Solved

Lock down local admin account

Posted on 2006-11-22
Last Modified: 2007-11-27
I have recently locked down the local admin account on all my network machines.  Now I must justify it.  This should be fun for all experts, I have a few reasons but I would like many.  Can you give me a list?  FYI..  every user had local admin rights with their own user names and passwords on multiple machines.
Question by:darovitz
17 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 17997849
You locked it down intentionally, and would like supporting reasons? Am I understanding this right?

0
 

Author Comment

by:darovitz
ID: 17997933
Yes.  I will assign power users to some accounts as I find out who they are.
0
 

Author Comment

by:darovitz
ID: 17997935
Not locked out, locked down.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17998016
Personally, I always rename the Administrator Account to one of my personal support accounts on my machines. Then I will rename the guest account to Administrator. That way, if someone tries to get Administrator user on my machine, then they won't have rights for ANYTHING. Unless there is an exploit that isn't patched yet, I am sure.

Granted you can still get Admin level access with a domain admin user account, right?



0
 
LVL 15

Assisted Solution

by:adamdrayer
adamdrayer earned 200 total points
ID: 17998188
This is an extremely touchy subject with a lot of Windows administrators.  So much so, that 50% of the conversations you hear about Vista revolve around their revamping of the whole local admin/power user model into what is commonly referred to as the UAC (User Access Control).  I'm not gonna get too much into that because I am still learning exactly how it works.

The truth is that most of the time, the software you run dictates what access your users have.  Many software vendors require you to grant your users local admin privs for their software to work.  This is so annoying as an admin, that I've actually contemplated changing professions as a result.  The only way around this while not granting users local admin access is to individually grant granular access to every registry key and file/directory required to run the software correctly, and good luck getting that out of software engineers.  Even if you do, the software might change from year to year and it will also take days if not weeks to troubleshoot with tech support.  Chances are they won't even help you unless you grant the user local admin like their installation manual requires!

Most admins don't deal with this and simply grant the user local admin status and simply safeguard against things by locating all data on a network drive, rendering the workstation only responsible for Windows and program installs.  This way you can quickly ghost computers that get corrupted.

So normally to keep networks at their most scalable and flexible, I dedicate my time to configuring the computers so that local admin privs do not grant them any potentially dangerous access, rather than trying to pick and configure software to work with less-than-elevated privileges.

Not the answer you are looking for, but my 2 cents nonetheless.

I would not, however, just remove local admin status from users without verifying first that it doesn't break any software or any harmless user work habits.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 800 total points
ID: 17998536
It's more of a touchy subject with Windows users also.

I'm sure the lock down of local admin rights is an attempt to further secure his network.   Good job.   Controlling admin rights to the local machines is an important step to a secure network.

If I understood the question, darovitz isn't looking for help doing this, he's looking at this from a justification perspective so that if a user with clout starts complaining that he can no longer install the 'flying toaster' screensaver (or whatever) darovitz has his butt covered.

So here's my input, and it's the same reasons I've given at my company for removing certain rights:
1) Removal of admin rights protects the user from computer failure by ensuring applications and processes are not accidentally run that cause any sort of system failure.  (Translation: this will keep Ted in accounting from running Disk manager and deleting partitions because he needed more space).
2) By preventing system failure and maximizing 'uptime' all employees are more productive.   No one needs to wait for Tech help or machine re-images to get back up and running.
3) Removal of admin rights prevents the tampering of the security logs.    Ensuring that only authorized employees may access the logs.   (Translation: Security and Audit will LOVE you, so will any examiners if you are a Bank or something similar)
4) Guarantees that no unauthorized copy of software is installed or unauthorized upgrades are performed to the machines (Translation: Leave World of Warcraft at home)
5) No new hardware can be installed without authorization, again helping the uptime and keeping people productive (Translation: Ted in accounting tried to install his Palm Pilot on every machine so that he could float around desks.... he crashed them all instead)

I think you get the idea....
0
 
LVL 22

Assisted Solution

by:mcsween
mcsween earned 800 total points
ID: 17998648
I am a firm believer that a user must JUSTIFY a scenario where they need Admin access.  As of right now I have about 300 workstations on the network and only about 10 users besides IT staff have Admin on their own box.  These users are all laptop users and need to have the ability to assign static IPs to their computers at customer sites.

Reasons to deny Admin on user's workstations:

1. Admins can revert ALL group policies if they know the registry (this means you can't force any settings to anyone) THIS IS THE MOST IMPORTANT ONE
2. Admins can install any software they like.  Including pirated software, key loggers (if shared computer I think you see the security problem here), viruses, etc...  M$ fines for pirated licenses can be upwards of $10,000 US per copy.
3. If the computer is shared admins have access to everyone's files
4. Admins can bypass most filters applied to their computer.  They can also setup IE to use external proxy servers to bypass internet filters.
5. Admins have the ability to set security on files/folders/services/etc... that can potentially create a gaping security hole into your network.
6. Admins can change all configuration settings so you get calls like "I did something but I don't remember what; now I don't have access to the network"  or "I can't access the network all of a sudden.  I didn't do anything." (trying to stay out of trouble here).
7. Users cannot be trusted to keep their passwords secure.  They share passwords, use things like kids/pets/spouse's names, birthdates, and other things that are easily obtainable.  I can guess most users' passwords here in less than 5 tries.  If a password isn't secure and someone can guess it then anyone can be the admin for that box and do whatever they like.  We service many competing customers here (eg. Crest and Colgate).  I don't think Colgate would be happy if someone from Crest was able to jump on a PC here and bump across some new carton artwork or something.


There are just so many reasons I can't possibly list them all here.  Most revolve around security and system stability.  Both of these directly impact process reliability and productivity.  If a user junks their computer up with chat programs (and all the spyware that comes with them) their computer will become very slow.  This means tasks that used to take a minute or two can take 15 minutes to complete now.  This is a big hit to productivity.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17999755
touchy is a good word for this....different scenarios require different answers....most of the clients I deal with would simply walk away if I told them they cannot have admin rights......the workaround is to slam them down with group policy   just my $0.02
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 200 total points
ID: 17999794
Well, I think all of us agree that we would love to lock down every system that comes under our 'domain', but sometimes this cannot be the case...  as mentioned above, and in my company where I manage approx. 500 clients, there is some software that needs admin rights to run..  When I started locking down my systems (Poweruser accts.) I found it generated an abundance of support calls, and I had to jump through some hoops to make everyone happy..  finally, just reverted to placing everyone in the Local Admin Group.. lol, eh?

I found that most of the problems that were generated outweighed the necessity to not give away these rights..  I now scan the network for unauthorized software and watch carefully the logs from my routers, etc...  

When it comes right down to it, I suggest you not go against the grain on this one..  Especially if this is coming from the exec floor..  :)
0
 

Author Comment

by:darovitz
ID: 17999905
Ok... now how do I give them all power user rights...
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17999925
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18000089
As James says, restricted groups will do it..  or you can go to each machine and add the user to the Power Users group...  but remember, Power Users are just users with elevated privileges...  still may have some issues to deal with here..
0
 

Author Comment

by:darovitz
ID: 18000103
Ok.. that was fun (and a pain).  Now all my machines are clean and I know who needs local admin rights and which software they are using.

I removed the restricted groups policy and all is well.

I would not advise anyone to do what I did unless you know your users.
0
 

Author Comment

by:darovitz
ID: 18000141
Good job everyone, I learned a lot.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18000187
restricted groups can be tricky too :)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 18000214
Fun?  :)

Glad you got it resolved though!  Have a great week!
0
 
LVL 22

Expert Comment

by:mcsween
ID: 18005363
I use a computer startup script to assign power user rights to everyone.  Assign a gpo to the OU where all your workstations are.

net localgroup "Power Users" "Authenticated Users" /add
0
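As an added example (not code from this thread or from any of its posters), a PowerShell audit that answers the questions raised by johnb6767's rename-the-Administrator approach and by mcsween's startup script above: which principals hold elevated local rights, whether a whole-population group such as Authenticated Users has been placed in an elevated group, and whether the built-in Administrator and Guest accounts (found by their well-known RIDs rather than by name) have been renamed. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run in an elevated session on the workstation being checked.

```powershell
# Added audit example, not code from the thread. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run in an elevated session on the workstation.

# RIDs of the built-in accounts; these do not change when the account is renamed.
$BuiltinRids = @{ '-500' = 'Administrator'; '-501' = 'Guest' }

# Local groups that grant elevated rights; "Power Users" is here because the startup
# script in the thread hands it to every authenticated user.
$GroupsToAudit = @('Administrators', 'Power Users')

# Principals that cover the whole user population and should not sit in those groups.
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

# Enumerate membership. A group absent on this Windows edition is skipped, not fatal.
$membership = foreach ($group in $GroupsToAudit) {
    foreach ($m in (Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Group    = $group
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            Broad    = ($BroadPrincipals -contains $m.Name)
        }
    }
}

# Find the built-in Administrator and Guest by RID, so a renamed account is still spotted.
$builtins = foreach ($u in Get-LocalUser) {
    $sid = $u.SID.Value
    $rid = $sid.Substring($sid.LastIndexOf('-'))
    if ($BuiltinRids.ContainsKey($rid)) {
        $defaultName = $BuiltinRids[$rid]
        [pscustomobject]@{
            Role        = $defaultName
            CurrentName = $u.Name
            Enabled     = $u.Enabled
            Renamed     = ($u.Name -ne $defaultName)
        }
    }
}

$membership | Format-Table -AutoSize
$builtins   | Format-Table -AutoSize

# One warning line per machine, easy to collect centrally (e.g. from a GPO startup script).
$broad = @($membership | Where-Object Broad)
if ($broad.Count -gt 0) {
    $detail = ($broad | ForEach-Object { "$($_.Group) <- $($_.Member)" }) -join '; '
    Write-Warning "$($env:COMPUTERNAME): broad principal(s) in elevated group(s): $detail"
}
```

Run against a machine where the startup script above has been applied, the Power Users row for NT AUTHORITY\Authenticated Users comes back with Broad set to True, which is the data point to bring to the "who really needs elevated rights" discussion.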
