Re: Peeling off desktop Administrator Rights

[Kevin Shalla <kshalla () UIC EDU>]

Although I haven't tried it, I saw a very 
interesting demonstration by BeyondTrust of their 
product Privilege Manager whereby the user gets 
user rights to everything except the applications 
the Active Directory administrator identifies as 
requiring administrator rights.  So it's the 
opposite of the dougzuck plan.  If I get some 
time I'll probably work on getting it.

At 10:39 AM 12/5/2009, Michael Stanclift wrote:
> Politics
>
> Michael Stanclift
> Network Analyst
> Rockhurst University
>
> http://help.rockhurst.edu
> (816) 501-4231
>
> PThink before you print!
> ________________________________________
> From: The EDUCAUSE Security Constituent Group 
> Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On 
> Behalf Of Eric Case [ecase () EMAIL ARIZONA EDU]
> Sent: Friday, December 04, 2009 10:57 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
>
> Why not just make users, users and remove admin 
> rights altogether?  There are very few programs 
> anymore anymore that require admin right to 
> run.  The only two I can think of off the top of 
> my head are Meeting Maker (it caches the 
> calendars in its folder) and old installs of 
> Eudora (where the mail is stored in the Eduora folder).
> -Eric
>
>
>
> Eric Case, CISSP
> eric (at) ericcase (dot) com
> http://www.linkedin.com/in/ericcase
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
> > Sent: Friday, December 04, 2009 9:20 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> >
> > Another interesting option I saw, that I don't think it documented in
> > the linked guide, is you can allow local administrators to bypass the
> > rules, which is helpful in our situation where the  users are Power
> > Users but our technicians may find the restrictions we'd place on them
> > limiting. (Not being able to run Windows Updates from IE or install
> > programs through ActiveX, etc)
> >
> > Under Computer Configuration > Policies > Windows Settings > Software
> > Restriction Policies > Enforcement ... change to "All users except
> > local administrators"
> >
> > Michael Stanclift
> > Network Analyst
> > Rockhurst University
> >
> > http://help.rockhurst.edu
> > (816) 501-4231
> >
> > Help keep our campus green, think before you print!
> > RUCS will never ask you for your password!
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
> > Sent: Friday, December 04, 2009 10:03 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> >
> > This is very intriguing. I imagine that this would also limit active
> > installs in IE the way a standard user would be limited.
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Hanson
> > Sent: Friday, December 04, 2009 8:43 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> >
> > Todd,
> >
> > This article explains how to drop user rights from applications. I have
> > been testing it and it works well. We are on Windows XP here. I created
> > a reg file from the instructions and we are going to roll this out to
> > our faculty and staff to drop browser user rights to help slowdown
> > browser malware infections. You should be able to use this to drop the
> > rights of any application.
> >
> > It is not fool proof and there are some issues that the lack of Admin
> > user causes. It is however, one more layer of defense in the never
> > ending battle.
> >
> > http://dougzuck.com/decrease-malware-infections-using-software-
> > restriction-policies
> >
> >
> >
> >
> >
> >
> >
> > Mike Hanson
> > Network Security Manager
> > The College of St. Scholastica
> > Duluth, MN 55811
> >
> > (218)-723-7097
> > mhanson () css edu
> > >>> "Plesco, Todd" <tplesco () CHAPMAN EDU> 12/3/2009 5:27 PM >>>
> > Does anyone know of a product/application (rather than the orthodox and
> > typical Active Directory method) which removes Microsoft
> > "Administrator"
> > group rights from users to be replaced with "User" or "Power User"
> > group rights without impacting existing applications which were
> > installed with Administrator privilege?
> >
> > One of our desktop managers is looking for the "easy" application based
> > method to do this without bringing in a full Active Directory GPO & OU
> > development project.  The end result being sought is that further
> > applications may not be installed by users but existing applications
> > will still function.
> >
> > Todd A. Plesco  CISM, CBCP
> > Chapman University, Director of Information Security One University
> > Drive, Orange, CA 92866
> > Phone: (714) 744-7979/Fax: (714) 744-7041