Securing a desktop by removing local admin rights

Posted on 2014-03-03
Last Modified: 2014-03-11

Is there a better/novell way to secure desktops against unwanted/unlicensed software deployments and mitigating risks from zero day attacks than removing domain user accounts from local admin groups in a domain connected environment of Windows 2008 AD and Windows 7 / 8 workstations?

Consider that enterprise grade antimalware on workstations is maintained and access to downloads is blocked at the perimeter web gateway. SCCM 2012 is largely used for remote desktop support.

Users domain accounts are added into the local admin group due to various opertaional reasons which are avoidable though but effort intensive.
Question by:fahim
  • 3
  • 2
  • 2
LVL 21

Expert Comment

ID: 39900534
It is common practice in enterprise environments to remove all admin rights for users.  It is the basis for the security policy of most companies that take security serious.

It does mean that you need a tool like Microsoft system center to provide software deployment, security updates ... to reduce the effort for the IT department to manage the workstations.

Author Comment

ID: 39900574
Robocat...How about deploying things like application whitelisting using mcAfee or Bit9 products? or using the likes of BeyondTrust or Avecto etc for restricted previlege escalation to guard against most common Zero day algorithms that thrive on Autoruns and logged on previleges?
LVL 21

Assisted Solution

robocat earned 100 total points
ID: 39900736
Don't underestimate the effort for maintaining whitelisting solutions. And solutions like McAfee HIPS can have an impact on system performance.

I can not comment on the other solutions you mention.

Removing admin rights also has benefits beyond security. It allows you to keep track of software installations and make sure all software is legally licensed. Etc...
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

LVL 26

Assisted Solution

skullnobrains earned 400 total points
ID: 39901846
even removing admin rights will not prevent a user from installing unnwanted/unlicenced software. many software that do not require registry access for their operations are usable from a pen drive or can be installed by simply extracting an archive in a directory

Author Comment

ID: 39902569
Interesting viewpoints!

The dilemma is, if I have to initiate something that can be classified as a 'secure desktop build', what would be my 'must to have' as a process in an enterprise grade environment?

1. Antivirus updates
2. patch management
3. Managed USB/CD access ( can't keep it blocked for always)
LVL 21

Expert Comment

ID: 39902670
You always need to balance security and user requirements, so it really depends what kind of company you work for.

E.g. you could block USB, but in an average company this is probably overkill and would be considered unacceptable by the users.

What do we consider bare minimum for an average enterprise environment?

- no admin rights
- centrally managed anti virus / anti-malware + reporting
- centrally managed patch management + reporting

Patch management must not only include OS patches but also application patching. Enterprise anti-virus and patch management will enable you to do this from a central console and keep an eye on any anomalies.

From there you can add more security depending on your needs, such as applocker, Network Access control (NAC), ... The possibilities are almost endless.
LVL 26

Accepted Solution

skullnobrains earned 400 total points
ID: 39906133
if you want to focus on unwanted applications, you may turn to software whitelisting : it is easier and more efficient to maintain a list of software that is allowed to run on a machine rather than attempting to prevent users from getting the software.

using the windows builtin "software restriction policies", you can achieve something decent.

personnal firewalls can do the same and are better featured (can determine which user can run what software, additionally control network access, dll loading, maintain checksums of files) but maintaining a proper ruleset on a group of machines may be quite a headache.


managed usb/cd access is probably not feasible. if you could block all cd access, you probably would... and this would be useless until the users, also have no internet, no mail... or rather no network connection and no keyboard


patch management is great, but rather useless unless you can properly determine which patch is useful and which is not, and act accordingly

remember that
- proper security is achieved when even if a software is breached, it does not have many more consequences that crashing it
- software that issue security patches every week are not necessarily more secure that software that do not. if a problematic vulnerability is found in a software once a month, it is safer to move away from that sofware than to upgrade it on a daily basis
- on windows machines, not using internet explorer, nor outlook, have a proper and updated antivirus + some app that performs checksum checks on dlls and executables + something that implement control over which user can launch which app, and which applicative component can be launched by another is a good start


... then when you think of a 'secure desktop build', two things come to mind

- it is probably MUCH easier to secure a desktop accessible through terminal services or equivalent
- using windows is probably not the best bet it you expect to meet such a requirement


start by asking yourself
- what are the things i have to work with (ex : windows, usb keyboards, specific software such as lotus notes or your internal CRM which you cannot expect to change)
- what are my user needs (email access, offline work, file sharing ...)
- should i expect my users to voluntarily try to bypass the securities ? in which case ? how good at it can i expect them to be ?

include any related information such as the need for computers to be able to be used both at home and inside the company, the fact that your company wishes you users to be able to browse the web for personal use at noon or all day long... whatever comes to mind along these lines)

when you have a list, it is easier to devise something. feel free to post one here, we may have a few ideas

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now