Re: Least User Privileges for Network Administrators
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Oct 2007 22:15:53 -0500
While implementing the principle of least privilege is a noble goal, I think
you might be overdoing it with that group of users. Most likely they are
all highly trained, competent people, very knowledgeable about computers, and
people you already trust, as they have access to very sensitive areas of your
network.
Consider the unintended consequences of trying to limit such a group, which
could include reduced productivity, missed deadlines, bad morale, and
their feeling untrusted and incompetent. Also, being a local administrator
does not give a user any additional access to the domain, assuming basic best
practices for securing the domain are being used.
I am all for PLUP for the average user, who will try to install harmful
software on their computer (which could even lead to a backdoor into your
network), disable Windows Updates because they read somewhere it would slow
their computer down, change settings they know nothing about, disable
malware protection because they can not access some stupid website, create
shares so their buddy can access their computer, etc. All this can greatly
impact their productivity and increase IT costs cleaning up the mess.
Having said that, the ways you can increase a regular user's access are to
modify access control lists [registry/NTFS], grant permissions to needed
services [can be done via Group Policy], add them to privileged groups other than
administrators, and grant user rights above what regular users have [via
Group Policy]. Unfortunately there are many tasks that simply can not be
granted to a regular user no matter what you try, as is usually evidenced by
object access failures in the security log when auditing of object access is
enabled. There is no set plan, so you will have to do a ton of trial and
error footwork to see if you can accomplish what you want, but I am doubtful
it can be done with the needs of your network technology group. Training
users that need administrator access to log on as a regular user and then use
runas when they need admin powers is a good practice.
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx --
this may be of interest
"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:uve%23SSeEIHA.5604@xxxxxxxxxxxxxxxxxxxxxxx
XP SP2
My organization is trying to comply with the principle of least user
privileges, and toward that end I have been given the task of converting
all the users in my organization to standard user accounts. We've been
doing this using the Restricted Groups policy, and for the most part it
hasn't been a problem, but now I am working with our network technology
group and I've run into some issues.
The employees in our network technology group are the people who design
the network, install routers and switches, run all the cabling and install
network jacks, use protocol analyzers to monitor network traffic and
troubleshoot problems, etc. They maintain that they must be able to:
1) Use terminal services and FTP
2) Disable the firewall
3) Change NIC settings
4) Change IP address and subnet settings
5) Download and install drivers and networking tools
I'm sure the list goes on, but thus far they have not complied with my
request for a complete list of duties that may be impacted by the loss of
administrative rights. I've looked at making them all members of the
Network Configuration Operators group, and while that may solve some
issues it also looks like it will not solve every issue that I'll have
with these users. I've also taken a quick look at some tools that would
allow specific applications to be run with a different set of credentials,
so maybe the employee would login as an administrator but specific "high
risk" applications would run with reduced rights, or maybe they'd login
with limited rights and specific applications would run with administrator
rights. But I kind of don't want to introduce a process like that if I
can avoid it.
I'd appreciate the advice of anyone who's had to deal with converting
these kinds of users to standard user accounts. Also, are there any group
policies, or software tools, that would allow these users to do the things
that they have a legitimate need to do in their daily jobs? Are there any
registry keys that I can give them rights to that would (presto chango)
allow them to modify any network setting on their local machine?
Any help that can be offered will be greatly appreciated!
--Tom
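An added example, not code from either post: the "trial and error footwork" Steven describes can be made systematic. With "Audit object access" enabled for failures on a test workstation, have the network tech log on as a standard user and run through the tasks in Tom's list, then pull the object-access failures for that account and group them by process and object. Each row is one ACL [registry/NTFS] or user right you would consider opening up before deciding the task really needs administrator. Assumptions: Windows Vista or later (event IDs 4656/4663; on XP SP2 the same failures are logged as event ID 560, so the field names differ), PowerShell 3 or later, run from an elevated prompt on the test machine after the run-through; `CONTOSO\tom-admin` and `tom` are placeholder account names.

```powershell
# Added example (not from the thread). Triage object-access failures for one
# standard-user account so you can see which ACLs/rights a task actually needs.
param(
    [string]$User  = 'tom',   # placeholder: the standard-user account under test
    [int]   $Hours = 1        # how far back to look (the length of the run-through)
)

# Keywords bit that marks a Security event as an "Audit Failure".
$AuditFailure = 0x10000000000000

function Get-EventField {
    # Pull one named <Data> field out of an event's XML body.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ObjectAccessFailures {
    # 4656 = a handle to an object was requested, 4663 = an attempt was made to
    # access an object. Only failures in the window are returned.
    param([string]$Account, [int]$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        Keywords  = $AuditFailure
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue      # no events at all is not an error here

    foreach ($e in $events) {
        if ((Get-EventField $e 'SubjectUserName') -ne $Account) { continue }
        [pscustomobject]@{
            Process    = Get-EventField $e 'ProcessName'
            ObjectType = Get-EventField $e 'ObjectType'   # File, Key, Service, ...
            Object     = Get-EventField $e 'ObjectName'
            Access     = (Get-EventField $e 'AccessList') -replace '\s+', ' '
        }
    }
}

# One line per (process, object), most frequent first. A File/Key row is an
# ACL you can widen with icacls or via Group Policy security settings; a row
# that keeps failing after that usually means the task needs a user right or
# is simply not grantable to a standard user, as the reply warns.
Get-ObjectAccessFailures -Account $User -LookbackHours $Hours |
    Group-Object Process, Object |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Type';    e = { $_.Group[0].ObjectType } },
        @{ n = 'Object';  e = { $_.Group[0].Object } },
        @{ n = 'Access';  e = { $_.Group[0].Access } } |
    Format-Table -AutoSize

# What the account holds today: group memberships (e.g. Network Configuration
# Operators) and user rights assigned through Group Policy. Run these in the
# standard user's own session, not the elevated one.
whoami /groups
whoami /priv

# The runas habit from the reply: stay a standard user and elevate only the
# one tool. Do not add /savecred, which caches the admin password for every
# later runas call on that machine.
runas /user:CONTOSO\tom-admin "control ncpa.cpl"
```

Run the script once per task on the list (terminal services, NIC settings, IP changes, driver installs) so each task's failures are isolated in their own time window; that gives you the "complete list of duties" the techs have not written down, measured rather than asked for.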