perspective is being managed via group policy objects (GPO's).
    >
    > Currently, we are pushing to remove local administrator access rights to
    > individual machines to prevent users from randomly installing unapproved
    > applications, prevent malware from being silently installed within the local
    > administrator context, etc. Prior to our move to AD and GPO's, we received
    > push-back on removing local admin rights for reasons such as the logon
    > scripts would not work, etc.
    >
    > By chance, have any of you implemented any of the above--especially the
    > removal of local administrator rights? If so, what support issues did you
    > experience? What impact did removing local admin rights have?
    >
    > I'd like to provide as many pros and cons back to our team based on your
    > feedback.
    >
    > Thanks in advance,
    >
    > Jay Lopez


