Removing local administrator rights from end users

Posted on 2005-04-01
Medium Priority
Last Modified: 2013-12-04
In an attempt to stop spyware/adware installations on our end users' PCs, as well as other installations of software by end users, we have decided to remove administrator and power user status on all Windows XP workstations.

I have been told by many administrators that because this stops users from installing software, that spyware/adware can't be installed if the user does not have these rights.

My only problem is proxy settings for laptop users. When a field user is at a hotel they need to be able to get to the internet without a proxy. When they are at our site they need to put in a proxy setting to get to the internet. How can we have users be able to change proxy settings while at the same time locking down the workstations to other installs and changes, and keep them as a restricted user? Some background: at this time we are not on Active Directory. Workstations are Windows XP Pro.

Question by:Lotus30306
LVL 15

Assisted Solution

davidis99 earned 375 total points
ID: 13692599
"we have decided to remove administrator and power user status on all Windows XP workstations...because this stops users from installing software."

Not really. A great deal of spyware is designed to bypass standard Windows limitations on user accounts, either by installing itself to non-standard folders (e.g. NOT in the \program files\ or \windows\ folders), or by getting installed simply by browsing a website that, when the page is read, installs the spyware to the PC.

For laptop users, I'd suggest you standardize on one or two methods for remote access: one being a standard dialup service for areas where there is no broadband access, the second being a VPN client on the laptops to allow them to connect back to the office to work using their standard proxy. Typically, the maker of your firewall will include VPN client licenses and software with your firewall purchase, but if not, there are third party VPN client programs available for purchase (some of which are options from your firewall manufacturer).
LVL 38

Accepted Solution

Rich Rumble earned 375 total points
ID: 13694300
Get familiar with RunAs, and try my VBS/VBE tips here: http://xinn.org/RunasVBS.html

You can typically open the Network Connections .CPL file with runas; "Ncpa.cpl" is the file name.

But this sometimes fails, so you have to open IE as the local admin, and have them either go to a saved favorite, or have them type in "network connections" in the URL line. This will give them admin of the network connections panel. All of the other CPL files can in fact be called with runas directly... this one, and control panel itself, seem to be "immune" to direct calls via runas. You can make shortcuts also to open control panel as another user, but then they have to know the admin pass... with the scripts I have listed, once they are encoded, then they cannot read the password any longer.

Option Explicit
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Replace the path with the program you wish to run (c:\ etc.).
' runas takes the whole command as ONE quoted argument; because the path
' contains spaces, the executable is wrapped in escaped quotes (\") inside it.
' %computername% is expanded by WScript.Shell.Run before the command is started.
oShell.Run "runas /noprofile /user:%computername%\administrator ""\""c:\Program Files\Internet Explorer\iexplore.exe\"" -e -nohome"""
' Give the runas password prompt a moment to appear before typing into it.
WScript.Sleep 100
' Replace the string yourpasswordhere below with the password used on
' your system. Include the tilde (~): SendKeys sends it as Enter.
oShell.SendKeys "yourpasswordhere~"

This opens IE as a blank page, but with admin privileges, so it's imperative they close the window once the changes are made.
You may need to use this for the favorite:
That sequence opens control panel. (Include the ::'s and braces.)

You can even have a script add them to the local admin's group for a set period, and remove them without them knowing what happened...

FYI, this will stop 20% of the spyware your users get (moving them down to user or even guest). I'd suggest trying to get them to use Firefox or another browser whenever possible. That will cut spyware by 99%.

Author Comment

ID: 13697731

We use dial up when no high speed connection is available. When a high speed connection is available (wireless or wired) we use Cisco's VPN client to connect to our network. However, if we hard code our proxy settings into IE, then the user can't get to the login screen for the high speed provider. Some places still allow you to get to the login page even with our proxy (very nice) but not always (so the user has to go back and forth, which we want to lock down).

Does anyone out there manage 20 or more field users and if so how are they allowing these users high speed access while at the same time using a proxy and locking the machines down so most installs are not possible?


Author Comment

ID: 13697754

I am really confused by your answer and how it would help me change proxy settings for IE for users with limited access on their machine.  I don't like the idea of putting the admin password in a script file.

Is there a way to lock down the machines yet allow users to change proxy settings?

LVL 38

Expert Comment

by:Rich Rumble
ID: 13698492
There are other utilities that will encrypt the password so you can use runas; in my example they are encoded, which is easily reversed, however it's beyond most end users' abilities to do so. Also, the account shouldn't be THE local admin's, but a member of the local admins group, since most people set the same administrator pass for the local admin on all PCs. This would give them access to their own machine only if they did manage to reverse the encoding.
RunAs Professional is such a utility, but users can't be trusted to do these settings on their own, so perhaps a script that does it can be used, and if they are on dial-up, then they can click the script and it will remove the proxy settings. http://www.mast-computer.com/c_3-s_38-l_en.html (pricey) http://www.mast-computer.com/c_9-l_en.html

Our users have XP with proxy; we are using the proxy config available in the 4.1.6 client code (the concentrator must also be up to date).

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a00802d398a.html (look for proxy settings)
Browser Proxy Configuration
Browser proxy configuration is ONLY available using the Release 4.1.6 VPN Concentrator code.
During mode config, the VPN Client negotiates a new mode config attribute to determine whether to change the value of a user's browser proxy setting. The VPN Client administrator controls the setting of the attribute through a parameter in the PCF file. This feature is being implemented for Windows (all platforms) only and for Internet Explorer only.
You can configure the VPN Concentrator to push proxy configuration settings into Microsoft Internet Explorer when Windows clients connect to it. The settings are on the Client Config tab of Group configuration. You can configure the VPN Concentrator to not modify proxy settings ("Do not modify proxy settings") , to push settings to disable existing proxy configuration ("No Proxy Settings"), to push settings to auto-detect a proxy ("Auto-Detect Proxy settings"), and to push explicit proxy settings ("Use Proxy Server/Port listed below").
With the "Use Proxy Server/Port listed below" setting, you can push a proxy server address, a proxy exception list, and whether the browser will exclude the proxy for local addresses.
After disconnecting, proxy settings are restored to what they were before the VPN connection was established. If a workstation is improperly shut down or rebooted while a VPN connection is established, proxy settings will be restored on boot-up.

We also run a logon script to set the proxy settings up when they are connected locally. http://www.windowsitpro.com/WindowsScripting/Article/ArticleID/42105/42105.html
We use similar code in our script. This script can be run using the runas .vbe files I describe.
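An added example (not from any post in this thread) of the "click a script to switch the proxy" approach described above. Internet Explorer keeps its proxy values under HKCU, which a restricted user can write, so no runas and no admin password in the script is needed; the proxy address, bypass list and script name are placeholders.

```vbscript
' Added example, not from this thread: switch Internet Explorer between the
' office proxy and a direct (hotel / dial-up) connection by writing the
' per-user Internet Settings values. They live under HKCU, so a restricted
' user can run this without runas and without any admin password embedded.
' PROXY_SERVER and BYPASS_LIST are placeholders; adjust for your site.
Option Explicit

Const PROXY_SERVER = "proxy.example.internal:8080"   ' placeholder
Const BYPASS_LIST  = "*.example.internal;<local>"    ' placeholder
Const KEY = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Dim sh, mode
Set sh = WScript.CreateObject("WScript.Shell")

' Usage: cscript proxytoggle.vbs office|direct   (script name is a placeholder)
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript proxytoggle.vbs office|direct"
    WScript.Quit 1
End If
mode = LCase(WScript.Arguments(0))

Select Case mode
    Case "office"   ' on the LAN: send IE through the proxy, bypass local hosts
        sh.RegWrite KEY & "ProxyServer", PROXY_SERVER, "REG_SZ"
        sh.RegWrite KEY & "ProxyOverride", BYPASS_LIST, "REG_SZ"
        sh.RegWrite KEY & "ProxyEnable", 1, "REG_DWORD"
    Case "direct"   ' hotel / dial-up: keep ProxyServer stored, just turn it off
        sh.RegWrite KEY & "ProxyEnable", 0, "REG_DWORD"
    Case Else
        WScript.Echo "Unknown mode '" & mode & "'; use office or direct"
        WScript.Quit 1
End Select

' Read the value back so the user can confirm the switch took effect.
WScript.Echo "ProxyEnable is now " & sh.RegRead(KEY & "ProxyEnable")
WScript.Echo "Restart Internet Explorer for the change to take effect."
```

This only works while proxy settings are per user (the default); if the machine has been configured with ProxySettingsPerUser set to 0 under the HKLM Internet Settings policy key, the values come from HKLM and a restricted user cannot change them.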
