Re: Opinions needed on Windows Administrative Rights
From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 05/18/05
- Next message: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Previous message: pseudonym_at_1NET.gr: "Re: private key webmail"
- In reply to: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Next in thread: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Reply: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 May 2005 20:13:49 +0100
Michael Pelletier wrote:
> Leythos wrote:
>
>
>>In article <1116424563.284367.36480@f14g2000cwb.googlegroups.com>,
>>syrjalab@gsilumonics.com says...
>>
>>>Greetings,
>>>
>>>I have a long running dispute with a consultant in my workplace over
>>>administrative rights. I have googled the topic and sampled opinions,
>>>but most are of the general "don't give users those rights" or "Windows
>>>doesn't run too well if you don't give those rights" variety.
>>>
>>>I am of the opinion that only giving users "power user" rights
>>>generates far more support calls than it's worth and doesn't really
>>>prevent viruses or malware from running. Every time I ask I get no
>>>specific examples, and those machines that are locked down don't seem
>>>to be any cleaner.
>>>
>>>Can anyone give more specific examples of why it is bad for users to
>>>run as an administrator? I'm really trying to see that side of it,
>>>but no one ever gives good examples... all I get is a shrieking "YOU
>>>CAN'T GIVE USERS ANY RIGHTS! THEY'RE DUMB AND WILL SCREW UP THEIR
>>>COMPUTERS!"
>>
>>You are not going to like my answer, but here it is:
>>
>>We have several clients that utilize outsourced (US) support only, they
>>have no full time IT staff. Those clients have as many as 15 offices in
>>several states, all connected to each other over dedicated VPN's with
>>their own domain/servers in half of the offices. All workstations are
>>setup with DOMAIN USERS in the "workstations" local administrators
>>group. Now, all workstations are running Symantec Corporate Edition 9
>>Groupware, all are behind a firewall that blocks select attachments in
>>email, blocks active-x, blocks websites of a questionable nature. In
>>more than 3 years we've not had one single machine compromised, not one
>>issue with a user trashing a workstation. We've had a couple of users
>>install personal software, but it was detected and removed. Most of the
>>users are non-technical, and it's working fine. Oh, we have over 387
>>systems running like this with those clients.
>>
>>In the case of a development team, they must have local administrator
>>rights or they won't be able to do their work efficiently.
>>
>>The only users I see screwing up their computers are ones on unprotected
>>networks where web access is unfiltered, email is not stripped of
>>malicious attachments, and where people are at home.
>
> Sorry, but I disagree with your statements. Security best practices dictate
> giving the minimum privileges necessary to complete the task. I have never
> come across an application that could not be made to run with "normal"
> privileges by:
>
> 1) Find the resource it needs and provide the access using groups. Most of
> the time, the application just needs access to a directory (for creating a
> file, etc) and is trivially fixed using group access.
>
> 2) or using "run as"
>
> Issuing local admin privs is dangerous because:
>
> 1) It limits your control on what software runs on the pcs. A lot of people
> will simply grab a cd and install software even when they do not have
> licenses for it (ever get audited? not very fun and it will be costly). We
> also do not allow things like MSN messenger, Yahoo, etc. If people had local
> admin, they can easily bypass this...and how many security holes have been
> in MSN messenger and yahoo? Many.
>
> 2) A lot of new viruses first go after anti-viruses by stopping the process
> and installing itself. This can only be achieved if the user has admin
> privs. If the user does not, the virus can not infect the pc. Remember
> system admin 101, when you click on an executable and you are a local
> admin, so is the executable...these types of viruses (that disable
> anti-viruses first) are very, very dangerous when you have admin privs. In
> short, with these types of viruses and local admin, make your anti-virus
> worthless.
>
> 3) There has been a new wave of root toolkits for windows that are just
> starting to come out. These types of viruses try to replace system binaries
> (and parts of the kernel) with trojan like code. These will be the worst of
> the viruses as you will not know (nor will the anti-virus) that you are
> infected. As I said before, this is because they replace parts of the
> kernel. Where do you think your anti-virus app gets its info from? It gets
> it from issuing calls to the kernel space. And if the kernel space has been
> replaced with trojan like code? These types of viruses depend on the user
> having local admin privs to install themselves...
>
> 4) Many people do not know what they are doing, why give them the keys to
> screw things up?
>
> Sorry, I think this idea of "local admin of everyone" is the worst of the
> worst of ideas...especially when you have things like "run as" to not need
> it...
>
> Michael
Just leaping off at a bit of a tangent here... We have some (ancient)
applications which will only run if the user is a power user - we never
have to make 'em local machine admins. We'd rather they didn't have to
have these rights but they need them to work - any good resources you
know of where we could find out more about some of the ideas you've
suggested?
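As an added illustration of the thread's first suggestion (give the application's users group access to the one resource it needs instead of Power User or local admin rights), here is a PowerShell script that is not from any poster in this thread. The directory path and the AD group name are assumed placeholders; the script grants the group Modify access on the application's data directory with inheritance, prints the resulting ACE for verification, and lists current local Administrators membership so blanket "Domain Users" style membership is visible. The commented runas line shows the thread's second suggestion for the occasional task that genuinely needs elevation.

```powershell
# Added example, not code from the thread. Names below are assumptions.
param(
    [string]$AppDataDir    = 'C:\Program Files\LegacyApp\Data',  # assumed: directory the legacy app writes to
    [string]$AppUsersGroup = 'CORP\LegacyApp-Users'              # assumed: AD group of the app's users
)

# 1) Grant the group Modify (read/write/create/delete) on the directory.
#    ContainerInherit,ObjectInherit makes new subfolders and files inherit the ACE,
#    so the user never needs Power User or Administrators membership for this app.
$acl  = Get-Acl -Path $AppDataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $AppUsersGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $AppDataDir -AclObject $acl

# 2) Verify the ACE that was written before rolling the change out.
(Get-Acl -Path $AppDataDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppUsersGroup } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize

# 3) Audit who currently holds local admin on this workstation. A 'Domain Users'
#    entry here is the blanket-admin setup the thread argues against.
net localgroup Administrators

# 4) For the rare task that really needs elevation (an installer, say), run only
#    that process under an admin account rather than elevating the user's session:
#    runas /user:CORP\admin-alice "C:\Program Files\LegacyApp\setup.exe"   # assumed account and path
```

Run it from an elevated prompt once per workstation (or push it through a startup script or Group Policy) and keep the output of step 2 as evidence that the application's users were given a narrow directory grant rather than a local group elevation. To discover which directory or registry key an application actually touches when it fails as a normal user, watch its ACCESS DENIED results in a file-and-registry monitor before writing the grant.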