RE: Removing Local Admin Rights...

["David Gillett" <gillettdavid () fhda edu>]

  MY preferred solution is to give developers two machines --
an old/small/slow one for browser/email/etc which is treated
just like any other user's machine, and a development box on
a sandbox network that they can trash to their heart's content,
because IT won't fix it.

Dave Gillett


> -----Original Message-----
> From: Faisal Masood [mailto:faisyuet () wol net pk]
> Sent: Monday, May 31, 2004 1:43 PM
> To: simont () pop co za; 'Craig, Jason'
> Cc: security-basics () lists securityfocus com
> Subject: RE: Removing Local Admin Rights...
>
>
> I'm working in a development environment. My developers need
> to register
> application DLLs most often. They also want to do ASP debugging, SQL
> debugging, MTS debugging.
>
> For these requirements I've to give my users local admin
> access. But result
> is that we get at least a system every week for repair.
>
> What is the solution to this issue?
>
> Regards
> Faisal Masood
>
>
>
> -----Original Message-----
> From: Simon Taplin [mailto:simont () pop co za]
> Sent: Saturday, May 29, 2004 8:37 PM
> To: Craig, Jason
> Cc: security-basics () lists securityfocus com
> Subject: Re: Removing Local Admin Rights...
>
> Most of the Adobe products don't run properly unless the User
> is part of
> the Power User Groups or higher for whatever reason. I remember that
> InDesign 1.5 needed to install Japanese fonts if the user was part of
> the Users group.
>
> Simon
>
> Craig, Jason wrote:
>
> > Jay,
> >
> > None of our users have admin rights.  Most apps will run
> fine.  We've run
> > into quirks with label printer software, and the usual
> problems with Adobe
> > apps but we've been able to make things run without any
> problems.  Most
> > things are well documented, and if they're not regmon and
> filemon are your
> > friends.  We've been running this way for 3+ years and it
> has made our
> > lives
> > much easier.
> >
> > -j
> > -----Original Message-----
> > From: KEN MORRIS [mailto:KMORRIS () kpl org] Sent: Tuesday,
> May 25, 2004
> > 12:42 PM
> > To: Jay Lopez; security-basics () lists securityfocus com
> > Subject: RE: Removing Local Admin Rights...
> >
> > Jay,
> > First thing I would do would be to check to see if there is
> any non-M$
> > programs installed that are needed in the organization. IF
> there are,
> > thoroughly test those programs under both O/S before
> removing local admin
> > rights. Some software will run only under local admin user
> accounts. I
> > have tried
> > here and found that in certain programs there is no work
> around other than
> > local admin to allow users to run the software. Even
> setting them as power
> > users does not work.
> > Regards,
> > Ken
> >
> > -----Original Message-----
> > From: Jay Lopez [mailto:jlopez_si86 () hotmail com]
> > Sent: Tuesday, May 25, 2004 9:48 AM
> > To: security-basics () lists securityfocus com
> > Subject: Removing Local Admin Rights...
> >
> > I currently work for an organization with approximately
> 25,000 Windows
> > XP/2000 desktops in an Active Directory (AD) environment.
> Security from
> an
> > OS and individual application component (i.e., Outlook
> 2003, MS Office,
> IE,
> > etc.) perspective is being managed via group policy objects (GPO's).
> >
> > Currently, we are pushing to remove local administrator
> access rights to
> > individual machines to prevent users from randomly
> installing unapproved
> > applications, prevent malware from being silently installed
> within the
> > local
> > administrator context, etc.  Prior to our move to AD and GPO's, we
> received
> > push-back on removing local admin rights for reasons such
> as the logon
> > scripts would not work, etc.
> >
> > By chance, have any of you implemented any of the
> above--especially the
> > removal of local administrator rights?  If so, what support
> issues did you
> > experience?  What impact did removing local admin rights have?
> >
> > I'd like to provide as many pros and cons back to our team
> based on your
> > feedback.
> >
> > Thanks in advance,
> >
> > Jay Lopez
> >
> > _________________________________________________________________
> > FREE pop-up blocking with the new MSN Toolbar - get it now!
> > http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
> --------------------------------------------------------------
> -------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad
> and get $545 off
> > any course! All of our class sizes are guaranteed to be 10
> students or
> less
> > to facilitate one-on-one interaction with one of our expert
> instructors.
> > Attend a course taught by an expert instructor with years
> of in-the-field
> > pen testing experience in our state of the art hacking lab.
> Master the
> > skills
> >
> > of an Ethical Hacker to better assess the security of your
> organization.
> > Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> >
> --------------------------------------------------------------
> --------------
>
> >
> --------------------------------------------------------------
> -------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad
> and get $545 off
> > any course! All of our class sizes are guaranteed to be 10
> students or
> less
> > to facilitate one-on-one interaction with one of our expert
> instructors.
> > Attend a course taught by an expert instructor with years
> of in-the-field
> > pen testing experience in our state of the art hacking lab.
> Master the
> > skills of an Ethical Hacker to better assess the security of your
> > organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
----------------------------------------------------------------------------

>
---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> off any course! All of our class sizes are guaranteed to be 10 students
> or less to facilitate one-on-one interaction with one of our expert
> instructors. Attend a course taught by an expert instructor with years
> of in-the-field pen testing experience in our state of the art hacking
> lab. Master the skills of an Ethical Hacker to better assess the
> security of your organization. Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.550 / Virus Database: 342 - Release Date: 2003/12/09


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------