Re: Using Admin Privileges while surfing the Internet



Hi Michael,

Does anyone know a published benchmark / standard
that will help me decide (and argue) - is it ok using admin
while surfing the internet.
I've found a handful of arguments for this practice, though I oppose
it. Leave users as users (principle of least privilege). There are
enough bad programs trying to escalate privileges - there's no need to
do their work for them.

Part of the problem is that Webmasters, who love [crap?] like Flash,
VBScript, JavaScript, and other binary junk such as ActiveX, don't
realize/understand/care about security from an organization's
perspective. So an organization will allow a user to become local
admin so that they can cruise the web (i.e., install Flash on the fly,
install an ActiveX control on the fly, etc).

The other 'handful of arguments' include things such as: in the
pre-Vista days, a laptop user needed local admin to change the time
zone during travel.

I believe you will find others recommend against the practice. For
example, in the Federal arena, NIST 800-68 (Guide to Securing
Microsoft Windows XP Systems for IT Professionals) does not recommend
the practice. See, for example, Section 2.3.1.2 or 2.3.1.3.

Jeff

On 5/25/09, Menny.b@xxxxxxxxx <Menny.b@xxxxxxxxx> wrote:
Hello,

I've recently reviewed the network settings of a small-medium business (about 70 workstations running XP Sp3).

I've found that the internal network is connected to the internet through a firewall, and all of the users have (local) administrative privileges on their workstation.

Does anyone know a published benchmark / standard that will help me decide (and argue) - is it ok using admin while surfing the internet.

Thanks,
Michael.
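The finding above ("all of the users have local administrative privileges") is the kind of thing worth verifying host by host rather than taking from a policy document. The script below is an added example, not code from either poster: it walks a list of workstations, reads each one's local Administrators group through the ADSI WinNT provider, and reports every member that is not on an approved list. The workstation names and the approved list (`Administrator`, `Domain Admins`) are assumptions to be replaced with the real environment's values. It needs PowerShell 2.0 on the auditing machine, an account that is a local admin on each target, and RPC/SMB reachable through any internal firewall.

```powershell
# Added example (not part of the original thread): enumerate the local
# Administrators group on each workstation over the ADSI WinNT provider and
# report members that are not on an approved list. Runs from PowerShell 2.0
# against XP SP3 targets provided the calling account is a local admin on
# each target and RPC/SMB is reachable.

function Get-LocalAdminAudit {
    param(
        [string[]] $ComputerName,                                   # hosts to check
        [string[]] $Allowed = @('Administrator', 'Domain Admins')   # assumed approved members
    )

    foreach ($c in $ComputerName) {
        try {
            $group   = [ADSI]"WinNT://$c/Administrators,group"
            $members = @($group.psbase.Invoke('Members'))
        } catch {
            Write-Warning "$c : cannot query local Administrators - $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            # Each member is a COM object; read its Name and ADsPath via reflection.
            $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)

            # Domain principals look like WinNT://CORP/jsmith; local accounts carry
            # the machine name instead, e.g. WinNT://WS-001/helpdesk (heuristic).
            $isLocal = $path -match "^WinNT://$([regex]::Escape($c))/"

            New-Object PSObject -Property @{
                Computer  = $c
                Member    = $name
                ADsPath   = $path
                LocalUser = $isLocal
                Approved  = ($Allowed -contains $name)
            }
        }
    }
}

# Hypothetical workstation names; in practice feed this from a text file or an
# AD query (e.g. Get-Content hosts.txt, or dsquery computer | dsget computer -samid).
$hosts = @('WS-001', 'WS-002', 'WS-003')

Get-LocalAdminAudit -ComputerName $hosts |
    Where-Object { -not $_.Approved } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, LocalUser, ADsPath -AutoSize
```

Two things the output makes visible that a policy review does not: whether the problem is per-user (individual accounts added locally on each box) or structural (a domain group such as Domain Users nested into local Administrators, which shows up once per workstation as a single unapproved member), and which machines could not be queried at all, since those are the ones most likely to be out of step with the rest of the fleet.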




