Laptops are not locked down (hardened) allowing administrator rights

Potential client did a quick audit in order to host their data and reported the following:
Laptops are not locked down (hardened) allowing administrator rights

I wonder what risk do you suppose this one is attempting to solve? Any interim solution we can employ using Group Policies?
LVL 17
Tiras25Asked:
Who is Participating?
 
McKnifeCommented:
Hi.

> Laptops are not locked down (hardened) allowing administrator rights
What should that mean in detail? Please, if you need advice, the basics should be clear to all.

"Locked down" is usually used to describe different technical, non-default measures for various purposes, mainly security improvements. But: the default would be that users are in the users group, so there would be no lockdown needed here...that's why I guess he's talking about something different, but what?

Please clarify.
0
 
JohnBusiness Consultant (Owner)Commented:
If any user except certified administrator are assigned standard user rights and UAC is properly turned on, then the machines are locked down.

You are implying users have admin rights. Is this true?

... Thinkpads_User
0
 
Andrej PirmanCommented:
Most probably he/she refers to normal domain users have full LOCAL administrative rights on each computer. As you probably know, this opens many doors to unwanted and potentially dangerous software, which can get installed and may modify local computer.

My choice in domain envoronment is to have local users with just "user" rights, even on local computers.

You can alter this privilege via "Restricted groups" feature of GPO:
http://www.frickelsoft.net/blog/?p=13
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Tiras25Author Commented:
Right.   I wonder what risk do you suppose this one is attempting to solve?  and any interim solution we can employ using Group Policies?
0
 
JohnBusiness Consultant (Owner)Commented:
When you say "Right" you mean users have admin rights?  I think that is what you mean and users should never have admin rights. So then just remove admin rights and make sure UAC is on.

Users with admin rights can and do cause all kinds of mayhem.

... Thinkpads_User
0
 
HaslerctCommented:
Remove the user from the local administrators group and this can be done thru GPO "restricted group"
http://www.windowsecurity.com/articles/using-restricted-groups.html

Risk of having an user with local admins rights:
1. More high possibility of virus infection as the user have admins right of their laptop, means if he/she accidentally access to malware website, the malware can modify any setting on the laptop as the user session have admins rights.

2. Harder to control illegal software/unauthorised software installation. As user have admins rights on their laptop.

3. Tend to have more BAU support case, as user might accidentally change config and cause error.
0
 
suribaba801Commented:
Take a look at this link it is describing most of locking down setting with gpo... Let me know what u think
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4932903f-3582-4aa5-b979-30a10db5c7bd/
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.