Re: Peeling off desktop Administrator Rights

[Eric Case <ecase () EMAIL ARIZONA EDU>]

True, there is no "Power Users" group in Win 7.  If someone is a power user
that can make themselves an admin.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Kovarik
> Sent: Monday, December 07, 2009 10:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
>
> Randy has legit concerns, some of which we addressed at a corporation I
> worked at previously.
> In addition to training, we removed Admin from most users and replaced
> that with
> a connection to Power User group which provided a fair amount of
> privilege without
> "giving away the store".  There were some exceptions but most (legit)
> software programs could be
> installed (at least that used to be the case - I've not tried this
> recently).  Note: this was a Win XP
> environment - I thought I read that the Power Users group was no longer
> available under Win 7.
> I've also not tried this in the university environment.
> - Dave
> Dave Kovarik
> NUIT-ISS/C
> 847-467-5930
>
>
> randy marchany wrote:
> > I presume the primary reason for preventing local users from having
> > admin rights on their desktops is to keep them from installing "evil"
> > software.
> >
> > If this is so, then my question to the group is "how long does it
> take
> > a desktop user to get a "legitimate" piece of software installed on
> > their desktop? In other words, I have to use software package "A" to
> > do my job. How long does it take for "A" to be installed on my
> > desktop? My informal straw poll respondents noted the time range to
> be
> > anywhere from 1 day to 2 weeks.This is completely shocking to me.
> > Now, if my boss is breathing down my neck to finish a project by
> > tomorrow & I need software "A" to finish the project, I can't wait 1-
> 7
> > days. The business process will trump this security process and a) I
> > go up the mgt chain to get an exception b) I bring in my personal
> > computer, load software "A" on it and get the job done.
> >
> > So, I wonder why there has never been a survey with the question "How
> > long does it take to install a software package on a user desktop if
> > you restrict local admin rights?". This is the root cause of the
> > "never ending battle" that I keep hearing about. If you make the user
> > responsible for whatever they load on their machine AND enforce that,
> > then what is the danger of letting them do so? Well, people with no
> > local admin privs can still "infect" a machine by using their browser
> > so once again, what do we accomplish by "preventing" them from
> loading
> > software? Seems like nothing is accomplished, hence, the "never
> > ending" battle.
> >
> > Call me silly, but I think there is an end to this battle but we
> don't
> > want to put in the effort to accomplish this. That end involves a)
> > enforcing user responsibility for their actions b) give them basic
> > training (you want to be able to install stuff, you have to sit in
> > this training) c) speed up legit software install requests.
> >
> > I keep hearing about this losing battle with the users so why not
> > think of something radically different?
> >
> > Just a thought for the holidays....
> >
> > Randy Marchany
> > VA Tech IT Security Office