Re: Least User Privileges for Network Administrators

Sorry for the delay in response. I've been out sick for the last few days.

While I understand the thrust of your comments, I also believe that one of
your assumptions is at least partially flawed. You stated that the users in
our Network Technology group are most likely, "people that you already
trust." Trust how? Do we trust them to maintain network equipment? Yes.
Do we trust them to observe proper security practices on the desktop, and to
NOT install unlicensed versions of software? No. In fact, improper desktop
security practices and the installation of unlicensed software occur within
our Network Technology group at a rate that is far beyond that of any other
group of users. It is fair to say that as a group they have a spotty record
when it comes to following enterprise desktop security standards and
policies, and they have run afoul of software licensing requirements.
Management is partly to blame for the situation because until now they have
done nothing to crack down on that kind of behavior. So, in a sense, we
don't trust them because they've proven that a certain level of distrust is

That being said, I do not believe that any of them would do anything
malicious, so in that respect we do trust them. The question then becomes,
how do we allow them to do their jobs with the least amount of disruption
and inconvenience, and still ensure that desktop security standards are
enforced, and that they're not installing just any old software that they
download from the Internet?

Maybe with XP SP2, that balance just can't be achieved, and if that's the
case then I guess we'll have to live with that fact. At the same time, my
job is to try to find a way to institute the security standards of the
enterprise without crushing their ability to do their jobs. So, I need to
do my due diligence and try to find a creative solution. One example of a
creative solution is what we did with our Web programmers. Some of their
tools do require administrative rights, so we took those tools off the
desktop and moved them to a virtual server. The programmers have full
administrative rights within the virtual environment, but are only standard
users on the desktop. Maybe something similar would work for our Network
Technology group, and maybe not, but these are the kinds of solutions that I
need to consider.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
While implementing the principle of least privilege is a noble goal I
think you might be overdoing it with that group of users. Most likely
they are all highly trained competent people very knowledgeable about
computers and people you already trust as they have access to very
sensitive areas of your network.

Consider the unintended consequences of trying to limit such a group which
could include reduced productivity, missing deadlines, bad for morale, and
them feeling untrusted and incompetent. Also being a local administrator
does not give a user any additional access to the domain assuming basic
best practices for securing the domain are being used.

I am all for PLUP for the average user that will try to install harmful
software on their computer which could even lead to a backdoor to your
network, disable Windows Updates because they read somewhere it would slow
their computer down, change settings they know nothing about, disable
malware protection because they can not access some stupid website,
creating shares so their buddy can access their computer, etc. All this
can greatly impact their productivity and increase IT costs cleaning up
the mess.

Having said that, the ways you can increase a regular user's access are to
modify access control lists [registry/NTFS], grant permissions to needed
services [can be done via Group Policy], add to privileged groups other
than administrators, and to grant user rights above what regular users
have [via Group Policy]. Unfortunately there are many tasks that simply
can not be granted to a regular user no matter what you try as usually
evidenced by object access failures in the security log when auditing of
object access is enabled. There is no set plan so you will have to do a
ton of trial and error footwork to see if you can accomplish what you want
but I am doubtful it can be done with the needs of your network technology
group. Training users that need administrator access to log on as a regular
user and then use runas when they need admin powers is a good practice. --
this may be of interest
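
An added example, not part of the original thread: one way to shorten the trial-and-error step described above is to collapse object access failure audits into a per-object list of denied accesses, which then become the candidate registry/NTFS ACL changes to review. The CSV column names, the sample rows and the function names are constructed for illustration; how the failure audits are exported from the Security log is left to your own tooling.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of object-access audits (column names are assumptions).
SAMPLE = r"""result,user,process,object_type,object_name,accesses
Failure,CORP\nettech1,C:\Tools\capture.exe,Key,\REGISTRY\MACHINE\SOFTWARE\CaptureTool,Set key value
Failure,CORP\nettech1,C:\Tools\capture.exe,Key,\REGISTRY\MACHINE\SOFTWARE\CaptureTool,Create sub-key;Set key value
Failure,CORP\nettech1,C:\Tools\capture.exe,File,C:\Program Files\CaptureTool\capture.log,WriteData
Success,CORP\nettech1,C:\Tools\capture.exe,File,C:\Program Files\CaptureTool\capture.ini,ReadData
Failure,CORP\nettech2,C:\WINDOWS\system32\mmc.exe,File,C:\WINDOWS\system32\drivers\etc\hosts,WriteData
"""


def summarize_failures(csv_text, user_filter=None):
    """Collapse failure audits into one entry per object: which accesses were
    denied, by which processes, and how often."""
    denied = defaultdict(lambda: {"accesses": set(), "processes": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["result"].strip().lower() != "failure":
            continue  # successful accesses need no ACL change
        if user_filter and row["user"].lower() != user_filter.lower():
            continue
        # Windows object names are case-insensitive, so normalise the key.
        entry = denied[(row["object_type"], row["object_name"].lower())]
        entry["accesses"].update(a.strip() for a in row["accesses"].split(";") if a.strip())
        entry["processes"].add(row["process"].lower())
        entry["count"] += 1
    return dict(denied)


def report(denied):
    """Most frequently denied objects first; ties broken by name for stable output."""
    lines = []
    for (otype, name), e in sorted(denied.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        lines.append(f"{e['count']:>3}  {otype:<4} {name}  denied: {', '.join(sorted(e['accesses']))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_failures(SAMPLE))))
```

Each reported object is a request to review, not a grant to apply blindly: a denied write to an application's own key or log file is a reasonable ACL candidate, while a denied write to a system file such as the hosts file is better handled with runas.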