Solved

Security

Posted on 2006-07-07
Last Modified: 2013-12-04
I have a user in my work environment running PLC programming and he is requesting that he needs local admin privilege for running that program, and therefore he needs local admin access with his domain user name. I was speaking to his manager and told him that usually an application doesn't need admin privilege. The worst case is that his program may be defined in a way that he needs write access to certain files in system32 or any Windows folder, which may require access. His manager is worse than him at explanation. He is fighting that this person needs admin access. By IT policy I didn't provide any local admin to anyone, and it doesn't make sense to me from my knowledge. There are two admin privileges: one is local admin and the other one is domain admin. I am the one who has the domain admin login. I want to know how security could be affected if the domain user is a member of local admin. Please explain. Thanks in advance.
Question by:ittechlab
21 Comments
 
LVL 14

Accepted Solution

by:
ECNSSMT earned 125 total points
ID: 17062873
Local admin privileges on the user's computer only means he gets to mess up his own computer, lock, stock and barrel. It will not affect anything on the domain. His rights on the domain will still be whatever the domain admin gives the account.

The local admin privileges that you enable for his domain account are not transferable to another computer;

so he can't mess up on another computer (too much <grin>).

Regards,
 

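The point ECNSSMT makes (the grant lives in that one PC's local SAM and carries nothing over to other machines or to the domain) is something you can check rather than take on faith. The following PowerShell is an added example, not code from the thread; it assumes PowerShell Remoting (WinRM) is enabled on the target PCs, that you run it as an account that is already admin on them, and that the targets have the LocalAccounts cmdlets of Windows PowerShell 5.1 (a much newer Windows than the 2006 thread, where `net localgroup Administrators` gave the same list). The computer names are placeholders.

```powershell
# Added example, not from the thread. Placeholders: the computer names below.
$Computers = @('WS-PLC01', 'WS-OFFICE02', 'WS-OFFICE03')

# 1. Who is in the LOCAL Administrators group on each PC? The answer differs per machine,
#    because local group membership is stored in each PC's own SAM, not in Active Directory.
$LocalAdmins = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource, SID
}
$LocalAdmins | Sort-Object Computer, Name | Format-Table -AutoSize

# Domain accounts that hold local admin somewhere: these are exactly the grants the question is about.
$DomainGrants = $LocalAdmins |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User' }
$DomainGrants | Group-Object Name | ForEach-Object {
    '{0} is local admin on {1} machine(s): {2}' -f $_.Name, $_.Count, ($_.Group.Computer -join ', ')
}

# 2. Detection: every addition to a local security group is written to the Security log of the
#    machine where it happened as event 4732, so grants you did not make yourself become visible.
$Since = (Get-Date).AddDays(-30)
Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $using:Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                When      = $_.TimeCreated
                Group     = $d.TargetUserName   # the local group that gained a member
                MemberSid = $d.MemberSid        # who was added (SID; resolve as needed)
                ByWhom    = $d.SubjectUserName  # the account that made the change
            }
        }
} | Where-Object { $_.Group -eq 'Administrators' } | Format-Table -AutoSize
```

Running the first part before and after granting the PLC programmer's domain account local admin on his PC shows the membership appearing on that one computer only; the second part is the check to schedule afterwards, so that any further grant (by him, now that he can add members himself, or by anyone else) is noticed on the machine where it was made.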
LVL 24

Assisted Solution

by:SunBow
SunBow earned 125 total points
ID: 17063099
ditto ECNSSMT

But it is still undeniable power to one with hands on. In many ways I think everyone should have local admin as it is their box.

What kind of program do they want to make? I can't think offhand of a need for admin rights other than for the initial product install, unless all domain users are locked down too tight (abusive).

Given the conflict and uniqueness, I'd suggest thinking about keeping him off of the domain. Let him have a test domain, own LAN, etc. IT policy is either for all to follow or it is useless. If they do not like it, then get the policy rewritten so everybody knows the rules and is on the same playing field.
LVL 14

Expert Comment

by:ECNSSMT
ID: 17063374
SunBow;

For me it can go either way; it becomes an issue of how much the general user uses or misuses the privilege. Frankly, I can ghost a machine in 15 minutes and install apps in another 45 minutes depending on the build requirement. So anything a user does to 'destroy' a PC can be rebuilt.

Now the problem becomes: what is the ramification if the user installs illegal software, installs software that utilizes too much bandwidth, or causes management discomfort or issues?

> Let him have a test domain, own lan, etc
Wow I want to work for you...

Regards,

Author Comment

by:ittechlab
ID: 17063579
Still the theory doesn't make sense. This user keeps asking for local admin privilege for his domain user ID. He is using a PLC machine program. He is a programmer. Anyway, the theory I am confused about is that most applications don't need admin privilege unless they install/uninstall software. For example, if he gets some virus because of an installed piece of software, isn't that going to spread around the network? As system admin I am trying to restrict users from installing programs. I am in a bad place now. People come and ask me to fix an issue within 5 minutes. I have never used that 3rd party software. Many people use many pieces of software. They think the IT person should be able to fix anything right away. It's hard to explain to end users. I don't know how this concept works. Now I am supporting

lotus domino/notes
Server 2003
Database administration
Help desk for 120 users.

They want me to create a DRP and so many other duties. I am the only IT person in the company. I have recently got a Unix support job offer. I am thinking of switching from here. I think I will be able to concentrate on one thing and be stable.
LVL 87

Expert Comment

by:rindi
ID: 17064463
If you have to give him local admin rights, get him to first sign a contract which makes him responsible for the damage he does, for instance that he (or his department) can be made to pay for the time you waste setting up his PC again...

Then switch to the unix job, it is much more rewarding :)
LVL 38

Expert Comment

by:Rich Rumble
ID: 17064572
Look into runas, but local admin on one PC should be OK. Try Power User rights first in case that's enough; you don't always need admin to do admin things. Change the local admin password to one that is different from the others on the domain. In addition, if admin is a must, simply create another user on the PC and add that to the local admins.
Perhaps scheduled tasks can help, you can create them to kick off upon login...
http://www.xinn.org/RunasVBS.html
-rich
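The steps Rich lists (try Power Users first, give that PC a built-in Administrator password that differs from every other machine, create a separate local-only account for the admin work, and start just the PLC tool under it with runas) put together as one procedure. This is an added PowerShell example, not code from the thread; the account name `plcadmin`, the domain user `CORP\plcuser` and the program path are placeholders, and it uses the LocalAccounts cmdlets of Windows PowerShell 5.1, so it assumes a newer Windows than the 2006 thread, where the equivalent commands were `net user` and `net localgroup`.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the single PC in question.
# Placeholders: CORP\plcuser (the programmer's domain account), plcadmin (new local account),
#               C:\Program Files\PLCTool\plctool.exe (the PLC programming tool).
$DomainUser  = 'CORP\plcuser'
$AccountName = 'plcadmin'
$PlcTool     = 'C:\Program Files\PLCTool\plctool.exe'

# Step 1: least privilege first. Put the DOMAIN account in Power Users and let him test the tool.
# If it works, stop here; nothing below is needed.
Add-LocalGroupMember -Group 'Power Users' -Member $DomainUser

# Step 2 (only if the tool really fails without admin): a separate, local-only account.
# Its membership lives in this PC's local SAM, so it grants nothing on other machines or the domain,
# and the programmer's everyday domain logon stays a plain user.
$Pw = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-LocalUser -Name $AccountName -Password $Pw -Description 'Local admin for PLC tool only' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $AccountName

# Step 3: make the built-in Administrator password unique to this PC, so that a compromise
# here cannot be replayed against other machines that share a common local admin password.
$AdminPw = Read-Host -AsSecureString -Prompt 'New, unique password for built-in Administrator'
Set-LocalUser -Name 'Administrator' -Password $AdminPw

# Step 4: run only the PLC tool under the local account; the rest of the desktop is not elevated.
# runas prompts for the plcadmin password each time, which is the point.
$RunAsCmd = "runas /user:$env:COMPUTERNAME\$AccountName `"$PlcTool`""
Write-Host "Tell the user to start the tool with:`n  $RunAsCmd"

# Verify the result: plcadmin is in Administrators, the domain account is not.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

The audit output at the end is what to file with the manager's request: it documents that the grant is a single local account on a single machine, which is the narrowest thing that satisfies "the program needs admin".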
LVL 14

Expert Comment

by:ECNSSMT
ID: 17065510
It's not easy, to say the least, and it sounds like you are overworked. There should be at best 5 more of you there to provide a better tech-to-user ratio, 1:20 or 1:40 depending on how the jobs are split up. The user base vaguely sounds like something close to a runaway train with no control or repercussion for the install of non-company-authorized software.

As an act of self-preservation, it may be best to go for an alternate job. But if you decide to stay, this issue from the tech side is:

1. Give his domain account local admin rights and it gives him the capability to mess up his computer. Your choice. He probably does not know enough to write his app around needing specific services protected by Windows.

2. The structured rights that MS attempted to set up in a Windows domain have been adhered to and circumvented by various application companies; the addition of their software may or may not require specific rights to add to certain existing folders, and may or may not require the addition of information to the registry. Confusing, huh...

You may want to see about working with management to establish rules of conduct on the computer: no porn on the computers, no visiting of non-work-related sites, no multicast broadcast sites like internet radio or Launch. Then provide the costs of non-compliance in terms of downtime (cost of that person's salary during this act; cost of this person's downtime; cost of lost productivity; cost of your time to repair this issue; cost of your diverted time from your actual project; while these costs may seem redundant to you, to a business manager it is a negative on many aspects of his reports. But you see the idea).

Oh, btw, I learned a long time ago that fixing a problem isn't just about fixing a problem. If someone causes a problem by an action that they did, makes you fix it, and it is not reported to management, the problem never happened and the cost of your time fixing the problem just disappeared. So if you spent 4 hours fixing someone else's problem without it being recognized as an issue caused by a user and fixed by you, that was just 4 hours of productivity lost.

Hopefully I didn't go off on too wide of a tangent there...  Sorry if I did.

Regards,
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17066856
hi ittechlab,

Just make things easy! There is really no need to consider compromising your policies; it will give you a headache.

Just let that person run his application in a virtual PC on his computer. He can have the admin rights on this VIRTUAL computer, he can run his system-folder-dependent application on it, he can do anything on it as he likes.

No worries about his admin rights. His rights only belong to that virtual computer. Anything the virtual computer can do depends on the rights his physical computer has, which are actually controlled by you, the domain admin.

A lot of VM (Virtual Machine) solutions are available, either free or commercial.

Microsoft Virtual PC 2004
http://www.microsoft.com/windowsxp/virtualpc/

Microsoft Virtual Server 2005 (FREE!!)
http://www.microsoft.com/windowsserversystem/virtualserver/

VMware Workstation 5.5
http://www.vmware.com/

Hope it helps,
bbao

Author Comment

by:ittechlab
ID: 17069345
I don't have anyone to back up my side. The one I report to is always silent. I am totally trying to move from this company. I didn't like it at all. I have to look for a better job now. I think it's very boring and also it's tough for me to stay as one person doing all this.

I have to check all IT issues, Help Desk and server issues. I guess I need to leave.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17069437

Author Comment

by:ittechlab
ID: 17069477
I do teach part-time and feel so happy. No issues like this, and people are happy. In some companies you don't get a reward for doing things. They treat you like animals. I am really frustrated about the job now.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17069993
Unfortunately, 9 times out of 10, the people who run companies and manage departments have no idea how computers work, or even worse, think they know but are wrong. Further, some are lazy and never listen anyway. It's often referred to as Toxic Boss syndrome.
http://abcnews.go.com/GMA/story?id=1251305
http://monster.typepad.com/monsterblog/2006/03/is_your_boss_to.html
http://adminsupport.monster.com/articles/bad-boss/
-rich
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17070027
The topic changed? Hehe. ;-))

Author Comment

by:ittechlab
ID: 17072418
I can't accept the above message. This is not always true. If you have confidence and understand the concept, why would you bother to stay and look for money? I always like a challenge. I don't have anyone here for IT questions and discussion. Users always blame computer issues so they get some time off from their work.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17072910
You can ask for your points back, and the question to be deleted in the community support TA if you'd like.
-rich
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17073396
Have you considered the VM-based solution?

Author Comment

by:ittechlab
ID: 17073449
My company doesn't buy any VM software. It's so hard to get approval.
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17073519
Microsoft Virtual Server 2005 (FREE!!)
http://www.microsoft.com/windowsserversystem/virtualserver/