Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Wed, 18 Mar 2009 13:27:49 -0500

On Mon, Feb 23, 2009 at 11:43 AM, <themba.flowers () YALE EDU> wrote: 

> However after explaining to users why running a machine with Admin is
> generally a bad idea (indeed, I don't run as Admin on my own box), I
> will inform them of a machine (non-AD) account that exists for
> admin, installs, etc "only." This machine account is a logged account
> which can be revoked as necessary.  This has worked well.  In the
> event that there is a program which needs admin to run on a regular
> basis - I can wade in with FileMon and RegMon as necessary. More often
> than not, the workarounds for any given SW title are already known and
> don't take a lot of resources to fix.

The thing that makes me nervous is the potential for weak credentials on that admin account. You're in a good spot 
compared to some of my institutions though, in that those accounts are one-off, and presumably have unique passwords 
for each of those accounts.

> I find that after the WARNING spiel, users are usually happy to have
> access to an admin account even though in practice it is rarely
> required. On the other hand, there is always that one user who uses
> the admin account constantly and/or is a pain about having to switch
> accounts.  Since they tend to be more advanced users anyway, I'll give
> them full admin with the caveat that they'll get little to no support.

Have you explored if it would be sufficient to make that local administrative user non-interactive, letting your 
desktop user utilize the "run-as" functionality when running a software package or installer?

Cheers,

-jth


--
John T. Hoffoss, CISSP, GCIH
Information Security Specialist

Email: john.hoffoss () csu mnscu edu
Office: +1.651.201.1453
Mobile: +1.612.867.1432

Minnesota State Colleges and Universities
Information Security Office
30 7th Street East, Suite 350
St. Paul, MN 55101-7804
USA
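The thread describes a dedicated, "installs only" local admin account whose use is logged and which is revoked if misused. As an added example (not code from either poster), the PowerShell below shows the two checks a desktop admin would run to verify that: who currently sits in the local Administrators group, and how often, and with which logon type, the dedicated account has actually signed in over the last 30 days. The account name is an assumption; the Security log query uses the standard positional fields of a 4624 (successful logon) event.

```powershell
# Added example, not from the thread. Audits a dedicated local admin account
# (name below is an assumption) so its "installs only" role can be verified.
$AdminName = 'localinstall'          # assumed name of the dedicated admin account
$Since     = (Get-Date).AddDays(-30)  # look back 30 days

# 1. Who holds local admin rights right now. Besides the built-in Administrator
#    and the dedicated account, this list should be empty on a standard desktop.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# 2. Successful logons (Event ID 4624) for the dedicated account, grouped by
#    logon type. In a 4624 event the properties are positional:
#    [5] = TargetUserName, [8] = LogonType.
#    Type 2 = interactive (console, also used by runas), 3 = network,
#    10 = RemoteInteractive (RDP). A steady stream of type 2 logons from one
#    machine is the "uses the admin account constantly" pattern the thread mentions.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $AdminName } |
    Group-Object { $_.Properties[8].Value } |
    Select-Object @{ Name = 'LogonType'; Expression = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Run this from an elevated prompt (reading the Security log requires it). Revoking the account when the counts look wrong is a single `Disable-LocalUser -Name $AdminName`, which matches the "can be revoked as necessary" step described above.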
