Security Basics mailing list archives

Re: Using Admin Privileges while surfing the Internet


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 25 May 2009 17:33:58 -0400

Hi Michael,

> Does anyone know a published benchmark / standard
> that will help me decide (and argue) - is it ok using admin
> while surfing the internet.
I've found a handful of arguments for this practice, though I oppose
it. Leave users as users (principle of least privilege). There are
enough bad programs trying to escalate privileges - there's no need to
do their work for them.

Part of the problem is that Webmasters, who love [crap?] like Flash,
VBScript, JavaScript, and other binary junk such as ActiveX, don't
realize/understand/care about security from an organization's
perspective. So an organization will allow a user to become local
admin so that they can cruise the web (i.e., install Flash on the fly,
install an ActiveX control on the fly, etc).

The other 'handful of arguments' include things such as: in the
pre-Vista days, a laptop user needed local admin to change the time
zone during travel.

I believe you will find others recommend against the practice. For
example, in the Federal arena, NIST 800-68 (Guide to Securing
Microsoft Windows XP Systems for IT Professionals) does not recommend
the practice. See, for example, Section 2.3.1.2 or 2.3.1.3.

Jeff

On 5/25/09, Menny.b () gmail com <Menny.b () gmail com> wrote:
> Hello,
>
> I've recently reviewed the network settings of a small-medium business (about 70 workstations running XP SP3).
>
> I've found that the internal network is connected to the internet through a firewall, and all of the users have
> (local) administrative privileges on their workstation.
>
> Does anyone know a published benchmark / standard that will help me decide (and argue) - is it ok using admin while
> surfing the internet.
>
> Thanks,
> Michael.
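
As an added example (not part of the thread above, nor from either poster), the following PowerShell script shows the check a reviewer in Michael's position would run before arguing the point: enumerate the local Administrators group on each workstation and report members that are not expected there. It uses the WinNT ADSI provider so it also works against older hosts; the hostnames and the list of expected members are constructed assumptions and should be replaced with the site's own.

```powershell
# Added example: audit local Administrators membership on a list of workstations.
# Assumes the WinNT ADSI provider is reachable and the caller may read group
# membership on each host. Hostnames below are constructed placeholders.

param(
    [string[]]$ComputerName = @("WS01", "WS02")   # constructed sample hostnames
)

# Members that are expected in the local Administrators group (assumption;
# adjust to the organisation's own baseline).
$expected = @("Administrator", "Domain Admins")

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        # Each member is a COM object; read its name and ADSI path via reflection.
        $name = $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
        $path = $_.GetType().InvokeMember("AdsPath", "GetProperty", $null, $_, $null)
        [pscustomobject]@{ Computer = $Computer; Member = $name; Path = $path }
    }
}

foreach ($c in $ComputerName) {
    try {
        Get-LocalAdminMembers -Computer $c | ForEach-Object {
            if ($expected -notcontains $_.Member) {
                # An ordinary user or group holding local admin rights: candidate for removal.
                Write-Output ("{0}: unexpected local admin '{1}' ({2})" -f $_.Computer, $_.Member, $_.Path)
            }
        }
    } catch {
        Write-Warning ("{0}: could not read Administrators group: {1}" -f $c, $_.Exception.Message)
    }
}
```

Each line of output is an account that can browse the web with local admin rights; the usual remediation is to move those accounts to the Users group and grant narrowly scoped rights (for example, the time-zone privilege) where a legitimate need exists.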

