Re: Opinions needed on Windows Administrative Rights

From: Michael Pelletier (mjpelletier_at_mjpelletier.com)
Date: 05/18/05 

Date: Wed, 18 May 2005 10:10:40 -0700

Leythos wrote:

> In article <1116424563.284367.36480@f14g2000cwb.googlegroups.com>,
> syrjalab@gsilumonics.com says...
>> Greetings,
>>
>> I have a long running dispute with a consultant in my workplace over
>> administrative rights. I have googled the topic and sampled opinions,
>> but most are of the general "don't give users those rights" or "Windows
>> doesn't run too well if you don't give those rights" variety.
>>
>> I am of the opinion that only giving users "power user" rights
>> generates far more support calls than its worth and doesn't really
>> prevent viruses or malware from running. Every time I ask I get no
>> specific examples, and those machines that are locked down don't seem
>> to be any cleaner.
>>
>> Can anyone give more specific examples of why it is bad for users to
>> run as an administrator? I'm really trying to see that side of it,
>> but no one ever gives good examples... all I get is a shrieking "YOU
>> CAN'T GIVE USERS ANY RIGHTS! THEY'RE DUMB AND WILL SCREW UP THEIR
>> COMPUTERS!"
>
> You are not going to like my answer, but here it is:
>
> We have several clients that utilize outsourced (US) support only, they
> have no full time IT staff. Those clients have as many as 15 offices in
> several states, all connected to each other over dedicated VPN's with
> their own domain/servers in half of the offices. All workstations are
> setup with DOMAIN USERS in the "workstations" local administrators
> group. Now, all workstations are running Symantec Corporate Edition 9
> Groupware, all are behind a firewall that blocks select attachments in
> email, blocks active-x, blocks websites of a questionable nature. In
> more than 3 years we've not had one single machine compromised, not one
> issue with a user trashing a workstation. We've had a couple user
> install personal software, but it was detected and removed. Most of the
> users are non-technical, and it's working fine. Oh, we have over 387
> systems running like this with those clients.
>
> In the case of a development team, they must have local administrator
> rights or they won't be able to do their work efficiently.
>
> The only users I see screwing up their computers are ones on unprotected
> networks where web access is unfiltered, email is not stripped of
> malicious attachment, and where people are at home.
>
>
>

Sorry I but I disagree with your statements. Security best practices dictate
giving the minimum privileges necessary to complete the task. I have never
cam across an application that could not be made to run with "normal"
privileges by:

1) Find the resource is needs and prpvide the access using groups. Most of
the time, the application just needs access to a directory (for creating a
file, etc) and is trivially fixed using group access.

2) or using "run as"

Issuing local admin privs is dangerous because:

1) It limits your control on what software runs on the pcs. A lot of people
will simply grab a cd and install software even when they do not have
licenses for it (ever get audited? not very fun and it will be costly). We
also do not allow things like MSN messager, Yahoo, etc. If people had local
admin, they can easily bypass this...and how many security holes have been
in MSN messenger and yahoo? Many.

2) A lot of new viruses first go after anti-viruses by stopping the process
and installing itself. This can only be achieved if the user has admin
privs. If the user does not, the virus can not infect the pc. Remember
system admin 101, when you click on an executable and you are a local
admin, so is the executable...these types of viruses (that disable
anti-viruses first) are very, very dangerous when you have admin privs. In
short, with these types of viruses and local admin, make your anti-virus
worthless.

3) There has been a new wave of root toolkits for windows that are just
starting to come out. These types of viruses try to replace system binaries
(and parts of the kernel) with trojan like code. These will be the worst of
the viruses as you will not know (nor will the anti-virus) that you are
infected. As I said before, this is because they replace parts of the
kernel. Where do you think your anti-virus app gets it's info from? It gets
it from issuing calls to the kernel space. And if the kernel space has been
replaced with trojan like code? These types of viruses depend on the user
having local admin privs to install themseleves...

4) Many people do not know what they are doing, why give them the keys to
screw things up?

Sorry, I think this idea of "local admin of everyone" is the worst of the
worst of ideas...especially when you have things like "run as" to not need
it...

Michael 

-- 
"Trusted Computing" is a SCAM
http://www.gnu.org/philosophy/can-you-trust.html
Protect your rights
http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Relevant Pages