Re: Opinions needed on Windows Administrative Rights
From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 05/18/05
- Next message: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Previous message: Michael Pelletier: "Re: Password question"
- In reply to: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Next in thread: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Reply: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 May 2005 22:57:58 +0100
Michael Pelletier wrote:
> andy smart wrote:
>
>
>>Michael Pelletier wrote:
>>
>>>Leythos wrote:
>>>
>>>
>>>
>>>>In article <1116424563.284367.36480@f14g2000cwb.googlegroups.com>,
>>>>syrjalab@gsilumonics.com says...
>>>>
>>>>
>>>>>Greetings,
>>>>>
>>>>>I have a long running dispute with a consultant in my workplace over
>>>>>administrative rights. I have googled the topic and sampled opinions,
>>>>>but most are of the general "don't give users those rights" or "Windows
>>>>>doesn't run too well if you don't give those rights" variety.
>>>>>
>>>>>I am of the opinion that only giving users "power user" rights
>>>>>generates far more support calls than its worth and doesn't really
>>>>>prevent viruses or malware from running. Every time I ask I get no
>>>>>specific examples, and those machines that are locked down don't seem
>>>>>to be any cleaner.
>>>>>
>>>>>Can anyone give more specific examples of why it is bad for users to
>>>>>run as an administrator? I'm really trying to see that side of it,
>>>>>but no one ever gives good examples... all I get is a shrieking "YOU
>>>>>CAN'T GIVE USERS ANY RIGHTS! THEY'RE DUMB AND WILL SCREW UP THEIR
>>>>>COMPUTERS!"
>>>>
>>>>You are not going to like my answer, but here it is:
>>>>
>>>>We have several clients that utilize outsourced (US) support only, they
>>>>have no full time IT staff. Those clients have as many as 15 offices in
>>>>several states, all connected to each other over dedicated VPN's with
>>>>their own domain/servers in half of the offices. All workstations are
>>>>setup with DOMAIN USERS in the "workstations" local administrators
>>>>group. Now, all workstations are running Symantec Corporate Edition 9
>>>>Groupware, all are behind a firewall that blocks select attachments in
>>>>email, blocks active-x, blocks websites of a questionable nature. In
>>>>more than 3 years we've not had one single machine compromised, not one
>>>>issue with a user trashing a workstation. We've had a couple user
>>>>install personal software, but it was detected and removed. Most of the
>>>>users are non-technical, and it's working fine. Oh, we have over 387
>>>>systems running like this with those clients.
>>>>
>>>>In the case of a development team, they must have local administrator
>>>>rights or they won't be able to do their work efficiently.
>>>>
>>>>The only users I see screwing up their computers are ones on unprotected
>>>>networks where web access is unfiltered, email is not stripped of
>>>>malicious attachment, and where people are at home.
>>>>
>>>>
>>>>
>>>
>>>
>>>Sorry I but I disagree with your statements. Security best practices
>>>dictate giving the minimum privileges necessary to complete the task. I
>>>have never cam across an application that could not be made to run with
>>>"normal" privileges by:
>>>
>>>1) Find the resource is needs and prpvide the access using groups. Most
>>>of the time, the application just needs access to a directory (for
>>>creating a file, etc) and is trivially fixed using group access.
>>>
>>>2) or using "run as"
>>>
>>>Issuing local admin privs is dangerous because:
>>>
>>>1) It limits your control on what software runs on the pcs. A lot of
>>>people will simply grab a cd and install software even when they do not
>>>have licenses for it (ever get audited? not very fun and it will be
>>>costly). We also do not allow things like MSN messager, Yahoo, etc. If
>>>people had local admin, they can easily bypass this...and how many
>>>security holes have been in MSN messenger and yahoo? Many.
>>>
>>>2) A lot of new viruses first go after anti-viruses by stopping the
>>>process and installing itself. This can only be achieved if the user has
>>>admin privs. If the user does not, the virus can not infect the pc.
>>>Remember system admin 101, when you click on an executable and you are a
>>>local admin, so is the executable...these types of viruses (that disable
>>>anti-viruses first) are very, very dangerous when you have admin privs.
>>>In short, with these types of viruses and local admin, make your
>>>anti-virus worthless.
>>>
>>>3) There has been a new wave of root toolkits for windows that are just
>>>starting to come out. These types of viruses try to replace system
>>>binaries (and parts of the kernel) with trojan like code. These will be
>>>the worst of the viruses as you will not know (nor will the anti-virus)
>>>that you are infected. As I said before, this is because they replace
>>>parts of the kernel. Where do you think your anti-virus app gets it's
>>>info from? It gets it from issuing calls to the kernel space. And if the
>>>kernel space has been replaced with trojan like code? These types of
>>>viruses depend on the user having local admin privs to install
>>>themseleves...
>>>
>>>4) Many people do not know what they are doing, why give them the keys to
>>>screw things up?
>>>
>>>Sorry, I think this idea of "local admin of everyone" is the worst of the
>>>worst of ideas...especially when you have things like "run as" to not
>>>need it...
>>>
>>>
>>>
>>>Michael
>>
>>Just leaping off at a bit of a tangent here... We have some (ancient)
>>applications which will only run if the user is a power user - we never
>>have to make 'em local machine admins. We'd rather they didn't have to
>>have these rights but they need them to work - any good resources you
>>know of where we could find out more about some of the ideas you've
>>suggested?
>
>
>
> Honestly, I you need to research the application most of the times, like I
> said, it needs access to a file or directory. Which is easily fixed with
> groups. I would contact the vendor or do some googling...
>
> Michael
Thanks Micheal, I'll work on it.
In most cases these packages were written by the system managers for
schools who've now moved on or by companies long since gone to the big
code lab in the sky. So I think I'm on my own!
- Next message: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Previous message: Michael Pelletier: "Re: Password question"
- In reply to: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Next in thread: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Reply: Michael Pelletier: "Re: Opinions needed on Windows Administrative Rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
