Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Peeling off desktop Administrator Rights

From: Mike Hanson <MHanson () CSS EDU>
Date: Fri, 4 Dec 2009 08:42:31 -0600
Todd,

This article explains how to drop user rights from applications. I have
been testing it and it works well. We are on Windows XP here. I created
a reg file from the instructions and we are going to roll this out to
our faculty and staff to drop browser user rights to help slowdown
browser malware infections. You should be able to use this to drop the
rights of any application.

It is not fool proof and there are some issues that the lack of Admin
user causes. It is however, one more layer of defense in the never
ending battle.

http://dougzuck.com/decrease-malware-infections-using-software-restriction-policies







Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811

(218)-723-7097
mhanson () css edu

"Plesco, Todd" <tplesco () CHAPMAN EDU> 12/3/2009 5:27 PM >>>

Does anyone know of a product/application (rather than the orthodox and
typical Active Directory method) which removes Microsoft "Administrator"
group rights from users to be replaced with "User" or "Power User" group
rights without impacting existing applications which were installed with
Administrator privilege?

One of our desktop managers is looking for the "easy" application based
method to do this without bringing in a full Active Directory GPO & OU
development project.  The end result being sought is that further
applications may not be installed by users but existing applications
will still function.

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041
Previous By Date Next
Previous By Thread Next

Current thread: