Re: Permissions (EVERYONE POST TO THIS)

From: Paul A. Mancuso (pm@intenseschool.com)
Date: 01/07/03


From: "Paul A. Mancuso" <pm@intenseschool.com>
Date: Tue, 7 Jan 2003 11:49:18 -0500


Eric,

Removing Admin rights from your users is the prudent thing to do. I do not
understand some people and their opinions regarding security. Most users
have no necessity to load applications at will (GPO's do just fine thank you
along with other application administration tools) nor install services
without the IT Administrator providing these services and applications. When
people begin to realize that the Firewall is only a beginning to security
and a user can let in anything and everything at will, security in
organizations will become more of a reality. True macro viruses introduced
through Outlook and other Office apps still require prudent users who are
aware of these issues and these will only get worse and more creative.

This isn't a battle as some have suggested here, but more a realization that
a central focus needs to be maintained and that users can bring in some
horrendous consequences on their own. For instance a user with Admin rights
has the ability to open up Active Scripting on his/her system and start a
fire from a control dl from the Internet. To justify that Knowledgeable
users across hundreds of users can be trained to not let this happen is a
bit of a stretch. Before you open up yourself to a nightmare, find out what
a user or department truly needs to do, and only allow what is needed not
what could be needed.

You allow one Hacker control of a desktop within your environment, and more
than likely that same IT admin that allowed Full Admin rights for all users
to their desktops, allows other what he/she would consider inconsequential
privileges, and before you know it, you have lost control of your network.
As someone who works within this area, allow me one desktop, I will find a
way to own it all. Therefore, allowing users to run your network, (if you
allow them Admin rights to their desktop, you are basically allowing them to
run it since they can allow anything in to their system from the outside),
you will find yourself without a job someday.

My basic analogy that teaches the above point is this. We all pay Homeowners
Insurance with the hope we never have to use it, but we still pay it anyway.
Therefore protect your network the same and use the prudent protection
available to you and make your network functional without having "hundreds
of Desktop Admins".

And finally, to address another comment made here, IT Admins who are
careless and state that it works for them is fine, err on the side of
caution. It is your job as also stated here. I wouldn't want to be
explaining to my boss or more accurately my clients why something happened
and how easily it could have been avoided with some judicious common sense.
I would make note of that.

Paul A. Mancuso

"Eric M" <eirc_magidson@hotmail.com> wrote in message
news:04bd01c2b5e4$56697d00$d2f82ecf@TK2MSFTNGXA09...
> Jeff:
>
> Thank you for your opinion: I think you misunderstood
> the real question. I do not see any reason for a software
> package to not work correctly just because the user does
> not have administrative rights. Although, I do spend a lot
> of time training users they still do not follow the
> requirements for downloading and I have been hit twice
> with viruses from users who stated they required admin
> rights. So I have to take hours to fix a problem that
> could have been alleviated if the user did not have those
> rights. Yes, the virus protection was up and running but
> they downloaded a worm that came to them in the form of a
> postcard.
>
> Regards,
> Eric
> >-----Original Message-----
> >>I am involved with a user group for a market specific
> >>application and we are currently discussing why not to
> set
> >>up users with administrative rights. Can you believe
> how
> >>many people find this an acceptable practice?
> >
> >Totally opposite opinion here. We have several hundred
> desktops and
> >every single user is a local admin. We have zero issues
> with this.
> >We would rather educate the user than lock them out of
> anything, and
> >if anything, it's reduced support calls, not increased
> them. It's
> >also increased productivity, and users are always
> creating new ways to
> >get their jobs done better.
> >
> >But the key is to do what works and is required in *your*
> >organization. I don't allow other admins to dictate what
> we do,
> >nobody should. Our organization's circumstances
> determine our needs
> >and abilities.
> >
> >>I am a Network administrator and would never consider
> this
> >>an option.
> >
> >Perhaps because you see your job as being a network
> administrator, not
> >an overall part of your organization. Would you have
> this same
> >attitude if you looked at your network from all the other
> viewpoints?
> >
> >>REPLY AND REPLY OFTEN.
> >
> >And forward this to every one in your contact list...
> >
> >These four words tell me everything about your reasoning
> and your
> >outlook. When you lose the attitude that it's you
> against them,
> >you'll find you've won.
> >
> >Jeff
> >.
> >


