Security Basics mailing list archives
Re: Using Admin Privileges while surfing the Internet
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 25 May 2009 17:33:58 -0400
Hi Michael,
> Does anyone know a published benchmark / standard that will help me decide (and argue) - is it ok using admin while surfing the internet.

I've found a handful of arguments for this practice, though I oppose it. Leave users as users (principle of least privilege). There are enough bad programs trying to escalate privileges - there's no need to do their work for them.

Part of the problem is that Webmasters, who love [crap?] like Flash, VBScript, JavaScript, and other binary junk such as ActiveX, don't realize/understand/care about security from an organization's perspective. So an organization will allow a user to become local admin so that they can cruise the web (i.e., install Flash on the fly, install an ActiveX control on the fly, etc). The other 'handful of arguments' include things such as: in the pre-Vista days, a laptop user needed local admin to change the time zone during travel.

I believe you will find others recommend against the practice. For example, in the Federal arena, NIST 800-68 (Guide to Securing Microsoft Windows XP Systems for IT Professionals) does not recommend the practice. See, for example, Section 2.3.1.2 or 2.3.1.3.

Jeff

On 5/25/09, Menny.b () gmail com <Menny.b () gmail com> wrote:
> Hello,
>
> I've recently reviewed the network settings of a small-medium business (about 70 workstations running XP SP3). I've found that the internal network is connected to the internet through a firewall, and all of the users have (local) administrative privileges on their workstation.
>
> Does anyone know a published benchmark / standard that will help me decide (and argue) - is it ok using admin while surfing the internet.
>
> Thanks,
> Michael.