Making users local admins - unavoidable? Never? Keeps users happy? Your thoughts?

In office settings (maybe SBS, maybe workgroups), do you make the average user a local admin (would you answer different for XP or Win 7?)?

Seems apps like quickbooks and likely many others don't run right if the user is not a local admin (yeah, I heard newer versions of QB fixed that?). Updates to java, flash, etc. need that.  seems like a big headache for the IT person that does break fix for them - you'll get loads of calls from users  'I can't do this, I can't do that', and again, some LOBs just won't work, right?

Am I wrong?
BeGentleWithMe-INeedHelp asked:
 
Cliff Galiher commented:
This whole thing is being blown out of perspective. Is there a lot of software that needs admin privileges? No. Quickbooks doesn't. Not since 2009 (and in QB numbering, that is three full years old now.) Office hasn't. Adobe suite hasn't. OpenOffice hasn't. Firefox, Chrome, IE, Java, Flash, Reader. ALL the major vendors supported limited users and have for years. QB was one of the last. Now there are minor players, but usually you can make them work with permissions changes, as others have stated. And the few that can't? Time to shop for new software from a competitor.

The truth is limited accounts have been around for years. The next big fight will be 64-bit support. 2008 R2 is 64-bit only. MS will put an end to 32-bit on the desktop eventually as well. If your vendor can't support limited user accounts, introduced in their current form with Windows 2000, or 11 years old, how long do you think it'll take them to support 64-bits?

In short, MS can only support backwards compatibility for so long. Any vendor that demonstrates dragging their feet SHOULD be replaced. This is in no way MS's fault. Not even a little. And, to circle around to the first point, you aren't replacing most of your apps. Or even some. MAYBE one. It really is that rare these days that software blatantly requires admin privs.

Patching software is an entirely different conversation though. And one we probably don't need to have today in detail. Patching requires admin privileges (rightfully so.) The admin should ALWAYS know both WHAT is going on a box and WHEN it goes on there. If a Flash patch breaks a site that users must access for work purposes regularly, you don't want them patching. And if they can patch themselves, you start getting rafts of issues you cannot reproduce because you aren't aware that they patched Flash.

Or conversely, a virus exploits an older version of Adobe Reader, that Adobe released a fix for two weeks ago, but the user hits "remind me later" every morning because installing the patch would interfere with their morning routine of reading Dilbert online with their cup of coffee, and then they forget and don't patch at the end of the day and...drumroll...they get infected because you left it up to end users to patch themselves.

No, patch management is an admin duty. It should be centralized, enforced, monitored, and tightly controlled.

There's no good reason for end users to be local admins in 2011.

-Cliff
0
 
Scott Craig (Webmaster) commented:
The problem with making them local admins is that they can install whatever they want, change whatever they want, etc.  Making them restricted users helps prevent certain mishaps.  Yes, it takes more time on the IT person's part, but I think the risk of leaving a non-IT user as an admin is far more time consuming than doing updates yourself.
0
 
mcsween (Sr. Network Administrator) commented:
I prefer not to add users as Admin ever if I can help it.  Older apps that don't "work" without Admin usually have to do with folder permissions.  Make sure they install to the Program Files folder and not the root of C and set the NTFS permissions on the folder to allow the users you want to read and write.

The exception to this is when programs want to write to the HKLM portion of the Registry.  In this scenario it is tough to get the apps to run as a regular user without modifying a lot of Registry permissions.
0
 
Run5k commented:
Personally, I think you would be creating more problems than you would solve by giving end-users full admin privileges on their Windows machines.  Even if you implemented a comprehensive set of group policies, they could still do things to the operating system that would typically generate more phone calls to the IT support staff than elevating their privileges would eliminate.

While it would be a bit less problematic on a Windows 7 machine thanks to various security enhancements like UAC, on a Windows XP machine it could quickly turn into a nightmare.  Allowing end-users to access the Internet on a WinXP computer with a profile that has admin rights is simply an accident waiting to happen.  A malware/virus problem is inevitable.

Regarding application updates like Java or Flash, depending upon the size of the network you can update those manually and turn off the nags, or on a larger network you can implement a WSUS server solution to update them automatically.

For applications like QuickBooks, if something genuinely requires admin rights it sounds like it's time to upgrade the application, rather than compromise good security posture.
0
 
Tony Giangreco commented:
I've found that many database apps running in my clients' networks required the User Access Controls be turned off and they be added to the Local Admin group. Being an admin myself, I prefer not to do this, but I have found the vendors won't provide app assistance unless this access is provided. It's a Catch-22.
0
 
☠ MASQ ☠ commented:
If the software doesn't run in a limited account it's the wrong software or you're not getting the right support. Giving users local admin rights just because the program doesn't seem to behave is usually bad news.  I tend to stick to The 10 Immutable Laws of Security on this :)
0
 
BeGentleWithMe-INeedHelp (Author) commented:
Run5K - thanks... yes, I agree in theory to not make them local admins.... but then there's reality - what do you say about what TG says, as it was with QB for a loooong time - they have to be local admins. Sure QB is fixed. But there are other apps that aren't.
0
 
☠ MASQ ☠ commented:
Either the provider can tell you which parts of the registry or file system need admin access or you can work it out with something like Procmon and then set the rights to just those locations.
0
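The permission-delegation approach mcsween and MASQ describe above (install under Program Files, then grant write access only to the folder and HKLM key the app actually touches, as found with Procmon), worked through as an added example that is not part of the original thread. The folder, registry key and group names are hypothetical placeholders; run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread): delegate write access to only the
# locations a legacy app needs, instead of adding users to Administrators.
# Assumptions (hypothetical): the app is installed in C:\Program Files\LegacyApp,
# keeps its settings under HKLM:\SOFTWARE\LegacyApp (both identified with
# Procmon's ACCESS DENIED events), and its users are in CORP\LegacyApp-Users.

$AppFolder = 'C:\Program Files\LegacyApp'
$AppRegKey = 'HKLM:\SOFTWARE\LegacyApp'
$Group     = 'CORP\LegacyApp-Users'

# 1. NTFS: grant the group Modify on the app folder, inherited by all
#    subfolders and files, so the app can write its data and log files there
#    without the user holding admin rights anywhere else on the disk.
$acl  = Get-Acl -Path $AppFolder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 2. Registry: grant the same group Full Control on the app's own HKLM key
#    and its subkeys only; the rest of HKLM keeps its default permissions.
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList @($Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$regAcl.SetAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# 3. Verify: show exactly which ACEs now apply to the group in each location,
#    so the delegation can be reviewed (and reverted) as a known change.
(Get-Acl -Path $AppFolder).Access | Where-Object { $_.IdentityReference -eq $Group }
(Get-Acl -Path $AppRegKey).Access | Where-Object { $_.IdentityReference -eq $Group }
```

Rerun Procmon as the limited user afterwards; any remaining ACCESS DENIED entries point at further locations to delegate, which keeps the grant scoped to what the app really needs.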
 
Run5k commented:
BeGentleWithMe-INeedHelp, I would essentially say the same thing that Masqueraid emphasized: if the software allegedly needs for the user to possess admin rights in order to run properly, it's either the wrong version or the vendor is way behind the power curve.

The security and stability of the network is of utmost importance, and granting end-users admin privileges on their Windows operating system compromises both of those principles.  In my corner of the world, our reality consists of supporting three different networks, the largest having over 10,000 Windows 7 workstations with over 13,000 end-users.  Despite the sheer size, scope, and diversity of the software in our environment, absolutely none of those end-users have admin rights.  To be honest, I'm not entirely comfortable with one or two members of the IT support staff who have admin rights!  ;-)
0
 
Tony Giangreco commented:
Hi Masquraid,

I agree with your thoughts in theory, but listening to the author's QB situation, if he doesn't want to make the users a local admin as QB requires, QB just stops supporting him. They are so big, they don't need one customer. They will say, make him/her a local admin or we won't support you. At this point, the author is on the losing end.
0
 
☠ MASQ ☠ commented:
How about a GPO?
http://msmvps.com/cfs-filesystemfile.ashx/__key/CommunityServer.Components.PostAttachments/00.01.61.89.66/How-to-allow-Quickbooks-to-run-as-a-non-administrator.pdf

QB has such a large user base that they seem to be able to address this better than the provider!
0
 
BeGentleWithMe-INeedHelp (Author) commented:
masq: thanks, but QB was just a general example I was thinking of - that yes, it would be great to NOT make users local admins, but the futility of that because so many legitimate things need / want local admin rights.
0
 
BeGentleWithMe-INeedHelp (Author) commented:
And am I the only one - something as common as QB takes 28 pages to tell you how to run it safely? Isn't that a crime that QB / Microsoft gets away with that for how long? I blame MS for the OS that is so big and overkill it takes 28 pages, and QB because they didn't want to write the app right in the first place.
0
 
☠ MASQ ☠ commented:
It's a lot shorter without the pictures :)

But I take your point. Still, it can be done, but unless end users insist on packages that are either correctly written in the first place or configure the correct security "out of the box", programmers will continue to get away with telling you to simply give your users rights to change what they like on their PCs.

<MASQ ducks!>
0
 
Run5k commented:
"so much legitimate things needs / wants local admin rights" - BeGentleWithMe-INeedHelp

As both Masqueraid and I have said, that is really on the software vendors. The post-WinXP security era began with Vista over five years ago. After all that time, if they still haven't updated their software to be compliant, I'm not sure if they truly deserve to be called legitimate. Like I said earlier, our largest domain has thousands of users with several hundred different applications available, and none of them need admin rights to work properly. It can be done.

"I blame MS for the OS that is so big and overkill" - BeGentleWithMe-INeedHelp

Microsoft has designed a terrific operating system with Windows 7! The fact of the matter is that they needed to drastically improve Windows security because of all the cyber threats out there. Windows XP almost never had any compatibility issues because it would essentially allow any application or driver to have free rein within the operating system, and while that makes life much easier for the software vendors it is also a huge security vulnerability.

Once again, the Vista/Win7 era of secure operating systems has been in existence for over five years.  There really is no excuse for software to still not be compliant.
0
 
Run5k commented:
Well said Cliff, but I do find it interesting that your first sentence states the "whole thing is being blown out of perspective," but then you proceed to write the longest post in the entire discussion!  ;-)
0
 
Cliff Galiher commented:
Sometimes reintroducing sanity requires a long explanation to help rein in the more outlandish elements.
0
 
Run5k commented:
There's nothing wrong with that, Cliff. It was just a bit ironic, especially when you managed to say "In short" at one point, too! ;-)
0