Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: John Hoffoss <john.hoffoss () CSU MNSCU EDU>
Date: Wed, 16 Sep 2009 16:23:35 -0500
On Sep 16, 2009, at 2:05 PM, Steven Alexander wrote:
> You can make the local administrator account less of a security risk by preventing it from being used over the network by adding it to Local Policies\User Rights Assignments -> "Deny access to this computer from the network" and Local Policies\User Rights Assignments -> "Deny logon through Terminal Services".

For that matter, you can deny the user's Admin account local logon rights as well, forcing them to use the "run-as" capability within Win2k and newer (1). This didn't work right with some things like modifying network configurations, and some applications like AutoCAD still wouldn't behave unless the user was a Local Administrator, but it's great for the majority of end-users that actually have reason for local admin privs.
I have only played a little with Windows 7 and less with Vista, but it looks like this functionality works even better in Windows 7 than it did in XP. (2)
(1) http://support.microsoft.com/kb/294676
(2) http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx?rss_fdn=TNTopNewInfo

-jth
--
John T. Hoffoss, CISSP, GCIH -- Information Security Specialist
E: john.hoffoss () csu mnscu edu -- O: +1.651.201.1453 -- M: +1.612.867.1432
Minnesota State Colleges and Universities -- Information Security Office
30 7th Street East, Suite 350 St. Paul, MN 55101-7804 USA
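
Added example, not part of the original message or of either poster's tooling: a Python check that reads the text of a user-rights export (as produced by `secedit /export /cfg <file> /areas USER_RIGHTS`) and reports whether the built-in Administrator is listed under the deny rights discussed in this thread. The function names, the `admin_name` parameter and the sample export are assumptions constructed for illustration.

```python
import re

# User rights named in the thread, keyed by their secedit constant names.
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
}
# The built-in Administrator keeps RID 500 even when the account is renamed.
BUILTIN_ADMIN_SID = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-500$", re.I)

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit_local_admin(inf_text, admin_name="Administrator"):
    """Return {right: bool}: is the built-in Administrator denied this right?"""
    rights = parse_privilege_rights(inf_text)
    def listed(principals):
        return any(BUILTIN_ADMIN_SID.match(p) or p.lower() == admin_name.lower()
                   for p in principals)
    return {r: listed(rights.get(r, [])) for r in DENY_RIGHTS}

# Constructed sample export (hypothetical host, made-up SID).
SAMPLE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyRemoteInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, ok in audit_local_admin(SAMPLE).items():
        print(f"{'OK     ' if ok else 'MISSING'} {right} ({DENY_RIGHTS[right]})")
```

Real exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `audit_local_admin`.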