local admin rights (Solved)

Posted on 2009-05-15
Last Modified: 2013-11-05
Experts,
I am compiling a checklist that we want our domain/network admins to consider before authorising any requests from users as to whether they should or should not be allowed local admin rights on their PC. Have any of you done a similar exercise in your organisation, and what are the key issues you consider that give the end user a yes or no as to whether their request is appropriate (to ensure we haven't overlooked anything)?
Cheers,
Question by: pma111

8 Comments

Accepted Solution by snusgubben (earned 100 total points), ID: 24394477
Two thoughts:

1. When a user is local admin on a PC the risk of getting a virus infection is higher. This can result in infecting files in file shares, e-mail spamming and brute force attacks in your internal network.

2. This will also give the user the ability to install software locally. This can result in slowing down the PC. A slow PC results in a slow working person.
Author Comment by pma111, ID: 24394658
Thanks snusgubben, I'll see if anything else gets added by others...
Assisted Solution by bluntTony (earned 200 total points), ID: 24394947
Hi,

I agree with snusgubben - elevated user rights = elevated risk. What case would you consider acceptable to have a user as a local admin?

What reasons are your users giving to be a local admin? Depending on the requests, you might be able to be more granular in granting certain rights.
Author Comment by pma111, ID: 24395080
Hi bluntTony:

The main reasons we are getting range from certain apps not working properly unless they have local admin rights, certain functionality within software and apps not working without local admin rights, and some bizarre ones that don't seem to be justified, which have been point blank rejected.

Out of interest then, I'd be interested to know which scenarios / reasons you agree with the user and grant a user local admin, and which scenarios / reasons you don't.

Regards
Assisted Solution by Froggy_chris (earned 100 total points), ID: 24395115
Hi,

I usually stick to the policy: no rights for users except the rights they must have to work. That said, I haven't yet met any situation where the user has to be Local Admin. So if the user does not have to be, he won't be :)

Security has to be thought of in a "reverse" way, so do not think of reasons why they should not be admin, but think in terms of reasons why they should be.

A big thing you have to bear in mind (if you're not using App virtualisation): the extensive tests for new applications. There still are a lot of apps that won't work properly (you often have to play with Procmon and find out what is accessed). Then permissions for a given app can be arranged through a given GPO for the users.

Assisted Solution by bluntTony (earned 200 total points), ID: 24395215
In general I would say there are not many cases where standard users should have admin rights. Identify the tasks that users need to perform and grant those rights accordingly through group membership and local/group policy.

I suppose the correct answer for your problem would be to identify exactly where the problems are in the file system/registry that are causing the access problems in the software and relax the security on them. From this you can create a security template you can then apply to your workstations. I know this is easier said than done though.

However, if the software is quite old, it may be that it's based on the old NT4 security model. This can cause problems on newer systems where seemingly harmless processes require local admin rights.

MS's fix for this is the compatws.inf security template in C:\windows\security\templates. Sometimes applying this policy relaxes the security on certain files/reg keys and allows the older apps to work for non-admins. Like I say though, this may not be applicable to you.
Assisted Solution by slinkygn (earned 100 total points), ID: 24396674
http://www.threatcode.com/ is a great resource for solutions for programs that insist on running in Administrator (or Power User) accounts. It is much better to give limited users the specific permissions to the resources they need to run those specific programs than to give them blanket privileges to everything on the system for just a few programs. The site also mentions the LUABuglight program, which allows you to figure out the specific access permissions yourself for programs that aren't listed.

For a much niftier commercial solution, Privilege Manager from BeyondTrust (http://www.beyondtrust.com/) allows you to configure per-program permissions, so you can easily set programs up to have what access level they need to run while leaving users with limited accounts.
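The per-application alternative that bluntTony and slinkygn describe (relax permissions on just the folder and registry key an old app writes to, for a designated group, instead of local admin membership), as an added PowerShell example that is not code from the thread or from any of the products named. The group name, install folder and registry key are assumptions; the real locations come from Procmon's ACCESS DENIED results or LUABuglight.

```powershell
# Added example (not from the thread): grant one AD group Modify rights on a
# single application's folder and vendor registry key, so the app's users can
# stay standard users. Group, folder and key below are assumed placeholders.
param(
    [string]$Group  = 'CORP\LegacyApp-Users',                  # assumed AD group
    [string]$AppDir = 'C:\Program Files\LegacyApp',            # assumed install dir
    [string]$AppKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'  # assumed vendor key
)

# File system: Modify (not Full Control) so users cannot rewrite the ACL itself;
# inherit to all files and subfolders beneath the application folder.
$dirAcl  = Get-Acl -Path $AppDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $AppDir -AclObject $dirAcl

# Registry: the minimum an NT4-era app usually needs is to write its own
# vendor key, so grant read plus value/subkey creation there and nowhere else.
$keyAcl  = Get-Acl -Path $AppKey
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $Group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $AppKey -AclObject $keyAcl

# Verify: show exactly which rules the group now holds on both locations,
# which is the evidence to attach to the admin-rights request when it is declined.
(Get-Acl -Path $AppDir).Access | Where-Object { $_.IdentityReference.Value -eq $Group }
(Get-Acl -Path $AppKey).Access | Where-Object { $_.IdentityReference.Value -eq $Group }

# The broader template route bluntTony mentions, applied with the built-in tool
# (adjust the database name as you see fit):
#   secedit /configure /db compatws.sdb /cfg C:\Windows\security\templates\compatws.inf
```

Run it elevated once per affected workstation (or from a startup script via GPO); the verification output lists only the two targeted ACEs, which keeps the change reviewable.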
Expert Comment by bluntTony, ID: 24396750
Like the link, slinkygn.

I noticed Quickbooks was on the 'hall of shame' list. This app I had to work around by applying compatws.inf.