RE: Removing Local Admin Rights...

From: Craig, Jason (jcraig_at_ucdavis.edu)
Date: 06/01/04

  • Next message: David Gillett: "RE: ISP reconfiguring cable modem?"
    To: 'Faisal Masood' <faisyuet@wol.net.pk>, security-basics@lists.securityfocus.com
    Date: Tue, 1 Jun 2004 08:30:30 -0700 
    
    

    I'm a little concerned over the need to repair so many systems. We have a
    small devl shop with programmers running as local admin and I haven't had to
    touch one of their machines (except for upgrades, etc) in years. We try to
    educate our programmers and users alike as to best practices. Perhaps your
    users are doing things they shouldn't be?

    -jc

    -----Original Message-----
    From: Faisal Masood [mailto:faisyuet@wol.net.pk]
    Sent: Monday, May 31, 2004 1:43 PM
    To: simont@pop.co.za; 'Craig, Jason'
    Cc: security-basics@lists.securityfocus.com
    Subject: RE: Removing Local Admin Rights...
    Importance: High

    I'm working in a development environment. My developers need to register
    application DLLs most often. They also want to do ASP debugging, SQL
    debugging, MTS debugging.

    For these requirements I've to give my users local admin access. But result
    is that we get at least a system every week for repair.

    What is the solution to this issue?

    Regards
    Faisal Masood

    -----Original Message-----
    From: Simon Taplin [mailto:simont@pop.co.za]
    Sent: Saturday, May 29, 2004 8:37 PM
    To: Craig, Jason
    Cc: security-basics@lists.securityfocus.com
    Subject: Re: Removing Local Admin Rights...

    Most of the Adobe products don't run properly unless the User is part of the
    Power User Groups or higher for whatever reason. I remember that InDesign
    1.5 needed to install Japanese fonts if the user was part of the Users
    group.

    Simon

    Craig, Jason wrote:

    > Jay,
    >
    > None of our users have admin rights. Most apps will run fine. We've
    > run into quirks with label printer software, and the usual problems
    > with Adobe apps but we've been able to make things run without any
    > problems. Most things are well documented, and if they're not regmon
    > and filemon are your friends. We've been running this way for 3+
    > years and it has made our lives much easier.
    >
    > -j
    > -----Original Message-----
    > From: KEN MORRIS [mailto:KMORRIS@kpl.org] Sent: Tuesday, May 25, 2004
    > 12:42 PM
    > To: Jay Lopez; security-basics@lists.securityfocus.com
    > Subject: RE: Removing Local Admin Rights...
    >
    > Jay,
    > First thing I would do would be to check to see if there is any non-M$
    > programs installed that are needed in the organization. IF there are,
    > thoroughly test those programs under both O/S before removing local
    > admin rights. Some software will run only under local admin user
    > accounts. I have tried here and found that in certain programs there
    > is no work around other than local admin to allow users to run the
    > software. Even setting them as power users does not work.
    > Regards,
    > Ken
    >
    > -----Original Message-----
    > From: Jay Lopez [mailto:jlopez_si86@hotmail.com]
    > Sent: Tuesday, May 25, 2004 9:48 AM
    > To: security-basics@lists.securityfocus.com
    > Subject: Removing Local Admin Rights...
    >
    > I currently work for an organization with approximately 25,000 Windows
    > XP/2000 desktops in an Active Directory (AD) environment. Security
    > from
    an
    > OS and individual application component (i.e., Outlook 2003, MS
    > Office,
    IE,
    > etc.) perspective is being managed via group policy objects (GPO's).
    >
    > Currently, we are pushing to remove local administrator access rights
    > to individual machines to prevent users from randomly installing
    > unapproved applications, prevent malware from being silently installed
    > within the local administrator context, etc. Prior to our move to AD
    > and GPO's, we
    received
    > push-back on removing local admin rights for reasons such as the logon
    > scripts would not work, etc.
    >
    > By chance, have any of you implemented any of the above--especially
    > the removal of local administrator rights? If so, what support issues
    > did you experience? What impact did removing local admin rights have?
    >
    > I'd like to provide as many pros and cons back to our team based on
    > your feedback.
    >
    > Thanks in advance,
    >
    > Jay Lopez
    >
    > _________________________________________________________________
    > FREE pop-up blocking with the new MSN Toolbar - get it now!
    > http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
    >
    >
    >
    ---------------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    > off any course! All of our class sizes are guaranteed to be 10
    > students or
    less
    > to facilitate one-on-one interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab. Master the skills
    >
    > of an Ethical Hacker to better assess the security of your organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    >
    ----------------------------------------------------------------------------

    >
    >
    >
    >
    >
    >
    ---------------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    > off any course! All of our class sizes are guaranteed to be 10
    > students or
    less
    > to facilitate one-on-one interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab. Master the skills of an Ethical Hacker to better assess the
    > security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    >
    ----------------------------------------------------------------------------

    >
    >
    >
    ---------------------------------------------------------------------------
    > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    > off any course! All of our class sizes are guaranteed to be 10
    > students or less to facilitate one-on-one interaction with one of our
    > expert instructors. Attend a course taught by an expert instructor
    > with years of in-the-field pen testing experience in our state of the
    > art hacking lab. Master the skills of an Ethical Hacker to better
    > assess the security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    >
    ----------------------------------------------------------------------------

    >
    >
    > ---
    > Incoming mail is certified Virus Free.
    > Checked by AVG anti-virus system (http://www.grisoft.com).
    > Version: 6.0.550 / Virus Database: 342 - Release Date: 2003/12/09
    >
    >

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills of an Ethical Hacker to better assess the security of your
    organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


  • Next message: David Gillett: "RE: ISP reconfiguring cable modem?"