Solved

Lock down local admin account

Posted on 2006-11-22
Last Modified: 2007-11-27
I have recently locked down the local admin account on all my network machines.  Now I must justify it.  This should be fun for all experts, I have a few reasons but I would like many.  Can you give me a list?  FYI..  every user had local admin rights with their own user names and passwords on multiple machines.
Question by:darovitz
17 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 17997849
You locked it down intentionally, and would like supporting reasons? Am I understanding this right?

0
 

Author Comment

by:darovitz
ID: 17997933
Yes.  I will assign power users to some accounts as I find out who they are.
0
 

Author Comment

by:darovitz
ID: 17997935
Not locked out, locked down.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17998016
Personally, I always rename the Administrator Account to one of my personal support accounts on my machines. Then I will rename the guest account to Administrator. That way, if someone tries to get Administrator user on my machine, then they won't have rights for ANYTHING. Unless there is an exploit that isn't patched yet, I am sure.

Granted you can still get Admin level access with a domain admin user account, right?



0
 
LVL 15

Assisted Solution

by:adamdrayer
adamdrayer earned 50 total points
ID: 17998188
This is an extremely touchy subject with a lot of Windows administrators.  So much so, that 50% of the conversations you hear about Vista revolve around their revamping of the whole local admin/power user model into what is commonly referred to as the UAC (User Access Control).  I'm not gonna get too much into that because I am still learning exactly how it works.

The truth is that most of the time, the software you run dictates what access your users have.  Many software vendors require you to grant your users local admin privs for their software to work.  This is so annoying as an admin, that I've actually contemplated changing professions as a result.  The only way around this while not granting users local admin access is to individually grant granular access to every registry key and file/directory required to run the software correctly, and good luck getting that out of software engineers.  Even if you do, the software might change from year to year and it will also take days if not weeks to troubleshoot with tech support.  Chances are they won't even help you unless you grant the user local admin like their installation manual requires!

Most admins don't deal with this and simply grant the user local admin status and simply safeguard against things by locating all data on a network drive, rendering the workstation only responsible for Windows and program installs.  This way you can quickly ghost computers that get corrupted.

So normally to keep networks at their most scalable and flexible, I dedicate my time to configuring the computers so that local admin privs do not grant them any potentially dangerous access, rather than trying to pick and configure software to work with less-than-elevated privileges.

Not the answer you are looking for, but my 2 cents nonetheless.  

I would not, however, just remove local admin status from users without verifying first that it doesn't break any software or any harmless user work habits.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 200 total points
ID: 17998536
It's more of a touchy subject with Windows users also.

I'm sure the lock down of local admin rights is an attempt to further secure his network.   Good job.   Controlling admin rights to the local machines is an important step to a secure network.

If I understood the question, darovitz isn't looking for help doing this, he's looking at this from a justification perspective so that if a user with clout starts complaining that he can no longer install the 'flying toaster' screensaver (or whatever) darovitz has his butt covered.

So here's my input, and its the same reasons I've given at my company for removing certain rights:
1) Removal of admin rights protects the user from computer failure by ensuring applications and processes are not accidentally run that cause any sort of system failure.  (Translation: this will keep Ted in accounting from running Disk manager and deleting partitions because he needed more space).  
2) By preventing system failure and maximizing 'uptime' all employees are more productive.   No one needs to wait for Tech help or machine re-images to get back up and running.
3) Removal of admin rights prevents the tampering of the security logs.    Ensuring that only authorized employees may access the logs.   (Translation: Security and Audit will LOVE you, so will any examiners if you are a Bank or something similar)
4) Guarantees that no unauthorized copy of software is installed or unauthorized upgrades are performed to the machines (Translation: Leave World of Warcraft at home)
5) No new hardware can be installed without authorization, again helping the uptime and keeping people productive (Translation: Ted in accounting tried to install his Palm pilot on every machine so that he could float around desks.... he crashed them all instead)

I think you get the idea....
0
 
LVL 21

Assisted Solution

by:mcsween
mcsween earned 200 total points
ID: 17998648
I am a firm believer that a user must JUSTIFY a scenario where they need Admin access.  As of right now I have about 300 workstations on the network and only about 10 users besides IT staff have Admin on their own box.  These users are all laptop users and need to have the ability to assign static IPs to their computers at customer sites.

Reasons to deny Admin on user's workstations:

1. Admins can revert ALL group policies if they know the registry (this means you can't force any settings to anyone) THIS IS THE MOST IMPORTANT ONE
2. Admins can install any software they like.  Including pirated software, key loggers (if shared computer I think you see the security problem here), viruses, etc...  M$ fines for pirated licenses can be upwards of $10,000 US per copy.
3. If the computer is shared admins have access to everyone's files
4. Admins can bypass most filters applied to their computer.  They can also setup IE to use external proxy servers to bypass internet filters.
5. Admins have the ability to set security on files/folders/services/etc... that can potentially create a gaping security hole into your network.
6. Admins can change all configuration settings so you get calls like "I did something but I don't remember what; now I don't have access to the network"  or "I can't access the network all of a sudden.  I didn't do anything." (trying to stay out of trouble here).
7. Users cannot be trusted to keep their passwords secure.  They share passwords, use things like kids/pets/spouse's names, birthdates, and other things that are easily obtainable.  I can guess most user's passwords here in less than 5 tries.  If a password isn't secure and someone can guess it then anyone can be the admin for that box and do whatever they like.  We service many competing customers here (eg. Crest and Colgate).  I don't think Colgate would be happy if someone from Crest was able to jump on a PC here and bump across some new carton artwork or something.


There are just so many reasons I can't possibly list them all here.  Most revolve around security and system stability.  Both of these directly impact process reliability and productivity.  If a user junks their computer up with chat programs (and all the spyware that comes with them) their computer will become very slow.  This means tasks that used to take a minute or two can take 15 minutes to complete now.  This is a big hit to productivity.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17999755
touchy is a good word for this....different scenarios require different answers....most of the clients I deal with would simply walk away if I told them they cannot have admin rights......the workaround is to slam them down with group policy   just my $0.02
0
 
LVL 40

Accepted Solution

by:Fatal_Exception
Fatal_Exception earned 50 total points
ID: 17999794
Well, I think all of us agree that we would love to lock down every system that comes under our 'domain', but sometimes this cannot be the case...  as mentioned above, and in my company where I manage approx. 500 clients, there is some software that needs admin rights to run..  When I started locking down my systems (Poweruser accts.) I found it generated an abundance of support calls, and I had to jump through some hoops to make everyone happy..  finally, just reverted to placing everyone in the Local Admin Group.. lol, eh?

I found that most of the problems that were generated outweighed the necessity to not give away these rights..  I now scan the network for unauthorized software and watch carefully the logs from my routers, etc...  

When it comes right down to it, I suggest you not go against the grain on this one..  Especially if this is coming from the exec floor..  :)
0
 

Author Comment

by:darovitz
ID: 17999905
Ok... now how do I give them all power user rights...
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17999925
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18000089
As James says, restricted groups will do it..  or you can go to each machine and add the user to the Power Users group...  but remember, Power Users are just users with elevated privileges...  still may have some issues to deal with here..
0
 

Author Comment

by:darovitz
ID: 18000103
Ok.. that was fun (and a pain).  Now all my machines are clean and I know who needs local admin rights and which software they are using.

I removed the restricted groups policy and all is well.

I would not advise anyone to do what I did unless you know your users.
0
 

Author Comment

by:darovitz
ID: 18000141
Good job everyone, I learned a lot.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18000187
restricted groups can be tricky too :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18000214
Fun?  :)

Glad you got it resolved though!  Have a great week!
0
 
LVL 21

Expert Comment

by:mcsween
ID: 18005363
I use a computer startup script to assign power user rights to everyone.  Assign a gpo to the OU where all your workstations are.

net localgroup "Power Users" "Authenticated Users" /add
0
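The thread ends with two pieces of advice: find out who actually still needs local admin before taking it away (darovitz's own conclusion), and assign Power Users membership through a startup script or Restricted Groups. The script below is an added example written for this page, not something posted by any of the participants. It inventories the local Administrators group on a list of workstations over the WinNT ADSI provider, flags any member that is not on an allow-list, and prints the `net localgroup` commands an administrator would review before running them on each machine. The computer names, the allow-list entries and the output file name are assumptions to be replaced with your own values; the script needs an account with admin rights on the targets and RPC reachability to them.

```powershell
# Added example: audit local Administrators membership across workstations and
# propose Power Users membership for anyone who is not on the allow-list.
# Not part of the original thread; computer names and allow-list are placeholders.

$computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')   # e.g. Get-Content .\workstations.txt

# Members allowed to stay in local Administrators (assumption: adjust to your domain).
$allowed = @('Administrator', 'Domain Admins', 'Workstation Admins')

$results = foreach ($pc in $computers) {
    try {
        # WinNT provider works against the local SAM of each machine.
        $group   = [ADSI]"WinNT://$pc/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        # Unreachable or access denied: record the error and move on.
        [PSCustomObject]@{ Computer = $pc; Member = $null; Allowed = $null; Error = $_.Exception.Message }
        continue
    }
    foreach ($m in $members) {
        [PSCustomObject]@{
            Computer = $pc
            Member   = $m
            Allowed  = ($allowed -contains $m)
            Error    = $null
        }
    }
}

# Keep the full inventory as evidence for the justification discussion.
$results | Export-Csv -Path .\local-admins.csv -NoTypeInformation

# Members that are not on the allow-list are candidates for Power Users.
# The commands are printed for review rather than executed, so that nobody is
# removed from Administrators before the software they run has been checked.
$candidates = $results | Where-Object { $_.Error -eq $null -and -not $_.Allowed }
foreach ($c in $candidates) {
    Write-Output ("REM on {0}:" -f $c.Computer)
    Write-Output ('net localgroup "Power Users" "{0}" /add' -f $c.Member)
    Write-Output ('net localgroup "Administrators" "{0}" /delete' -f $c.Member)
}
```

Running the reviewed `/add` lines as a computer startup script in a GPO linked to the workstation OU mirrors mcsween's approach while keeping the per-user list that darovitz ended up needing, and the CSV doubles as the audit trail that the justification question was about.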