Re: Windows Client and Server Security

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/23/05


Date: Sun, 23 Jan 2005 12:05:01 -0500

Freddy wrote:
> Hello,
>
> My name is Freddy Bhagalia. I am working as a System Administrator in
> an Organisation. We are into Freight Forwarding business. We have 300
> plus Computers in our Organisation and I am the Administrator of
> these Computers.
>
> I was having a technical discussion with my boss (CIO of the
> Company). The discussion was on "Should we give Administrator rights
> of the local Computer, to the User who is the owner of that Computer?"
>
> He thinks that we should give all the Users, Administrator rights.

Why?

>
> I am extremely against this and am arguably not in favour of that.
> According to me, if the Admin rights of the Computer are given to
> the Users, they can cause serious problems to their own Computers and
> the Network. Ultimately, the Administrator has to face the music for
> the Users' doings.

You're absolutely correct. There are way too many things users can do,
deliberately or inadvertently, if they have admin rights...or perhaps even
power user rights. A virus/trojan or malware/spyware that gets on the PC
will run under whatever rights the logged-in user has.... The user may try to
change the system clock, remove the computer from the domain, install
software (legal or no) that is not part of your standard build, and your
computers won't be standardized ...and standardization is really important,
especially with 300 computers - although even on small networks it's a good
thing from an admin perspective.
>
> Please let me know your views on the same as I am in a fix on whether to go
> about what my boss had asked me for, or should I be firm on my
> statement to my boss "Not to give Administrator Rights to the Users".

Turn this question on its head and ask him why he thinks they need it. Users
should have the least amount of privileges required to do their work -
that's just common sense.

If you have badly-written software that requires local admin rights, you can
use FileMon and RegMon from www.sysinternals.com to modify the registry &
file system so it will run under a limited user account.

>
> Regards
>
> Freddy.Bhagalia
>
> Jan 22
>
> email add: freddy@writercorporation.com


