Solved

Users with Local Administrator rights.

Posted on 2009-12-16
Last Modified: 2013-12-04
The company I work for has grown quite a bit over the last few years. Three years ago our locations were linked via site-to-site vpn's,  a domain was created, and all users and computers were joined to that domain. We are a specialty company and most of our users are engineers or technicians that need the ability to install software, so all users have been setup as local administrators.

I started with the company two years ago and immediately pointed out the huge security problem with making users local administrators. The main problem is that all users can browse admin shares on all other computers, especially the executives' computers.

Users still need the ability to install software, but how can I lock down the domain to prevent users from browsing admin shares on other computers in the domain without stopping them from installing software?

Is there a white paper or best practices paper that I can use as a guideline implement a security policy?
Question by:brayn
7 Comments

Accepted Solution

by:
enriquecadalso earned 800 total points
ID: 26065884
Local administrators cannot browse the administrative shares on computers where they are not administrators. Remove them from the local Administrators group on those "executive computers".

You could also disable the administrative shares

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/Security/RemoveAdminShares.html

You can use Restricted Groups by GPO to limit who is who on each computer.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Author Comment

by:brayn
ID: 26065918
I should have worded it a little differently. Domain Users are members of the local administrators group. Eventually we are going to remove some domain users from the local admins group, but most of our users will need to remain in order to have the ability to install software.

Prior to submitting this question I have run some tests using restricted groups and that seems to be the best solution so far.

Expert Comment

by:artoaperjan
ID: 26165306
The strangest thing about this question is this:

Why would a network admin allow users to install applications? It is totally wrong.
You are saying that users need to be able to install applications, and it sounds like installing applications is the only thing your users do.

Giving this sort of access is not correct; it is TOTALLY WRONG. Go to your general manager and IT manager, hit them on the head and say it is not allowed.

If I knew which company you are, I would hack everything you have in your company.
It is like welcoming all the viruses, like walking naked in the middle of the city :)

I am sorry for my hard words, but it is true. I didn't want to offend you.

Regards

Author Comment

by:brayn
ID: 26170459
The reason that users need to be able to install applications is because most of our users are technicians who go out into the field and work on many different types of equipment. Sometimes they need to be able to install proprietary software in order to access and/or program the equipment. They are also on call and have to go out into the field at all hours of the night, so it would not be good to prevent them from being able to install software especially if they are out in the field at 2:00AM.

Expert Comment

by:enriquecadalso
ID: 26171133
Hello again brayn. The wrong step here is to put Domain Users as local administrators. You should add each user to his own computer as a local administrator. That way they will be able to install software on their own computers but won't have administrative rights across the LAN.

Now, when a user tries to browse a C$ resource on another computer, that other computer has defined (by local policies) that only local administrators are able to access the C$ share. But the local administrators are Domain Users, so any user in the domain can access the C$ share. If the number of executives' computers is small, you can remove the Domain Users group from the local Administrators group on those computers. But keeping Domain Users as local administrators will still be a mistake.

Please let me know if you cannot understand my English; it is not my native language and the explanation can be a bit confusing.
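The accepted solution and the comment above both hinge on one fact: whoever sits in a computer's local Administrators group can open its C$ admin share, so a blanket "Domain Users" membership gives every domain account that access everywhere. The audit script below is an added example, not code from any poster; it reads each listed computer's local Administrators group over the WinNT ADSI provider and flags broad groups that should be removed with a Restricted Groups GPO. The computer names and the domain name `CORP` are constructed placeholders, and the script assumes the caller already has admin rights on the target machines.

```powershell
# Added example: audit which principals are in the local Administrators group
# of each listed computer, and flag the blanket "Domain Users" membership that
# exposes every C$ share. Names below are constructed placeholders.
$computers = @('TECH-LAPTOP01', 'EXEC-DESKTOP01')   # assumption: replace with your own list
$domain    = 'CORP'                                  # assumption: your NetBIOS domain name

# Principals that should never be local administrators on every machine.
$broadGroups = @(
    "$domain\Domain Users",
    "$domain\Domain Computers",
    'NT AUTHORITY\Authenticated Users'
)

foreach ($computer in $computers) {
    try {
        # WinNT provider: enumerate the members of the remote local Administrators group.
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # ADsPath looks like WinNT://CORP/Domain Users; normalise it to DOMAIN\Name
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    } catch {
        Write-Warning "$computer : could not read local Administrators ($($_.Exception.Message))"
        continue
    }

    foreach ($member in $members) {
        $finding = ''
        if ($broadGroups -contains $member) {
            $finding = 'BROAD GROUP: remove via Restricted Groups GPO'
        }
        # One row per member so the output can be piped to Export-Csv or filtered.
        [PSCustomObject]@{ Computer = $computer; Member = $member; Finding = $finding }
    }
}
```

Any row flagged here is fixed the way the thread recommends: a Restricted Groups policy (Computer Configuration > Windows Settings > Security Settings > Restricted Groups) on the OU holding those computers, with the Administrators group's members set to the per-role security group plus Domain Admins, which replaces the blanket Domain Users entry on next policy refresh.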

Author Comment

by:brayn
ID: 26180675
I appreciate the responses. I have been working with Restricted Groups, as I think this would be a better way to approach this. I have created user security groups and organized computers and laptops into OUs, to which I applied group policies. This way a technician would be able to access another technician's admin share, but would not have access to a manager's admin share. The technician also would not have local admin rights if they were to log into a manager's computer. This will also allow me to more finely control a group's rights based on their title within the company.

Author Comment

by:brayn
ID: 26180703
The only problem with Restricted Groups is that a few users have had issues with their local profile after the Restricted Groups policy has been applied. In order to correct the problem, I have to give the user permissions to the profile and then point the registry key back to the correct profile. I am going to have to submit another question as to why this is happening.