[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328
  • Last Modified:

Laptops are not locked down (hardened) allowing administrator rights

Potential client did a quick audit in order to host their data and reported the following:
Laptops are not locked down (hardened) allowing administrator rights

I wonder what risk do you suppose this one is attempting to solve? Any interim solution we can employ using Group Policies?
0
Tiras25
Asked:
Tiras25
6 Solutions
 
John HurstBusiness Consultant (Owner)Commented:
If any user except certified administrator are assigned standard user rights and UAC is properly turned on, then the machines are locked down.

You are implying users have admin rights. Is this true?

... Thinkpads_User
0
 
Andrej PirmanCommented:
Most probably he/she refers to normal domain users have full LOCAL administrative rights on each computer. As you probably know, this opens many doors to unwanted and potentially dangerous software, which can get installed and may modify local computer.

My choice in domain envoronment is to have local users with just "user" rights, even on local computers.

You can alter this privilege via "Restricted groups" feature of GPO:
http://www.frickelsoft.net/blog/?p=13
0
 
Tiras25Author Commented:
Right.   I wonder what risk do you suppose this one is attempting to solve?  and any interim solution we can employ using Group Policies?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
John HurstBusiness Consultant (Owner)Commented:
When you say "Right" you mean users have admin rights?  I think that is what you mean and users should never have admin rights. So then just remove admin rights and make sure UAC is on.

Users with admin rights can and do cause all kinds of mayhem.

... Thinkpads_User
0
 
HaslerctCommented:
Remove the user from the local administrators group and this can be done thru GPO "restricted group"
http://www.windowsecurity.com/articles/using-restricted-groups.html

Risk of having an user with local admins rights:
1. More high possibility of virus infection as the user have admins right of their laptop, means if he/she accidentally access to malware website, the malware can modify any setting on the laptop as the user session have admins rights.

2. Harder to control illegal software/unauthorised software installation. As user have admins rights on their laptop.

3. Tend to have more BAU support case, as user might accidentally change config and cause error.
0
 
suribaba801Commented:
Take a look at this link it is describing most of locking down setting with gpo... Let me know what u think
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4932903f-3582-4aa5-b979-30a10db5c7bd/
0
 
McKnifeCommented:
Hi.

> Laptops are not locked down (hardened) allowing administrator rights
What should that mean in detail? Please, if you need advice, the basics should be clear to all.

"Locked down" is usually used to describe different technical, non-default measures for various purposes, mainly security improvements. But: the default would be that users are in the users group, so there would be no lockdown needed here...that's why I guess he's talking about something different, but what?

Please clarify.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now