

Securing a desktop by removing local admin rights

Posted on 2014-03-03
Medium Priority
Last Modified: 2014-03-11

Is there a better/novel way to secure desktops against unwanted/unlicensed software deployments and mitigate risks from zero-day attacks than removing domain user accounts from local admin groups in a domain-connected environment of Windows 2008 AD and Windows 7 / 8 workstations?

Consider that enterprise grade antimalware on workstations is maintained and access to downloads is blocked at the perimeter web gateway. SCCM 2012 is largely used for remote desktop support.

Users' domain accounts are added to the local admin group for various operational reasons, which are avoidable but effort-intensive.
Question by:fahim
LVL 22

Expert Comment

ID: 39900534
It is common practice in enterprise environments to remove all admin rights for users. It is the basis for the security policy of most companies that take security seriously.

It does mean that you need a tool like Microsoft System Center to provide software deployment, security updates, etc. to reduce the effort for the IT department to manage the workstations.

Author Comment

ID: 39900574
Robocat... How about deploying things like application whitelisting using McAfee or Bit9 products? Or using the likes of BeyondTrust or Avecto etc. for restricted privilege escalation to guard against the most common zero-day algorithms that thrive on Autoruns and logged-on privileges?
LVL 22

Assisted Solution

robocat earned 400 total points
ID: 39900736
Don't underestimate the effort for maintaining whitelisting solutions. And solutions like McAfee HIPS can have an impact on system performance.

I cannot comment on the other solutions you mention.

Removing admin rights also has benefits beyond security. It allows you to keep track of software installations and make sure all software is legally licensed. Etc...

LVL 27

Assisted Solution

skullnobrains earned 1600 total points
ID: 39901846
even removing admin rights will not prevent a user from installing unwanted/unlicensed software. much software that does not require registry access for its operation is usable from a pen drive or can be installed by simply extracting an archive into a directory

Author Comment

ID: 39902569
Interesting viewpoints!

The dilemma is, if I have to initiate something that can be classified as a 'secure desktop build', what would be my 'must haves' as a process in an enterprise-grade environment?

1. Antivirus updates
2. Patch management
3. Managed USB/CD access (can't keep it blocked forever)
LVL 22

Expert Comment

ID: 39902670
You always need to balance security and user requirements, so it really depends what kind of company you work for.

E.g. you could block USB, but in an average company this is probably overkill and would be considered unacceptable by the users.

What do we consider bare minimum for an average enterprise environment?

- no admin rights
- centrally managed anti virus / anti-malware + reporting
- centrally managed patch management + reporting

Patch management must not only include OS patches but also application patching. Enterprise anti-virus and patch management will enable you to do this from a central console and keep an eye on any anomalies.

From there you can add more security depending on your needs, such as AppLocker, Network Access Control (NAC), ... The possibilities are almost endless.
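The "no admin rights" baseline that robocat states twice above is only verifiable if you can see who is actually in each workstation's local Administrators group. The script below is an added example, not code from the thread or from any product mentioned in it: it audits the local Administrators group on a list of domain workstations through the ADSI WinNT provider (which works on Windows 7 / PowerShell 2.0, where Get-LocalGroupMember does not exist) and flags members outside an assumed baseline. The file workstations.txt, the baseline group names and the output path are assumptions.

```powershell
# Added example: report unexpected local Administrators group members across workstations.
# Assumes: run as a domain account with remote admin rights on the targets, firewall allows
# remote SAM/registry access, and workstations.txt (constructed) holds one hostname per line.
$computers = Get-Content -Path .\workstations.txt

# Assumed baseline: members that are expected to be in the local Administrators group.
$allowed = @('Administrator', 'Domain Admins', 'Workstation Admins')

$report = foreach ($pc in $computers) {
    try {
        # Bind to the local group over the WinNT provider; works without the LocalAccounts module.
        $group   = [ADSI]"WinNT://$pc/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # Each member is a COM object; pull its Name property via late binding.
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped: an unmanaged
        # machine is itself a finding for the "centrally managed + reporting" baseline.
        New-Object PSObject -Property @{ Computer = $pc; Member = '<unreachable>'; Unexpected = $true }
        continue
    }
    foreach ($m in $members) {
        New-Object PSObject -Property @{
            Computer   = $pc
            Member     = $m
            Unexpected = ($allowed -notcontains $m)   # domain user accounts will land here
        }
    }
}

# Show the deviations on screen and keep the full inventory for tracking the cleanup over time.
$report | Where-Object { $_.Unexpected } | Sort-Object Computer | Format-Table Computer, Member -AutoSize
$report | Export-Csv -Path .\local-admins.csv -NoTypeInformation
```

Re-running the script after each cleanup round, and diffing the CSV, gives the reporting robocat lists as part of the minimum; a group that regains unexpected members between runs points at whatever process (support scripts, imaging, self-service installs) is re-adding them.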
LVL 27

Accepted Solution

skullnobrains earned 1600 total points
ID: 39906133
if you want to focus on unwanted applications, you may turn to software whitelisting: it is easier and more efficient to maintain a list of software that is allowed to run on a machine than to attempt to prevent users from getting the software.

using the windows built-in "software restriction policies", you can achieve something decent.

personal firewalls can do the same and are better featured (can determine which user can run what software, additionally control network access, dll loading, maintain checksums of files) but maintaining a proper ruleset on a group of machines may be quite a headache.


managed usb/cd access is probably not feasible. if you could block all cd access, you probably would... and this would be useless unless the users also have no internet, no mail... or rather no network connection and no keyboard


patch management is great, but rather useless unless you can properly determine which patch is useful and which is not, and act accordingly

remember that
- proper security is achieved when, even if a software is breached, it does not have many more consequences than crashing it
- software that issues security patches every week is not necessarily more secure than software that does not. if a problematic vulnerability is found in a software once a month, it is safer to move away from that software than to upgrade it on a daily basis
- on windows machines, not using internet explorer or outlook, having a proper and updated antivirus + some app that performs checksum checks on dlls and executables + something that implements control over which user can launch which app, and which applicative component can be launched by another, is a good start


... then when you think of a 'secure desktop build', two things come to mind

- it is probably MUCH easier to secure a desktop accessible through terminal services or equivalent
- using windows is probably not the best bet if you expect to meet such a requirement


start by asking yourself
- what are the things i have to work with (ex : windows, usb keyboards, specific software such as lotus notes or your internal CRM which you cannot expect to change)
- what are my user needs (email access, offline work, file sharing ...)
- should i expect my users to voluntarily try to bypass the security measures? in which case? how good at it can i expect them to be?

include any related information such as the need for computers to be able to be used both at home and inside the company, the fact that your company wishes your users to be able to browse the web for personal use at noon or all day long... whatever comes to mind along these lines

when you have a list, it is easier to devise something. feel free to post one here, we may have a few ideas
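The whitelisting approach in this answer (and the AppLocker mention earlier in the thread) can be bootstrapped from a reference build rather than hand-written. The script below is an added example, not code from the thread: it uses the Windows AppLocker cmdlets to generate publisher/hash allow rules from the executables installed on a clean Windows 7 Enterprise / Windows 8 Enterprise image, switches the policy to audit-only so nothing is blocked yet, and tests how it would treat a program extracted from an archive, which is exactly the case skullnobrains says admin-rights removal alone does not catch. The test file path, the output path, and the EnforcementMode attribute string that New-AppLockerPolicy emits are assumptions.

```powershell
# Added example: build an audit-only AppLocker allow-list from a reference build.
# Assumes an AppLocker-capable edition (Win7/8 Enterprise, Server 2008 R2+), run as admin,
# and that C:\Temp\portable-tool.exe (constructed) exists on the machine being tested.
Import-Module AppLocker

# 1. Collect publisher, hash and path information for every .exe on the reference image.
$info = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

# 2. Prefer publisher rules (survive version updates), fall back to hash rules for unsigned
#    binaries; -Optimize merges rules per publisher so the ruleset stays maintainable.
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in audit-only mode: denied launches are logged to the AppLocker event log
#    without being blocked, so real user needs surface before enforcement. (Assumes the
#    generated XML carries EnforcementMode="NotConfigured" on each RuleCollection.)
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# 4. Ask the policy what it would do with a tool a user copied out of a zip file.
#    Expected decision for an unknown, unsigned binary: Denied (in audit mode, logged only).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Temp\portable-tool.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally on a pilot machine. For the fleet, import the same XML into a GPO
#    (Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://<gpo-path>") and make sure
#    the Application Identity service is running on clients, or rules are never evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Review the audit events for a few weeks, add rules for legitimately needed software, and only then flip EnforcementMode to Enabled; the allow-list also doubles as the licensing inventory robocat mentions.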
