Educause Security Discussion mailing list archives

Re: Local Admin Accounts


From: John Hoffoss <john.hoffoss () CSU MNSCU EDU>
Date: Wed, 16 Sep 2009 16:23:35 -0500

On Sep 16, 2009, at 2:05 PM, Steven Alexander wrote:
You can make the local administrator account less of a security risk by preventing it from being used over the network by adding it to Local Policies\User Rights Assignments -> "Deny access to this computer from the network" and Local Policies\User Rights Assignments -> "Deny logon through Terminal Services".

For that matter, you can deny the user's Admin account local logon rights as well, forcing them to use the "run-as" capability within Win2k and newer (1). This didn't work right with some things like modifying network configurations, and some applications like AutoCAD still wouldn't behave unless the user was a Local Administrator, but it's great for the majority of end-users that actually have reason for local admin privs.

I have only played a little with Windows 7 and less with Vista, but it looks like this functionality works even better in Windows 7 than it did in XP. (2)

(1) http://support.microsoft.com/kb/294676
(2) http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx?rss_fdn=TNTopNewInfo

-jth

--
John T. Hoffoss, CISSP, GCIH   --   Information Security Specialist

E: john.hoffoss () csu mnscu edu -- O: +1.651.201.1453 -- M: +1.612.867.1432

Minnesota State Colleges and Universities -- Information Security Office
30 7th Street East, Suite 350
St. Paul, MN 55101-7804
USA
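
An added example, not part of the original message: one way to audit whether the deny rights discussed in this thread are actually assigned to the built-in Administrator, by parsing the text of a `secedit /export /areas USER_RIGHTS` file. The sample export, its SID and the function names are constructed for illustration, and the text is assumed to be already decoded (the real export file is UTF-16).

```python
import re

# User-rights constants behind the policy names used in the thread.
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
}

# Constructed sample of a USER_RIGHTS export (not taken from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Any account SID ending in RID 500 is a built-in Administrator (local or domain).
BUILTIN_ADMIN = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

def parse_privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names appear bare.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_local_admin(text, admin_names=("Administrator",)):
    """Map each deny right to True if RID 500 or a listed account name holds it."""
    rights = parse_privilege_rights(text)
    names = {n.lower() for n in admin_names}
    result = {}
    for right in DENY_RIGHTS:
        members = rights.get(right, [])  # treat a missing line as no members
        result[right] = any(BUILTIN_ADMIN.match(m) or m.lower() in names for m in members)
    return result

if __name__ == "__main__":
    for right, ok in audit_local_admin(SAMPLE_EXPORT).items():
        print(f"{'OK     ' if ok else 'MISSING'} {DENY_RIGHTS[right]} ({right})")
```

Pass renamed administrator accounts through `admin_names` so they are matched when the export lists them by name rather than by SID.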
