Securing a desktop by removing local admin rights

Swift used Ask the Experts™

Is there a better/novel way to secure desktops against unwanted/unlicensed software deployments and mitigate risks from zero-day attacks than removing domain user accounts from local admin groups in a domain-connected environment of Windows 2008 AD and Windows 7 / 8 workstations?

Consider that enterprise grade antimalware on workstations is maintained and access to downloads is blocked at the perimeter web gateway. SCCM 2012 is largely used for remote desktop support.

Users' domain accounts are added into the local admin group for various operational reasons, which are avoidable but effort intensive.
It is common practice in enterprise environments to remove all admin rights for users. It is the basis for the security policy of most companies that take security seriously.

It does mean that you need a tool like Microsoft System Center to provide software deployment, security updates, ... to reduce the effort for the IT department to manage the workstations.


Robocat... How about deploying things like application whitelisting using McAfee or Bit9 products? Or using the likes of BeyondTrust or Avecto etc. for restricted privilege escalation to guard against most common zero-day algorithms that thrive on Autoruns and logged-on privileges?
Don't underestimate the effort for maintaining whitelisting solutions. And solutions like McAfee HIPS can have an impact on system performance.

I can not comment on the other solutions you mention.

Removing admin rights also has benefits beyond security. It allows you to keep track of software installations and make sure all software is legally licensed. Etc...

Even removing admin rights will not prevent a user from installing unwanted/unlicensed software. Many programs that do not require registry access for their operation are usable from a pen drive or can be installed by simply extracting an archive into a directory.


Interesting viewpoints!

The dilemma is, if I have to initiate something that can be classified as a 'secure desktop build', what would be my 'must to have' as a process in an enterprise grade environment?

1. Antivirus updates
2. Patch management
3. Managed USB/CD access (can't keep it blocked forever)
You always need to balance security and user requirements, so it really depends what kind of company you work for.

E.g. you could block USB, but in an average company this is probably overkill and would be considered unacceptable by the users.

What do we consider bare minimum for an average enterprise environment?

- no admin rights
- centrally managed anti virus / anti-malware + reporting
- centrally managed patch management + reporting

Patch management must not only include OS patches but also application patching. Enterprise anti-virus and patch management will enable you to do this from a central console and keep an eye on any anomalies.

From there you can add more security depending on your needs, such as AppLocker, Network Access Control (NAC), ... The possibilities are almost endless.
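The "no admin rights" baseline above only holds if you can see where it is not being applied. The following script is an added example, not code from the thread or from any of the products mentioned: it audits the local Administrators group on a list of domain-joined workstations over the ADSI WinNT provider (which works on Windows 7/8 without newer cmdlets) and reports domain accounts that are not on an approved list, removing them only when `-Remove` is passed. The computer names and the `CONTOSO\...` group names are constructed placeholders.

```powershell
# Added example (not from the thread): audit local Administrators membership on workstations.
# Assumptions: run from a domain account that is an administrator on the target machines,
# remote administration (WinNT provider over RPC/SMB) is reachable, and the lists below
# are constructed placeholders to be replaced with your own.
param(
    [string[]]$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'),
    [string[]]$Approved  = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins'),
    [switch]$Remove   # members are only removed when this switch is given
)

$report = foreach ($c in $Computers) {
    try {
        # The WinNT provider exposes the local group on Windows 7/8 and later
        $group   = [ADSI]"WinNT://$c/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        [pscustomobject]@{ Computer = $c; Member = $null; Status = "ERROR: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $members) {
        # ADsPath looks like WinNT://CONTOSO/jsmith (domain) or WinNT://CONTOSO/WS01/Administrator (local)
        $adspath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $account = ($adspath -replace '^WinNT://', '') -replace '/', '\'
        $isLocal = $adspath -like "*/$c/*"
        if ($isLocal -or ($Approved -contains $account)) {
            $status = 'OK'
        } elseif ($Remove) {
            # Remove the member from the local Administrators group
            $group.psbase.Invoke('Remove', $adspath)
            $status = 'REMOVED'
        } else {
            $status = 'UNAPPROVED'
        }
        [pscustomobject]@{ Computer = $c; Member = $account; Status = $status }
    }
}

# Print everything, and keep a CSV of the exceptions for the reporting step mentioned above
$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

Run it without `-Remove` first and review the CSV; built-in local accounts are reported as OK because they live on the machine itself, not in the domain.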
If you want to focus on unwanted applications, you may turn to software whitelisting: it is easier and more efficient to maintain a list of software that is allowed to run on a machine than to attempt to prevent users from getting the software.

Using the Windows built-in "software restriction policies", you can achieve something decent.

Personal firewalls can do the same and are better featured (can determine which user can run which software, additionally control network access, DLL loading, maintain checksums of files), but maintaining a proper ruleset on a group of machines may be quite a headache.


Managed USB/CD access is probably not feasible. If you could block all CD access, you probably would... and this would be useless until the users also have no internet, no mail... or rather no network connection and no keyboard.


Patch management is great, but rather useless unless you can properly determine which patch is useful and which is not, and act accordingly.

Remember that:
- proper security is achieved when, even if a piece of software is breached, it does not have many more consequences than crashing it
- software that issues security patches every week is not necessarily more secure than software that does not. If a problematic vulnerability is found in a piece of software once a month, it is safer to move away from that software than to upgrade it on a daily basis
- on Windows machines, not using Internet Explorer or Outlook, having a proper and updated antivirus + some app that performs checksum checks on DLLs and executables + something that implements control over which user can launch which app, and which application component can be launched by another, is a good start


... then when you think of a 'secure desktop build', two things come to mind

- it is probably MUCH easier to secure a desktop accessible through Terminal Services or equivalent
- using Windows is probably not the best bet if you expect to meet such a requirement


Start by asking yourself:
- what are the things I have to work with (e.g. Windows, USB keyboards, specific software such as Lotus Notes or your internal CRM which you cannot expect to change)
- what are my users' needs (email access, offline work, file sharing ...)
- should I expect my users to voluntarily try to bypass the security measures? In which case? How good at it can I expect them to be?

Include any related information such as the need for computers to be usable both at home and inside the company, the fact that your company wishes your users to be able to browse the web for personal use at noon or all day long... whatever comes to mind along these lines.

When you have a list, it is easier to devise something. Feel free to post one here; we may have a few ideas.
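The whitelisting approach described in this answer (and the earlier point that portable programs extracted into a directory bypass the lack of admin rights) can be done with the AppLocker successor to Software Restriction Policies. The script below is an added example, not from the thread: it builds an allow-list from what is already installed under Program Files, dry-runs a hypothetical portable executable against it, and merges the policy locally in audit-only mode so that blocked launches are logged before anything is enforced. It assumes Windows 7 Enterprise or later with the AppLocker module and an elevated prompt; the path `C:\Users\Public\Downloads\portable-tool.exe` is a constructed placeholder.

```powershell
# Added example (not from the thread): generate and dry-run an AppLocker allow-list.
# Assumptions: elevated PowerShell on Windows 7 Enterprise or later with the AppLocker
# module; the Application Identity service must be running for enforcement to work.
Import-Module AppLocker

# Inventory executables, installers and scripts that are currently installed.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
    -FileType Exe, WindowsInstaller, Script

# Publisher rules where binaries are signed, hash rules otherwise; -Optimize merges
# redundant rules so the resulting policy stays maintainable.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Force every rule collection into audit-only mode: launches that would be blocked are
# written to the Microsoft-Windows-AppLocker event logs instead of being denied.
$policyXml = $policyXml -replace 'EnforcementMode="(Enabled|NotConfigured)"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath .\applocker-allowlist.xml -Encoding UTF8

# Dry-run: how would a program extracted into a user-writable folder be treated?
# (constructed placeholder path; point it at a real file to get a decision)
Test-AppLockerPolicy -XmlPolicy .\applocker-allowlist.xml `
    -Path 'C:\Users\Public\Downloads\portable-tool.exe' -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# Merge into the local policy; for domain-wide rollout import the same XML into a GPO.
Set-AppLockerPolicy -XmlPolicy .\applocker-allowlist.xml -Merge
```

Review the audit events for a few weeks before switching the rule collections to Enabled, since anything missing from the inventory (updaters, line-of-business tools in user profiles) will otherwise stop launching.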
