Educause Security Discussion mailing list archives

Re: Peeling off desktop Administrator Rights


From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Mon, 7 Dec 2009 09:24:29 -0600

Has anyone else seen this lock Windows 7 users out of IE completely? 

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

Help keep our campus green, think before you print!
RUCS will never ask you for your password!


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Friday, December 04, 2009 6:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Thank you for the responses!

I've forwarded the article
http://dougzuck.com/decrease-malware-infections-using-software-restriction-policies
to our desktop team to review.

Good stuff.

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Friday, December 04, 2009 8:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Another interesting option I saw, that I don't think is documented in the linked guide, is you can allow local 
administrators to bypass the rules, which is helpful in our situation where the users are Power Users but our 
technicians may find the restrictions we'd place on them limiting. (Not being able to run Windows Updates from IE or 
install programs through ActiveX, etc.)

Under Computer Configuration > Policies > Windows Settings > Software Restriction Policies > Enforcement ... change to 
"All users except local administrators"

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

Help keep our campus green, think before you print!
RUCS will never ask you for your password!


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
Sent: Friday, December 04, 2009 10:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

This is very intriguing. I imagine that this would also limit active installs in IE the way a standard user would be 
limited.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Hanson
Sent: Friday, December 04, 2009 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Todd,

This article explains how to drop user rights from applications. I have been testing it and it works well. We are on 
Windows XP here. I created a reg file from the instructions and we are going to roll this out to our faculty and staff 
to drop browser user rights to help slow down browser malware infections. You should be able to use this to drop the 
rights of any application.

It is not foolproof and there are some issues that the lack of Admin user causes. It is, however, one more layer of 
defense in the never-ending battle.

http://dougzuck.com/decrease-malware-infections-using-software-restriction-policies

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
 
(218)-723-7097
mhanson () css edu

"Plesco, Todd" <tplesco () CHAPMAN EDU> 12/3/2009 5:27 PM >>>
Does anyone know of a product/application (rather than the orthodox and typical Active Directory method) which removes 
Microsoft "Administrator" group rights from users to be replaced with "User" or "Power User" group rights without 
impacting existing applications which were installed with Administrator privilege?

One of our desktop managers is looking for the "easy" application based method to do this without bringing in a full 
Active Directory GPO & OU development project.  The end result being sought is that further applications may not be 
installed by users but existing applications will still function.

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041
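
The Enforcement option mentioned in the thread ("All users except local administrators") is stored by Group Policy as the PolicyScope value under the Software Restriction Policies key. The following is an added example, not part of any list member's message: it reads (or is handed) those values and reports whether the rules would apply to a given account. The function names, the `-UserIsLocalAdmin` parameter and the sample values are assumptions made for illustration.

```powershell
# Added example, not from the thread. Interprets the values Group Policy writes
# for Software Restriction Policies (SRP) under the Safer\CodeIdentifiers key.
$SrpKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ScopeNames   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$LevelNames   = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$EnforceNames = @{ 0 = 'No enforcement'; 1 = 'All files except libraries (DLLs)'; 2 = 'All software files' }

# Hypothetical helper: map a DWORD to its display name, tolerating missing values.
function Resolve-SrpName([hashtable]$Map, $Value) {
    if ($null -ne $Value -and $Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return 'not set or unrecognized'
}

function Get-SrpEnforcementSummary {
    param(
        [hashtable]$Values,                # value name -> DWORD; omit to read the live registry
        [bool]$UserIsLocalAdmin = $false   # assumption: caller states whether the account is a local admin
    )
    if ($null -eq $Values) {
        $Values = @{}
        if (Test-Path $SrpKey) {
            $item = Get-ItemProperty -Path $SrpKey
            foreach ($n in 'DefaultLevel', 'PolicyScope', 'TransparentEnabled') {
                if ($null -ne $item.$n) { $Values[$n] = $item.$n }
            }
        }
    }
    $configured  = ($Values.Count -gt 0)
    # PolicyScope = 1 means SRP rules are skipped for local Administrators group members.
    $adminExempt = ($Values['PolicyScope'] -eq 1)
    [pscustomobject]@{
        Configured       = $configured
        Scope            = (Resolve-SrpName $ScopeNames   $Values['PolicyScope'])
        DefaultLevel     = (Resolve-SrpName $LevelNames   $Values['DefaultLevel'])
        Enforcement      = (Resolve-SrpName $EnforceNames $Values['TransparentEnabled'])
        RulesApplyToUser = ($configured -and -not ($adminExempt -and $UserIsLocalAdmin))
    }
}

# Constructed sample values: the scope setting from the thread, default level Unrestricted.
$sample = @{ PolicyScope = 1; DefaultLevel = 0x40000; TransparentEnabled = 1 }
Get-SrpEnforcementSummary -Values $sample -UserIsLocalAdmin $false   # e.g. a Power User
Get-SrpEnforcementSummary -Values $sample -UserIsLocalAdmin $true    # e.g. a technician
```

Calling `Get-SrpEnforcementSummary` with no `-Values` argument reads the policy key on the local machine instead of the constructed sample.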
