Solved

Laptops are not locked down (hardened) allowing administrator rights

Posted on 2013-01-18
7
306 Views
Last Modified: 2013-01-22
Potential client did a quick audit in order to host their data and reported the following:
Laptops are not locked down (hardened) allowing administrator rights

I wonder what risk do you suppose this one is attempting to solve? Any interim solution we can employ using Group Policies?
0
Comment
Question by:Tiras25
7 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
Comment Utility
If any user except certified administrator are assigned standard user rights and UAC is properly turned on, then the machines are locked down.

You are implying users have admin rights. Is this true?

... Thinkpads_User
0
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 83 total points
Comment Utility
Most probably he/she refers to normal domain users have full LOCAL administrative rights on each computer. As you probably know, this opens many doors to unwanted and potentially dangerous software, which can get installed and may modify local computer.

My choice in domain envoronment is to have local users with just "user" rights, even on local computers.

You can alter this privilege via "Restricted groups" feature of GPO:
http://www.frickelsoft.net/blog/?p=13
0
 
LVL 17

Author Comment

by:Tiras25
Comment Utility
Right.   I wonder what risk do you suppose this one is attempting to solve?  and any interim solution we can employ using Group Policies?
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
Comment Utility
When you say "Right" you mean users have admin rights?  I think that is what you mean and users should never have admin rights. So then just remove admin rights and make sure UAC is on.

Users with admin rights can and do cause all kinds of mayhem.

... Thinkpads_User
0
 
LVL 4

Assisted Solution

by:Haslerct
Haslerct earned 83 total points
Comment Utility
Remove the user from the local administrators group and this can be done thru GPO "restricted group"
http://www.windowsecurity.com/articles/using-restricted-groups.html

Risk of having an user with local admins rights:
1. More high possibility of virus infection as the user have admins right of their laptop, means if he/she accidentally access to malware website, the malware can modify any setting on the laptop as the user session have admins rights.

2. Harder to control illegal software/unauthorised software installation. As user have admins rights on their laptop.

3. Tend to have more BAU support case, as user might accidentally change config and cause error.
0
 
LVL 3

Assisted Solution

by:suribaba801
suribaba801 earned 83 total points
Comment Utility
Take a look at this link it is describing most of locking down setting with gpo... Let me know what u think
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4932903f-3582-4aa5-b979-30a10db5c7bd/
0
 
LVL 53

Accepted Solution

by:
McKnife earned 84 total points
Comment Utility
Hi.

> Laptops are not locked down (hardened) allowing administrator rights
What should that mean in detail? Please, if you need advice, the basics should be clear to all.

"Locked down" is usually used to describe different technical, non-default measures for various purposes, mainly security improvements. But: the default would be that users are in the users group, so there would be no lockdown needed here...that's why I guess he's talking about something different, but what?

Please clarify.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now