Re: Security best practice help!!! local admin addition!
From: Philip Nunn (bigphil_at_newsgroups.nospam)
Date: 01/07/05
- In reply to: Chris Weber [Security MVP]: "Re: Security best practice help!!! local admin addition!"
Date: Thu, 6 Jan 2005 16:36:15 -0800
Thanks for all the good input guys! I will print this out and let them read
what the real pros thought about this idea!
Thanks,
Phil
"Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
news:%23$2ocpv8EHA.1524@TK2MSFTNGP09.phx.gbl...
> That's like taking a group of 20 children to the amusement park,
> then letting them run loose and hoping they come back. Not very
> responsible. It's often done in development environments, but believe me
> there are better practical ways. Giving everyone admin rights can wreak
> havoc on network security.
>
> My personal favorite is how local administrators can see in plain c l e a
> r t e x t all of the service account passwords on the machine.
>
> Consider the following scenario which I have personally taken advantage of
> 100 times at various client networks, and extremely large ones.
> 1. Domain administrators need to run backup software across the network
> 2. Backup software needs to install a backup agent "service" on every
> workstation
> 3. This service runs as a Domain Admin account
> 4. Where is that Domain Admin password stored now? If you guessed in the
> "protected" Registry of every workstation, you're right! Furthermore, any
> administrator of any workstation can easily access that password in plain
> clear text.
>
> There, now everyone's a Domain Admin - is that productivity?
>
> /Chris
>
>
>
> "Philip Nunn" <bigphil@newsgroups.nospam> wrote in message
> news:eVmeUhc8EHA.3476@TK2MSFTNGP15.phx.gbl...
>> Hello everyone,
>>
>> I would like everyone's opinion on a subject of extreme importance to me.
>> Right now my company's computers are set up so that all users are ONLY
>> members of the local users group to enforce security across the network,
>> reduce support costs and is an overall good practice to follow. This is
>> all about to change for me. We are in the process of consolidating
>> domain and with this my IT managers want to add everyone to make them
>> members of the local administrators group!!! I strongly disagree with
>> this and did not make this recommendation. I am trying to prevent this
>> from happening to my network as I don't think this is in the best interest
>> for the network/company. Please give me your opinions on this and what
>> your companies do. Any links to articles with reasons why this is not a
>> good idea would be greatly appreciated and MVP/MSFT person's opinions
>> would be great!
>>
>> Phil
>>
>
>
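An audit for the backup-agent scenario quoted above, added here as an example and not part of the original thread: it lists services on a workstation that log on with a domain account, which are the ones whose credentials a local administrator of that machine could reach. The function names and the sample records (including `EXAMPLE\svc-backup`) are hypothetical; whether a flagged account is actually a Domain Admin needs a separate directory lookup.

```powershell
# Added example: classify each service's logon account and report the ones
# that run under a domain account. Function names are hypothetical.
function Get-ServiceLogonClass {
    param([string]$StartName, [string]$ComputerName = $env:COMPUTERNAME)

    if ([string]::IsNullOrWhiteSpace($StartName))         { return 'None' }     # drivers, disabled entries
    if ($StartName -eq 'LocalSystem')                     { return 'BuiltIn' }
    if ($StartName -match '^(NT AUTHORITY|NT SERVICE)\\') { return 'BuiltIn' }  # LocalService, NetworkService, virtual accounts
    if ($StartName -match '@')                            { return 'Domain' }   # UPN form: user@domain
    if ($StartName -match '^(?<prefix>[^\\]+)\\') {
        # ".\name" and "COMPUTERNAME\name" are local accounts, anything else is a domain prefix
        if ($Matches.prefix -eq '.' -or $Matches.prefix -eq $ComputerName) { return 'Local' }
        return 'Domain'
    }
    return 'Local'   # bare name with no prefix: treated as a local account
}

function Find-DomainAccountService {
    param([Parameter(ValueFromPipeline)]$Service)
    process {
        if ((Get-ServiceLogonClass $Service.StartName) -eq 'Domain') {
            [pscustomobject]@{
                Service = $Service.Name
                Account = $Service.StartName
                State   = $Service.State
            }
        }
    }
}

# Constructed sample records (not from the thread) shaped like Win32_Service output.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';     StartName = 'LocalSystem';                 State = 'Running' }
    [pscustomobject]@{ Name = 'Dhcp';        StartName = 'NT AUTHORITY\LocalService';   State = 'Running' }
    [pscustomobject]@{ Name = 'BackupAgent'; StartName = 'EXAMPLE\svc-backup';          State = 'Running' }
    [pscustomobject]@{ Name = 'Inventory';   StartName = 'svc-inventory@example.local'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'LocalTool';   StartName = '.\tooluser';                  State = 'Stopped' }
)
$sample | Find-DomainAccountService      # reports BackupAgent and Inventory only

# The same check against the services installed on the local machine.
Get-CimInstance -ClassName Win32_Service | Find-DomainAccountService
```

Any service this reports is a reason to keep ordinary users out of the local Administrators group on that machine and to give the service an account with only the rights it needs.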