Educause Security Discussion mailing list archives

Re: Windows Local Administrative Privileges


From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Sun, 9 Apr 2006 09:49:12 -0500


At 10:37 -0400 04/09/2006, Harold Winshel wrote:
> Let me reframe the question:  but, rather, are you better off with a
> general policy where most users either can or cannot have admin
> access.

I think most places are better off with not allowing Admin by default.

> My experience is that a lot of users, if not most, want the
> admin access.

That's partly a legacy of the fact that many Windows apps still require Admin
access even to run.

> I would probably lean toward a policy where, by
> default, the user does not have the admin and you then allow it on a
> case basis (hopefully very few cases).

I think just about all of us would agree that's a good place to start from a
security perspective.  Being able to actually implement it depends a lot on
the environment.  For example, how decentralized is your support
infrastructure?  Do some departments/schools not even have local support
available?  Who's going to be in charge of handling the actual Administrator
accounts and passwords?  Do you need to set up actual domain controllers and
force everyone to log into the domain?  etc etc etc



--
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
