Solved

Laptops are not locked down (hardened) allowing administrator rights

Posted on 2013-01-18
7
314 Views
Last Modified: 2013-01-22
Potential client did a quick audit in order to host their data and reported the following:
Laptops are not locked down (hardened) allowing administrator rights

I wonder what risk do you suppose this one is attempting to solve? Any interim solution we can employ using Group Policies?
0
Comment
Question by:Tiras25
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 38795338
If any user except certified administrator are assigned standard user rights and UAC is properly turned on, then the machines are locked down.

You are implying users have admin rights. Is this true?

... Thinkpads_User
0
 
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 83 total points
ID: 38795344
Most probably he/she refers to normal domain users have full LOCAL administrative rights on each computer. As you probably know, this opens many doors to unwanted and potentially dangerous software, which can get installed and may modify local computer.

My choice in domain envoronment is to have local users with just "user" rights, even on local computers.

You can alter this privilege via "Restricted groups" feature of GPO:
http://www.frickelsoft.net/blog/?p=13
0
 
LVL 17

Author Comment

by:Tiras25
ID: 38795345
Right.   I wonder what risk do you suppose this one is attempting to solve?  and any interim solution we can employ using Group Policies?
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 38795351
When you say "Right" you mean users have admin rights?  I think that is what you mean and users should never have admin rights. So then just remove admin rights and make sure UAC is on.

Users with admin rights can and do cause all kinds of mayhem.

... Thinkpads_User
0
 
LVL 4

Assisted Solution

by:Haslerct
Haslerct earned 83 total points
ID: 38795599
Remove the user from the local administrators group and this can be done thru GPO "restricted group"
http://www.windowsecurity.com/articles/using-restricted-groups.html

Risk of having an user with local admins rights:
1. More high possibility of virus infection as the user have admins right of their laptop, means if he/she accidentally access to malware website, the malware can modify any setting on the laptop as the user session have admins rights.

2. Harder to control illegal software/unauthorised software installation. As user have admins rights on their laptop.

3. Tend to have more BAU support case, as user might accidentally change config and cause error.
0
 
LVL 3

Assisted Solution

by:suribaba801
suribaba801 earned 83 total points
ID: 38795972
Take a look at this link it is describing most of locking down setting with gpo... Let me know what u think
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4932903f-3582-4aa5-b979-30a10db5c7bd/
0
 
LVL 54

Accepted Solution

by:
McKnife earned 84 total points
ID: 38799310
Hi.

> Laptops are not locked down (hardened) allowing administrator rights
What should that mean in detail? Please, if you need advice, the basics should be clear to all.

"Locked down" is usually used to describe different technical, non-default measures for various purposes, mainly security improvements. But: the default would be that users are in the users group, so there would be no lockdown needed here...that's why I guess he's talking about something different, but what?

Please clarify.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
HP Stream laptop logging in issue 15 57
Lost FireFox Bookmarks 6 42
SMB Signing issues 5 29
How to remove duplicates eficiently without sorting 5 31
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question