[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

local admin rights

Posted on 2009-05-15
8
Medium Priority
?
581 Views
Last Modified: 2013-11-05
Experts,
I am compiling a checklist that we want our domain/network admins to consider before authorising any requests from users as to whether they should or should not be allowed local admin rights on their PC. Have any of you done a similar exercise in your organisation and what are key issues you consider that give the end user a yes or no as to whether their request is appropriate (to ensure we havent overlooked anything).
Cheers,
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 400 total points
ID: 24394477
Two thoughts:

1. When a user is local admin on a PC the risk to get a virus infection i higher. This can result in infecting files in file shares, e-mail spamming and brute'n force attacks in your internal network.

2. This will also give the user the ability to install software locally. This can result in slowing down the PC. A slow PC result in a slow working person.
0
 
LVL 3

Author Comment

by:pma111
ID: 24394658
Thanks snusgubben, I'll see if anything else gets added by others...
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 800 total points
ID: 24394947
Hi,

I agree with snusgubben - elevated user rights = elevated risk. What case would you consider acceptable to have user as a local admin?

What reasons are your users giving to be a local admin? Depending on the requests, you might be able to be more granular in granting certain rights.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 3

Author Comment

by:pma111
ID: 24395080
Hi bluntTony:

The main reasons we are getting range from certain apps not working properly unless they have local admin rights, certain functionality within software and apps not working without local admin rights, and some bizarre ones that dont seem to be justified which have been point blank rejected.

Out of interest then, I'd be interested to know which scenarios / reasons you agree with the user and grant a user local admin, and which scenarios / reasons you dont.

Regards
0
 
LVL 6

Assisted Solution

by:Froggy_chris
Froggy_chris earned 400 total points
ID: 24395115
Hi,

I usually stick to the the policy: No rights for users except the rights they must have to work. That said, I haven't met yet any situation where the user has to be Local Admin. So if the user has not to be, he won't be ":)

Security has to be thought is a "reverse"way.. so do not think of reason why they shuld not be admin, but think in term of reason why they should be.

A big think you habe to bear in mind (if you're not using App virtualisation) : the extensive tests for new application. there still is a lot of app that won't work properly (you offen have to play with Procmon and find out waht is accessed). then permission for a given app can be arranged through a given GPO for the users.

0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 800 total points
ID: 24395215
In general I would say there are not many cases where standard users should have admin rights. Identify the tasks that users need to perform and grant those rights accordingly through group membership and local/group policy.

I suppose the correct answer for your problem would be to identify exactly where the problems are in the file system/registry that are causing the access problems in the software and relax the security on them. From this you can create a security template you can then apply to your workstations. I know this is easier said than done though.

However, if the software is quite old, it may be that it's based on the old NT4 security model. This can cause problems on newer systems where seemingly harmless processes require local admin rights.

MS's fix for this is the compatws.inf security template in C:\windows\security\templates. Sometimes applying this polices relaxes the security on certain files/reg keys and allows the older apps to work for non-admins. Like I say though, this may not be applicable to you.
0
 
LVL 6

Assisted Solution

by:slinkygn
slinkygn earned 400 total points
ID: 24396674
http://www.threatcode.com/

Is a great resource for solutions for programs that insist on running in Administrator (or Power User) accounts.  It is much better to give limited users the specific permissions to the resources they need to run those specific programs than to give them blanket privileges to everything on the system for just a few programs.  The site also mentions the LUABuglight program, which allows you to figure out the specific access permissions yourself for programs that aren't listed.

For a much niftier commercial solution, Privilege Manager from BeyondTrust (http://www.beyondtrust.com/) allows you to configure per-program permissions, so you can easily set programs up to have what access level they need to run while leaving users with limited accounts.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24396750
Like the link sliknygn.

I noticed Quickbooks was on the 'hall of shame' list. This app I had to work around by applying compatws.inf.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question