Securing a desktop by removing local admin rights

Posted on 2014-03-03
Last Modified: 2014-03-11

Is there a better/novel way to secure desktops against unwanted/unlicensed software deployments and to mitigate risks from zero-day attacks than removing domain user accounts from local admin groups in a domain-connected environment of Windows 2008 AD and Windows 7 / 8 workstations?

Consider that enterprise grade antimalware on workstations is maintained and access to downloads is blocked at the perimeter web gateway. SCCM 2012 is largely used for remote desktop support.

Users' domain accounts are added into the local admin group due to various operational reasons, which are avoidable but effort-intensive.
Question by: fahim
LVL 22

Expert Comment

ID: 39900534
It is common practice in enterprise environments to remove all admin rights for users. It is the basis for the security policy of most companies that take security seriously.

It does mean that you need a tool like Microsoft System Center to provide software deployment, security updates ... to reduce the effort for the IT department to manage the workstations.
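The first step in the approach recommended above is knowing which domain user accounts actually sit in the local Administrators group today. The following audit script is an added example, not code from this thread; it uses the WinNT ADSI provider (available on Windows 7 / PowerShell 2.0), assumes an account with remote admin rights on the targets, and the file paths and CONTOSO names are placeholders.

```powershell
# Audit the local Administrators group on a list of domain workstations and
# report domain user accounts that are direct members but not on the approved list.
$Computers = Get-Content -Path "C:\audit\workstations.txt"        # one hostname per line (placeholder)
$Approved  = @("CONTOSO\svc-sccm-push")                            # placeholder service accounts

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $class = $_.GetType().InvokeMember("Class",   "GetProperty", $null, $_, $null)
        # ADsPath is WinNT://CONTOSO/jdoe for a domain account and
        # WinNT://CONTOSO/HOSTNAME/Administrator for a local one.
        $segments = ($path -replace "^WinNT://", "") -split "/"
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = ($segments -join "\")
            Class    = $class                                      # "User" or "Group"
            IsLocal  = ($segments.Count -ge 2 -and $segments[-2] -ieq $ComputerName)
        }
    }
}

$findings = foreach ($c in $Computers) {
    try {
        # Domain user accounts placed directly in the group are the ones the thread
        # recommends removing; domain groups and local accounts are reported separately.
        Get-LocalAdminMembers -ComputerName $c |
            Where-Object { $_.Class -eq "User" -and -not $_.IsLocal -and $Approved -notcontains $_.Member } |
            Select-Object Computer, Member
    } catch {
        Write-Warning "Could not query $c : $($_.Exception.Message)"
    }
}

$findings | Export-Csv -Path "C:\audit\local-admin-findings.csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

The CSV is the worklist to go through with application owners before pulling the accounts via Group Policy Restricted Groups or SCCM.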

Author Comment

ID: 39900574
Robocat... How about deploying things like application whitelisting using McAfee or Bit9 products? Or using the likes of BeyondTrust or Avecto etc. for restricted privilege escalation to guard against most common zero-day algorithms that thrive on Autoruns and logged-on privileges?
LVL 22

Assisted Solution

robocat earned 100 total points
ID: 39900736
Don't underestimate the effort for maintaining whitelisting solutions. And solutions like McAfee HIPS can have an impact on system performance.

I cannot comment on the other solutions you mention.

Removing admin rights also has benefits beyond security. It allows you to keep track of software installations and make sure all software is legally licensed. Etc...

LVL 27

Assisted Solution

skullnobrains earned 400 total points
ID: 39901846
Even removing admin rights will not prevent a user from installing unwanted/unlicensed software. Many programs that do not require registry access for their operation are usable from a pen drive or can be installed by simply extracting an archive in a directory.

Author Comment

ID: 39902569
Interesting viewpoints!

The dilemma is, if I have to initiate something that can be classified as a 'secure desktop build', what would be my 'must to have' as a process in an enterprise grade environment?

1. Antivirus updates
2. Patch management
3. Managed USB/CD access (can't keep it blocked forever)
LVL 22

Expert Comment

ID: 39902670
You always need to balance security and user requirements, so it really depends what kind of company you work for.

E.g. you could block USB, but in an average company this is probably overkill and would be considered unacceptable by the users.

What do we consider bare minimum for an average enterprise environment?

- no admin rights
- centrally managed anti-virus / anti-malware + reporting
- centrally managed patch management + reporting

Patch management must not only include OS patches but also application patching. Enterprise anti-virus and patch management will enable you to do this from a central console and keep an eye on any anomalies.

From there you can add more security depending on your needs, such as AppLocker, Network Access Control (NAC), ... The possibilities are almost endless.
LVL 27

Accepted Solution

skullnobrains earned 400 total points
ID: 39906133
If you want to focus on unwanted applications, you may turn to software whitelisting: it is easier and more efficient to maintain a list of software that is allowed to run on a machine rather than attempting to prevent users from getting the software.

Using the Windows built-in "software restriction policies", you can achieve something decent.

Personal firewalls can do the same and are better featured (can determine which user can run what software, additionally control network access, DLL loading, maintain checksums of files), but maintaining a proper ruleset on a group of machines may be quite a headache.

Managed USB/CD access is probably not feasible. If you could block all CD access, you probably would... and this would be useless until the users also have no internet, no mail... or rather no network connection and no keyboard.

Patch management is great, but rather useless unless you can properly determine which patch is useful and which is not, and act accordingly.

Remember that
- proper security is achieved when, even if a piece of software is breached, it does not have many more consequences than crashing it
- software that issues security patches every week is not necessarily more secure than software that does not. If a problematic vulnerability is found in a piece of software once a month, it is safer to move away from that software than to upgrade it on a daily basis
- on Windows machines, not using Internet Explorer nor Outlook, having a proper and updated antivirus + some app that performs checksum checks on DLLs and executables + something that implements control over which user can launch which app, and which application component can be launched by another, is a good start

... then when you think of a 'secure desktop build', two things come to mind

- it is probably MUCH easier to secure a desktop accessible through terminal services or equivalent
- using Windows is probably not the best bet if you expect to meet such a requirement

Start by asking yourself
- what are the things I have to work with (e.g. Windows, USB keyboards, specific software such as Lotus Notes or your internal CRM which you cannot expect to change)
- what are my users' needs (email access, offline work, file sharing ...)
- should I expect my users to voluntarily try to bypass the security measures? In which case? How good at it can I expect them to be?

Include any related information such as the need for computers to be able to be used both at home and inside the company, the fact that your company wishes your users to be able to browse the web for personal use at noon or all day long... whatever comes to mind along these lines.

When you have a list, it is easier to devise something. Feel free to post one here, we may have a few ideas.
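The whitelisting approach described in this answer (and the AppLocker option mentioned earlier in the thread) can be built from the software already present on a reference workstation, rolled out in audit mode, and only then enforced. The script below is an added example, not code from the thread; it assumes Windows 7 Enterprise / Server 2008 R2 or later with the Application Identity service running, an elevated session, and placeholder paths and account names.

```powershell
# Build an AppLocker allow-list from a reference machine, deploy it in audit mode,
# then review the events that show what enforcement would have blocked.
Import-Module AppLocker

# 1. Inventory executables in locations an unprivileged user cannot write to.
$fileInfo = @("C:\Windows", "C:\Program Files", "C:\Program Files (x86)") |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

# 2. Publisher rules survive patching; hash rules cover unsigned binaries.
#    Anything not matched is denied, which is what stops a program extracted from
#    an archive or run from a pen drive, admin rights or not.
$policyXml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix "Baseline" -Optimize -Xml

# 3. Start in audit mode so that gaps in the rule set show up as events, not as broken desktops.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath "C:\policies\applocker-baseline.xml" -Encoding UTF8   # placeholder path

# Apply locally for testing; for the fleet, import the same XML into a GPO instead.
Set-AppLockerPolicy -XmlPolicy "C:\policies\applocker-baseline.xml" -Merge

# 4. Dry-run one file for one user without waiting for events (placeholder names).
Test-AppLockerPolicy -XmlPolicy "C:\policies\applocker-baseline.xml" `
    -Path "C:\Users\jdoe\Downloads\setup.exe" -User "CONTOSO\jdoe"

# 5. Review audit events: 8003 = allowed but would be blocked in enforce mode, 8004 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-AppLocker/EXE and DLL"; Id = 8003, 8004
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run the audit for a few weeks, add rules for the legitimate 8003 hits, and only then change EnforcementMode to "Enabled".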
