Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Removing Local Admin Rights...

From: "Daszczyszak, Roman L. SPC (1AD 501 MI BN ACE IMO)" <roman.daszczyszak () 1ADTACM 1AD ARMY MIL>
Date: Fri, 28 May 2004 09:42:16 +0400
If you're referring to removing a user from the local Administrators group,
by all means go for it.  Check out the software suite they're using (or are
supposed to be using) and make sure each program will run in a regular user
account.  Most will unless badly written or requiring some special support.

When I took over my current sysadmin job, the first thing I did was to clean
up after the prior admin who allowed everyone to have admin rights on their
machines.  There were some growing pains, but for the most part it works.
For those special cases where the user believes they need admin rights, I
have them submit the request in writing.. then I check to see if their
request is valid.  Only then will I authorize local admin rights.


-----Original Message-----
From: Jay Lopez [mailto:jlopez_si86 () hotmail com] 
Sent: Tuesday, May 25, 2004 9:48 AM
To: security-basics () lists securityfocus com
Subject: Removing Local Admin Rights...

I currently work for an organization with approximately 
25,000 Windows 
XP/2000 desktops in an Active Directory (AD) environment.  
Security from an 
OS and individual application component (i.e., Outlook 2003, 
MS Office, IE, 
etc.) perspective is being managed via group policy objects (GPO's).

Currently, we are pushing to remove local administrator 
access rights to 
individual machines to prevent users from randomly installing 
unapproved 
applications, prevent malware from being silently installed 
within the local 
administrator context, etc.  Prior to our move to AD and 
GPO's, we received 
push-back on removing local admin rights for reasons such as 
the logon 
scripts would not work, etc.

By chance, have any of you implemented any of the 
above--especially the 
removal of local administrator rights?  If so, what support 
issues did you 
experience?  What impact did removing local admin rights have?

I'd like to provide as many pros and cons back to our team 
based on your 
feedback.

Thanks in advance,

Jay Lopez

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/


--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad and 
get $545 off 
any course! All of our class sizes are guaranteed to be 10 
students or less 
to facilitate one-on-one interaction with one of our expert 
instructors. 
Attend a course taught by an expert instructor with years of 
in-the-field 
pen testing experience in our state of the art hacking lab. 
Master the skills

of an Ethical Hacker to better assess the security of your 
organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
--------------






---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: