Re: Applying SAFER policies via GPO, is this the right newsgroup to post in



If you want your users to have the ability to install and run programs, then
local admin with Internet is the way to go. In a small business (< 100
employees) we do not have the time or money to employ a huge IT dept with
help desk. Prefer to train users properly (SANS classes are great) and give
them local admin privileges. For secretaries and support personnel I agree;
they only have user privileges. But most other users (especially laptop
users and engineers) need local admin rights.

Easier to lock down the Internet-facing programs, as that is where 100% of
the attack vectors come from anyway. IE, Firefox, Outlook, Outlook Express,
WMP, Real, Quicktime, etc.

Although these days it looks like all programs communicate with the Internet
:)


"NickvW" <me@xxxxxxxxxxx> wrote in message
news:O$3EXZBVGHA.1688@xxxxxxxxxxxxxxxxxxxxxxx

"Edward Ray" <ewray@xxxxxxxxxxxxxxxx> wrote in message
news:%23n6K8qpUGHA.5808@xxxxxxxxxxxxxxxxxxxxxxx
Are you saying that GPR shows these extensions to SAFER but that GPM
doesn't?

Yes!
I've always used GPR wherever possible for troubleshooting GPO application
(or not).

Just goes to show these RSoP simulations are just that.

BTW, don't you think that logging on with an ordinary user account and
then using runas with shortcuts, mmc etc is a better way to go than
logging on as an admin then relying on SAFER to limit the privileges of
'dangerous' processes that you start in that session?

I'd be interested to know what the business need is that requires an admin
to always be logged on as an admin. I would create two accounts.



