Security Basics mailing list archives
RE: Removing Local Admin Rights...
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 1 Jun 2004 09:41:19 -0700
MY preferred solution is to give developers two machines -- an old/small/slow one for browser/email/etc which is treated just like any other user's machine, and a development box on a sandbox network that they can trash to their heart's content, because IT won't fix it. Dave Gillett
-----Original Message----- From: Faisal Masood [mailto:faisyuet () wol net pk] Sent: Monday, May 31, 2004 1:43 PM To: simont () pop co za; 'Craig, Jason' Cc: security-basics () lists securityfocus com Subject: RE: Removing Local Admin Rights... I'm working in a development environment. My developers need to register application DLLs most often. They also want to do ASP debugging, SQL debugging, MTS debugging. For these requirements I've to give my users local admin access. But result is that we get at least a system every week for repair. What is the solution to this issue? Regards Faisal Masood -----Original Message----- From: Simon Taplin [mailto:simont () pop co za] Sent: Saturday, May 29, 2004 8:37 PM To: Craig, Jason Cc: security-basics () lists securityfocus com Subject: Re: Removing Local Admin Rights... Most of the Adobe products don't run properly unless the User is part of the Power User Groups or higher for whatever reason. I remember that InDesign 1.5 needed to install Japanese fonts if the user was part of the Users group. Simon Craig, Jason wrote:Jay, None of our users have admin rights. Most apps will runfine. We've runinto quirks with label printer software, and the usualproblems with Adobeapps but we've been able to make things run without anyproblems. Mostthings are well documented, and if they're not regmon andfilemon are yourfriends. We've been running this way for 3+ years and ithas made ourlives much easier. -j -----Original Message----- From: KEN MORRIS [mailto:KMORRIS () kpl org] Sent: Tuesday,May 25, 200412:42 PM To: Jay Lopez; security-basics () lists securityfocus com Subject: RE: Removing Local Admin Rights... Jay, First thing I would do would be to check to see if there isany non-M$programs installed that are needed in the organization. IFthere are,thoroughly test those programs under both O/S beforeremoving local adminrights. Some software will run only under local admin useraccounts. Ihave tried here and found that in certain programs there is no workaround other thanlocal admin to allow users to run the software. Evensetting them as powerusers does not work. Regards, Ken -----Original Message----- From: Jay Lopez [mailto:jlopez_si86 () hotmail com] Sent: Tuesday, May 25, 2004 9:48 AM To: security-basics () lists securityfocus com Subject: Removing Local Admin Rights... I currently work for an organization with approximately25,000 WindowsXP/2000 desktops in an Active Directory (AD) environment.Security from anOS and individual application component (i.e., Outlook2003, MS Office, IE,etc.) perspective is being managed via group policy objects (GPO's). Currently, we are pushing to remove local administratoraccess rights toindividual machines to prevent users from randomlyinstalling unapprovedapplications, prevent malware from being silently installedwithin thelocal administrator context, etc. Prior to our move to AD and GPO's, wereceivedpush-back on removing local admin rights for reasons suchas the logonscripts would not work, etc. By chance, have any of you implemented any of theabove--especially theremoval of local administrator rights? If so, what supportissues did youexperience? What impact did removing local admin rights have? I'd like to provide as many pros and cons back to our teambased on yourfeedback. Thanks in advance, Jay Lopez _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/-------------------------------------------------------------- -------------Ethical Hacking at the InfoSec Institute. Mention this adand get $545 offany course! All of our class sizes are guaranteed to be 10students or lessto facilitate one-on-one interaction with one of our expertinstructors.Attend a course taught by an expert instructor with yearsof in-the-fieldpen testing experience in our state of the art hacking lab.Master theskills of an Ethical Hacker to better assess the security of yourorganization.Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html-------------------------------------------------------------- ---------------------------------------------------------------------------- -------------Ethical Hacking at the InfoSec Institute. Mention this adand get $545 offany course! All of our class sizes are guaranteed to be 10students or lessto facilitate one-on-one interaction with one of our expertinstructors.Attend a course taught by an expert instructor with yearsof in-the-fieldpen testing experience in our state of the art hacking lab.Master theskills of an Ethical Hacker to better assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
--- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.550 / Virus Database: 342 - Release Date: 2003/12/09
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- RE: Removing Local Admin Rights... Faisal Masood (Jun 01)
- RE: Removing Local Admin Rights... David Gillett (Jun 02)
- <Possible follow-ups>
- RE: Removing Local Admin Rights... Craig, Jason (Jun 01)
- RE: Removing Local Admin Rights... Craig, Jason (Jun 01)