Solved

Laptops are not locked down (hardened) allowing administrator rights

Posted on 2013-01-18
7
310 Views
Last Modified: 2013-01-22
Potential client did a quick audit in order to host their data and reported the following:
Laptops are not locked down (hardened) allowing administrator rights

I wonder what risk do you suppose this one is attempting to solve? Any interim solution we can employ using Group Policies?
0
Comment
Question by:Tiras25
7 Comments
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 38795338
If any user except certified administrator are assigned standard user rights and UAC is properly turned on, then the machines are locked down.

You are implying users have admin rights. Is this true?

... Thinkpads_User
0
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 83 total points
ID: 38795344
Most probably he/she refers to normal domain users have full LOCAL administrative rights on each computer. As you probably know, this opens many doors to unwanted and potentially dangerous software, which can get installed and may modify local computer.

My choice in domain envoronment is to have local users with just "user" rights, even on local computers.

You can alter this privilege via "Restricted groups" feature of GPO:
http://www.frickelsoft.net/blog/?p=13
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38795345
Right.   I wonder what risk do you suppose this one is attempting to solve?  and any interim solution we can employ using Group Policies?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 38795351
When you say "Right" you mean users have admin rights?  I think that is what you mean and users should never have admin rights. So then just remove admin rights and make sure UAC is on.

Users with admin rights can and do cause all kinds of mayhem.

... Thinkpads_User
0
 
LVL 4

Assisted Solution

by:Haslerct
Haslerct earned 83 total points
ID: 38795599
Remove the user from the local administrators group and this can be done thru GPO "restricted group"
http://www.windowsecurity.com/articles/using-restricted-groups.html

Risk of having an user with local admins rights:
1. More high possibility of virus infection as the user have admins right of their laptop, means if he/she accidentally access to malware website, the malware can modify any setting on the laptop as the user session have admins rights.

2. Harder to control illegal software/unauthorised software installation. As user have admins rights on their laptop.

3. Tend to have more BAU support case, as user might accidentally change config and cause error.
0
 
LVL 3

Assisted Solution

by:suribaba801
suribaba801 earned 83 total points
ID: 38795972
Take a look at this link it is describing most of locking down setting with gpo... Let me know what u think
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4932903f-3582-4aa5-b979-30a10db5c7bd/
0
 
LVL 54

Accepted Solution

by:
McKnife earned 84 total points
ID: 38799310
Hi.

> Laptops are not locked down (hardened) allowing administrator rights
What should that mean in detail? Please, if you need advice, the basics should be clear to all.

"Locked down" is usually used to describe different technical, non-default measures for various purposes, mainly security improvements. But: the default would be that users are in the users group, so there would be no lockdown needed here...that's why I guess he's talking about something different, but what?

Please clarify.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Both MMF (multi-mode fiber) and SMF (single-mode fiber) are types of optical fiber that can aid in communication applications. These thin strands of silica or glass will allow communication to occur between devices. The transmission of light between…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question