Re: Least User Priviledges for Network Administrators

Looks like I may have over estimated that group. As you mention it sounds
like a big part of the problem has been management so if you have the ears
of the powers that be it would be good to institute computer use policy that
defines specific can and can not with spelled out disciplinary action
possibilities but to be effective the policy needs to be enforced. Such
computer use policies are as essential as computer technical policies.

Again it still may be from very difficult to impossible to have users in
that group not be local administrators due to the nature of their work. An
additional item I want to mention is to look into the user of Software
Restriction Policies to manage what they can run and install on their
computers. Maybe you could have the better disciplined users not that locked
down so that they could try new tools and software that could then be
approved for the rest of the users. Software Restriction Policies can be
enforced for local administrators also BUT local administrators are exempt
from Software Restriction policies while in Safe Mode but the user most
likely would not know that.

Steve


"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:%23KyzyGmFIHA.2004@xxxxxxxxxxxxxxxxxxxxxxx
Sorry for the delay in response. I've been out sick for the last few
days.

While I understand the thrust of your comments, I also believe that one of
your assumptions is at least partially flawed. You stated that the users
in our Network Technology group are most likely, "people that you already
trust." Trust how? Do we trust them to maintain network equipment? Yes.
Do we trust them to observe proper security practices on the desktop, and
to NOT install unlicensed versions of software? No. In fact, improper
desktop security practices and the installation of unlicensed software
occur within our Network Technology group at a rate that is far beyond
that of any other group of users. It is fair to say that as a group they
have a spotty record when it comes to following enterprise desktop
security standards and policies, and they have run afoul of software
licensing requirements. Management is partly to blame for the situation
because until now they have done nothing to crack down on that kind of
behavior. So, in a sense, we don't trust them because they've proven that
a certain level of distrust is appropriate.

That being said, I do not believe that any of them would do anything
malicious, so in that respect we do trust them. The question then
becomes, how do we allow them to do their jobs with the least amount of
disruption and inconvenience, and still insure that desktop security
standards are enforced, and that they're not installing just any old
software that they download from the Internet?

Maybe with XP SP2, that balance just can't be achieved, and if that's the
case then I guess we'll have to live with that fact. At the same time, my
job is to try to find a way to institute the security standards of the
enterprise without crushing their ability to do their jobs. So, I need to
do my due diligence and try to find a creative solution. One example of a
creative solution is what we did with our Web programmers. Some of their
tools do require administrative rights, so we took those tools off the
desktop and moved them to a virtual server. The programmers have full
administrative rights within the virtual environment, but are only
standard users on the desktop. Maybe something similar would work for our
Network Technology group, and maybe not, but these are the kinds of
solutions that I need to consider.

--Tom

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23sjYY5fEIHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
While implementing the principle of least privilege is a noble goal I
think you might be over doing it with that group of users. Most likely
they are all highly trained competent people very knowledgeable about
computers and people you already trust as they have access to very
sensitive areas of your network.

Consider the unintended consequences of trying to limit such a group
which could include reduced productivity, missing deadlines, bad for
morale, and they feeling untrusted and incompetent. Also being a local
administrator does not give a user any additional access to the domain
assuming basic best practices for securing the domain are being used..

I am all for PLUP for the average user that will try to install harmful
software on their computer which could even lead to a backdoor to your
network, disable Windows Updates because they read somewhere it would
slow their computer down, change settings they know nothing about,
disable malware protection because they can not access some stupid
website, creating shares so their buddy can access their computer, etc.
All this can greatly impact their productivity and increase IT costs
cleaning up the mess.

Having said that the ways you can increase a regular users access is so
modify access control lists [registry/NTFS], grant permissions to needed
services [can be done via Group Policy], add to privileged groups other
than administrators, and to grant user rights above what regular users
have [via Group Policy]. Unfortunately there are many tasks that simply
can not be granted to a regular user no matter what you try as usually
evidenced by object access failures in the security log when auditing of
object access is enabled. There is not set plan so you will have to do a
ton of trial and error footwork to see if you can accomplish what you
want but I am doubtful it can be done with the needs of your network
technology group. Training users that need administrator access to logon
as a regular user and then use runas when they need admin powers is a
good practice.

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx --
this may be of interest




.

Relevant Pages

  • SUMMARY WAS: OT? Philosophical Question on SA responsibilities
    ... helpful for managers interested in hiring new administrators. ... Would you go thru the 14,600 messages in root and admin ... If I was a new SA I would if encountering a security hole, ... I can see some use for the passwd -s part of the crontab script, ...
    (SunManagers)
  • RE: Forest Trust Problem - SID Conflict (Yet another crisis)
    ... We have a one way trust between PP and Corp (PP ... Prod\Admins group is a member of the Local Administrators ... group of a member server. ... > SID to be duplicated when generating the new domain via dcpromo. ...
    (microsoft.public.windows.server.active_directory)
  • RE: software to control domain administrators
    ... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators." ... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ...
    (Security-Basics)
  • Re: Weird security problem in my WIn2K domain
    ... Keep in mind that enterprise admins group has no administrative powers on ... Another thing to try is to create a new account ... add that account to the local administrators ... enable auditing of account logon events in Domain Controller Security Policy ...
    (microsoft.public.windows.server.security)
  • RE: IDS and Spywares
    ... Right said Omar, thats why security companies are ... may be hIDS running or probably with NIDS ... Network administrators with least administrative ...
    (Focus-IDS)