Securing a desktop by removing local admin rights

Posted on 2014-03-03
Medium Priority
Last Modified: 2014-03-11

Is there a better/novel way to secure desktops against unwanted/unlicensed software deployments and to mitigate risks from zero-day attacks than removing domain user accounts from local admin groups in a domain-connected environment of Windows 2008 AD and Windows 7 / 8 workstations?

Consider that enterprise grade antimalware on workstations is maintained and access to downloads is blocked at the perimeter web gateway. SCCM 2012 is largely used for remote desktop support.

Users' domain accounts are added into the local admin group due to various operational reasons, which are avoidable, though effort-intensive.
Question by:fahim
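An added audit script for the situation the question describes (not from this thread): it lists the members of the local Administrators group on each workstation over the WinNT ADSI provider, which works on Windows 7 with PowerShell 2.0, and flags domain user accounts that are not on an allow list. The workstation list path and the allow list are assumptions.

```powershell
# Added example: report domain accounts sitting in local Administrators groups.
# Assumes: run as a domain account with remote admin rights, one hostname per
# line in the list file (assumed path), WinNT ADSI provider reachable.
param(
    [string]$ComputerList = ".\workstations.txt",
    [string[]]$Allowed = @("Administrator", "Domain Admins")  # expected members
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $path  = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember("Class",   'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://DOMAIN/name for domain accounts, WinNT://HOST/name for local ones
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Computer = $Computer
            Source   = $parts[0]      # NetBIOS domain or the machine name
            Name     = $parts[-1]
            Class    = $class         # 'User' or 'Group'
        }
    }
}

$report = foreach ($pc in (Get-Content $ComputerList)) {
    try {
        Get-LocalAdminMembers -Computer $pc |
            Where-Object { $Allowed -notcontains $_.Name } |
            Select-Object Computer, Source, Name, Class, @{
                n = 'Finding'
                e = { if ($_.Class -eq 'User' -and $_.Source -ne $pc) { 'Domain user is local admin' }
                      else { 'Unexpected member' } }
            }
    } catch {
        Write-Warning "$pc : $($_.Exception.Message)"   # offline host, access denied, etc.
    }
}

$report | Sort-Object Computer, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

Run it before and after the clean-up to measure how many workstations still grant domain users local admin rights.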
LVL 22

Expert Comment

ID: 39900534
It is common practice in enterprise environments to remove all admin rights for users. It is the basis for the security policy of most companies that take security seriously.

It does mean that you need a tool like Microsoft system center to provide software deployment, security updates ... to reduce the effort for the IT department to manage the workstations.

Author Comment

ID: 39900574
Robocat...How about deploying things like application whitelisting using McAfee or Bit9 products? Or using the likes of BeyondTrust or Avecto etc. for restricted privilege escalation to guard against most common zero-day algorithms that thrive on Autoruns and logged-on privileges?
LVL 22

Assisted Solution

robocat earned 400 total points
ID: 39900736
Don't underestimate the effort for maintaining whitelisting solutions. And solutions like McAfee HIPS can have an impact on system performance.

I can not comment on the other solutions you mention.

Removing admin rights also has benefits beyond security. It allows you to keep track of software installations and make sure all software is legally licensed. Etc...

LVL 27

Assisted Solution

skullnobrains earned 1600 total points
ID: 39901846
even removing admin rights will not prevent a user from installing unwanted/unlicensed software. many programs that do not require registry access for their operation are usable from a pen drive or can be installed by simply extracting an archive in a directory

Author Comment

ID: 39902569
Interesting viewpoints!

The dilemma is, if I have to initiate something that can be classified as a 'secure desktop build', what would be my 'must-haves' as a process in an enterprise-grade environment?

1. Antivirus updates
2. patch management
3. Managed USB/CD access (can't keep it blocked forever)
LVL 22

Expert Comment

ID: 39902670
You always need to balance security and user requirements, so it really depends what kind of company you work for.

E.g. you could block USB, but in an average company this is probably overkill and would be considered unacceptable by the users.

What do we consider bare minimum for an average enterprise environment?

- no admin rights
- centrally managed anti virus / anti-malware + reporting
- centrally managed patch management + reporting

Patch management must not only include OS patches but also application patching. Enterprise anti-virus and patch management will enable you to do this from a central console and keep an eye on any anomalies.

From there you can add more security depending on your needs, such as applocker, Network Access control (NAC), ... The possibilities are almost endless.
LVL 27

Accepted Solution

skullnobrains earned 1600 total points
ID: 39906133
if you want to focus on unwanted applications, you may turn to software whitelisting: it is easier and more efficient to maintain a list of software that is allowed to run on a machine rather than attempting to prevent users from getting the software.

using the windows built-in "software restriction policies", you can achieve something decent.

personal firewalls can do the same and are better featured (can determine which user can run what software, additionally control network access, dll loading, maintain checksums of files) but maintaining a proper ruleset on a group of machines may be quite a headache.


managed usb/cd access is probably not feasible. if you could block all cd access, you probably would... and this would be useless unless the users also have no internet, no mail... or rather no network connection and no keyboard


patch management is great, but rather useless unless you can properly determine which patch is useful and which is not, and act accordingly

remember that
- proper security is achieved when even if a software is breached, it does not have many more consequences than crashing it
- software that issues security patches every week is not necessarily more secure than software that does not. if a problematic vulnerability is found in a software once a month, it is safer to move away from that software than to upgrade it on a daily basis
- on windows machines, not using internet explorer nor outlook, having a proper and updated antivirus + some app that performs checksum checks on dlls and executables + something that implements control over which user can launch which app, and which applicative component can be launched by another, is a good start


... then when you think of a 'secure desktop build', two things come to mind

- it is probably MUCH easier to secure a desktop accessible through terminal services or equivalent
- using windows is probably not the best bet if you expect to meet such a requirement


start by asking yourself
- what are the things i have to work with (e.g. windows, usb keyboards, specific software such as lotus notes or your internal CRM which you cannot expect to change)
- what are my user needs (email access, offline work, file sharing ...)
- should i expect my users to voluntarily try to bypass the security measures? in which case? how good at it can i expect them to be?

include any related information such as the need for computers to be able to be used both at home and inside the company, the fact that your company wishes your users to be able to browse the web for personal use at noon or all day long... whatever comes to mind along these lines

when you have a list, it is easier to devise something. feel free to post one here, we may have a few ideas
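An added example tied to the whitelisting advice above and to the earlier point that software run from a pen drive or an extracted archive bypasses the "no admin rights" control (this is not the answerer's code): it uses the AppLocker cmdlets shipped with Windows 7 Enterprise / Server 2008 R2 to test which executables on a removable drive a standard user could actually run under the policy in effect. The drive letter and user name are placeholders.

```powershell
# Added example: does the effective AppLocker policy stop a non-admin user from
# running what they carry in on a USB stick? Assumes: Windows 7 Enterprise /
# Server 2008 R2 or later, elevated PowerShell, AppLocker module available.
param(
    [string]$Path = "E:\",                  # removable drive or extracted-archive folder (assumed)
    [string]$User = "CORP\standard.user"    # non-admin domain account (placeholder)
)
Import-Module AppLocker

# Local policy merged with GPO-delivered rules: the policy that really applies here.
$policy = Get-AppLockerPolicy -Effective

# File types a user can launch without admin rights; DLLs only matter if the
# DLL rule collection is enforced, but include them so the report shows it.
$files = @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue `
             -Include *.exe, *.msi, *.dll, *.ps1, *.bat, *.cmd, *.vbs, *.js |
           Select-Object -ExpandProperty FullName)

if ($files.Count -eq 0) {
    Write-Warning "No executable content found under $Path"
    return
}

# Evaluate each file as the given user; MatchingRule names the rule that decided.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $files -User $User

$results | Select-Object FilePath, PolicyDecision, MatchingRule |
    Sort-Object PolicyDecision, FilePath | Format-Table -AutoSize

$allowed = @($results | Where-Object { $_.PolicyDecision -eq 'Allowed' })
"{0} of {1} files would run as {2}" -f $allowed.Count, $files.Count, $User

# With no rules at all AppLocker allows everything, so an all-Allowed result on
# arbitrary USB content means whitelisting is not enforced on this host.
if ($allowed.Count -eq $files.Count) {
    Write-Warning "Every file is allowed: check that AppLocker rules and the Application Identity service are enforced."
}
```

Run it in audit mode first and compare the output with the AppLocker event log (Applications and Services Logs\Microsoft\Windows\AppLocker) before switching rules to enforce.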
