Re: Network Computer Games on Business Machines

Malke,

We had to give users a local admin account for their laptops as they are software consultants, so they often have to install & uninstall different software when out of the office, which means we can't do it for them. The general accounts that they use for everyday work aren't local admin, but they do have access to another account on the laptop.

I've already spoken to our IT Ops director about removing this access from non consultant laptops, like sales, marketing & hr etc
Not an acceptable solution. Your security is seriously lax. Consider installing virtualization software such as VMWare or Virtual PC 2007 with a virtual machine running whatever operating system is needed instead for software demonstrations. Or have separate laptops for the software consultants which don't connect to your network.

Domain users should never, never, never be local administrators. Never. There is always a way around this.

BTW, PA Bear's question is a good one. What's your role in this?

Malke,

I did try to get VM workstation on all the development machines last year, however this brought up 2 problems:
1) The software that they run is very memory hungry, needing more than 1GB, all our existing laptops (Dell) have the max 2GB installed, (I think the newer laptops Dell are producing will go up to 4GB). We found that running a VM machine became very slow, as you required 512mb for the base O/S, another 512mb for the VM O/S, which left only 1GB for the software, the bare minimum needed to run it!
2) Because we'd be running another Windows XP license in the VM machine, this meant we'd have to buy another 15 - 20 WinXP Pro licenses, which is what....£100 oem? (I think it was £150 last time I looked, before Vista came out.) So £2,000 total. Give the financial/IT Ops director a choice between spending £2,000 or giving people local admin rights, and he's going to take the latter option every time!

Ben

P.S. I have replied to PA Bear's question.
It seems to boil down to how much money they are willing to spend.

Present it as a risk analysis - how much will it cost to fix a major problem versus how much to prevent it in the first place. There are plenty of news stories of how much financial damage is caused by malware and viruses, not to mention corporate data lost and/or stolen.

Does the home office go through a proxy, or connect straight to the internet? My company, much larger than your 30 people, goes through a proxy and has blacklisted undesirable sites. Undesirable sites now include web-based email since someone let a virus loose that 'killed' about 35 machines; they required hard drive replacement (it was quicker to physically swap-out the HD's) and OS re-installation, about 30 person-hours per machine, and all local data lost. Just one incident like that would cripple your company.

--
I'm glad my Mom named me Aaron,
That's what everybody calls me.

Hi Aaron,

I think you're right, at the moment its easier for management to think of reasons not to spend money, rather than reasons to spend it. I need to sit down and write a risk analysis report as you said, then see if they'll release some funds for extra XP licenses or something.

We currently use MS ISA 2006 as our firewall, which stops, touch wood, inbound attacks, but this doesn't protect against someone internally bringing something dangerous in from the outside. We used to run McAfee AV for ISA, but that caused major headaches, so we removed it. I'm currently trying to get a budget for Bitdefender for ISA, so at least some basic AV scanning is taking place on the firewall.

The clients themselves are all running Symantec Client Security, which isn't bad, BUT I've found it lures people into a false sense of security, because our users now think 'we have AV & firewall running, we're 100% safe so it doesn't matter if I accidentally download/install something dodgy'. I've used group policy to add a few known dodgy sites to the restricted sites zone in IE, but that doesn't block access totally, just what scripts and controls it can use.

Ben

Or: Point out that Ubuntu linux is more secure, and free. :)

--
I'm glad my Mom named me Aaron,
That's what everybody calls me.
.

Relevant Pages

  • Re: Network Computer Games on Business Machines
    ... We had to give users a local admin account for their laptops as they ... local admin, but they do have access to another account on the laptop. ... software consultants which don't connect to your network. ...
    (microsoft.public.security)
  • Re: Network Computer Games on Business Machines
    ... We had to give users a local admin account for their laptops as they are software consultants, so they often have to install & uninstall different software when out of the office, which means we can't do it for them. ...
    (microsoft.public.security)
  • Re: Network Computer Games on Business Machines
    ... We had to give users a local admin account for their laptops as they are software consultants, so they often have to install & uninstall different software when out of the office, which means we can't do it for them. ...
    (microsoft.public.security)
  • Re: Network Computer Games on Business Machines
    ... We had to give users a local admin account for their laptops as they are ... consultants which don't connect to your network. ...
    (microsoft.public.security)
  • Re: Domain Profiles Borked - Cant Grant Admin Rights - HELP!!!
    ... > status of their account. ... local Admin rights were given to ... > afflicted machine and give them local Admin rights, ... the SID of your users is no longer the same as it was. ...
    (microsoft.public.windowsxp.setup_deployment)