Security for roaming profiles

Let's say in a given environment you have most users assigned roaming profiles and all users are in the local administrators group on the Windows 7 workstations.  If a member of management logs into a different workstation, the profile (including Documents, Pictures, etc) will be copied down from the server and stored on the local machine.  If a different random user logs into the same station, being a local administrator of the Windows 7 machine they could just go to C:\Users\ and browse through everyone's documents.  Is there a way to prevent this through group policy or something since the default permissions on c:\users allows for local admins to fully interact with all folders in c:\users?
Steve Bantz (IT Manager) asked:
McKnife commented:
Local admins can undo or circumvent any security measure. There is no use in asking until you remove administrative permissions.
NinjaStyle82 (Systems Administrator) commented:
Do this to delete the profile at log off.
https://support.microsoft.com/en-us/kb/274152

If you want to redirect certain things like Documents, etc., you can do folder redirection on those locations:
https://technet.microsoft.com/en-us/library/jj649078.aspx
NinjaStyle82 (Systems Administrator) commented:
I agree having them as local admins is not best practice, but to answer your question, the above should do it.
William Fulks (Systems Analyst & Webmaster) commented:
There's a group policy called "Add the Administrator security group to the roaming user profile share policy" (under HKLM\Software\Policies\Microsoft\Windows\System) that you can set which should keep them from getting into those profiles.

However, you will have to manually change the permissions for any existing profiles if the policy was not previously set. It doesn't go back and reset permissions for any pre-existing profiles saved in the Users folder.
NinjaStyle82 (Systems Administrator) commented:
William's solution set to "Disabled" would work unless one user decided to change ownership of another's profile. They can theoretically still access it as a local admin on the PC.
William Fulks (Systems Analyst & Webmaster) commented:
True, someone could take ownership and still view the files, but then they'd have to grant the ownership back or else it'll jack up the profile. At least that way you'd know if somebody was accessing someone else's files.

I do agree that granting everyone local admin rights and then trying to limit those rights will just create headaches.
McKnife commented:
About deleting, Frank: Admins that knew about it would use undelete. If cipher.exe were used to safely overwrite, they'd come up with another way.

Useless, admins and security is not possible.
NinjaStyle82 (Systems Administrator) commented:
About deleting, Frank: Admins that knew about it would use undelete. If cipher.exe were used to safely overwrite, they'd come up with another way.

That's a bit extreme for 99.999% of users.
McKnife commented:
Either we go and protect the best we can or we trust. If we trust, then why delete at all?
NinjaStyle82 (Systems Administrator) commented:
Don't be ridiculous. You protect against your own users to a point.
NinjaStyle82 (Systems Administrator) commented:
Furthermore, they obviously trust the users enough to make them local admins, but not enough to view each other's files... that's their point. 9/10 it is not up to the IT dept to make these calls.
McKnife commented:
Ok, that's a matter of opinion. I work in defense. This is a half-baked measure in my eyes, that's all. I don't go and talk people out of it, especially not in a forum.
NinjaStyle82 (Systems Administrator) commented:
It's not something I would personally do either. I just don't understand the desire to try to change a random organization's entire security practice based on a simple question on a forum.
Spike99 (On-Site IT Technician) commented:
I wouldn't have all users be local administrators, but if that can't be changed, you could avoid the issues caused by snooping by having user documents redirected to a network share rather than have them "roam" with the user.

If My Documents, Pictures, etc. were redirected to a network folder that the user has exclusive rights to, then it wouldn't matter if other users have admin rights on the PC: they wouldn't be able to access the network folder where that manager's documents are stored.

It would also have the benefit of speeding logon times because users wouldn't have to wait for all of their files to be copied down to their local profile folder. This would also reduce traffic on the network & on the file server. Users' local profile folders would also be smaller.

You can use group policy to set up folder redirection for key folders like documents, photos, favorites, etc. I would recommend that the "home" folder for the user be separate from the roaming profile folder.

In my old job this is how we set it up:
We set up server shares like this:  \\Servername\home$ and \\servername\profiles$.
Then, on the profile tab in the user's account properties in Active Directory, we set their "home folder" path to drive letter "H" and this path:  \\servername\home$\username.
We also added their roaming profile path:  \\servername\profiles$\username

Then, we used group policy to redirect the users' Documents, Favorites, etc. to H:\Documents, H:\Favorites, etc. You can also redirect the user's desktop folder, start menu, programs folder, etc. We redirected all of that to tightly control which app icons each user was able to see.

You can set up folder redirection using group policy. This is one of many pages that can be found online to describe how to do that:
https://technet.microsoft.com/en-us/library/jj649078.aspx
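The home-folder side of the setup Spike99 describes, as an added PowerShell example (not from the thread or Microsoft's documentation): it creates one user's folder under \\servername\home$ with an exclusive NTFS ACL and then sets the account's home drive and roaming profile path in AD. It assumes the ActiveDirectory module (RSAT) is installed, the share names and H: drive from the post, and a constructed user name `jdoe`.

```powershell
# Added example, not the poster's own script. Assumes RSAT / ActiveDirectory module
# and rights on the file server. Share names and drive letter are from the thread;
# the user name is a constructed example.
Import-Module ActiveDirectory

$Server   = 'servername'                       # from the thread
$User     = 'jdoe'                             # constructed example user
$HomeRoot = "\\$Server\home$"
$ProfRoot = "\\$Server\profiles$"
$HomeDir  = Join-Path $HomeRoot $User

# 1. Create the user's home folder if it does not exist yet.
if (-not (Test-Path $HomeDir)) { New-Item -ItemType Directory -Path $HomeDir | Out-Null }

# 2. Replace inherited ACEs with an explicit, exclusive ACL: SYSTEM and the
#    file server's Administrators for management, the user with Modify.
#    A local admin of some workstation gets nothing here, which is the point.
$acl = Get-Acl -Path $HomeDir
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting and drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },   # server-side admins only
    @{ Id = "$env:USERDOMAIN\$User";  Rights = 'Modify' }
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, $prop, 'Allow')))
}
Set-Acl -Path $HomeDir -AclObject $acl

# 3. Map the folder as H: and set the roaming profile path on the AD account.
Set-ADUser -Identity $User -HomeDrive 'H:' -HomeDirectory $HomeDir `
           -ProfilePath (Join-Path $ProfRoot $User)

# 4. Verify that only the three intended principals appear on the folder.
(Get-Acl -Path $HomeDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The folder-redirection policy that points Documents, Favorites, etc. at H:\ is then configured in Group Policy as described in the linked article; the script only provisions the target.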

Steve Bantz (IT Manager, author) commented:
After reading all of these suggestions (THANKS), I have come to the following solution.  As some background, the reason that people are admins of the local machine is that the mission critical piece of software used on every single machine requires admin access to perform updates to the software.

I am going to do a few things:
1. I am going to remove Domain Users from the Administrators group on the workstations using group policy.
2. I will create a Domain Global Group called Computer Administrators and use Group Policy to put this group in the Administrators group on the local machine.
3. When a scheduled update to the client software is to occur, I will put the users in the domain global group Computer Administrators so that when they log in the next morning and start the software, they will be admins.  In the afternoon or whenever I decide, I will remove the users from the global group Computer Admins.
4. Re-think my roaming users strategy and go more towards the folder redirection route.

As far as 1-3 go, is there a better way to do that?  The only problem I can see is that if every person doesn't log in and start the software THAT DAY and I remove them from the global group, the update to the software would fail.
McKnife commented:
Well, surely, that's an improvement, but no protection against whatever malicious intent.
If a computer is shared, giving admin rights to multiple users even temporarily is a sin. Imagine you will some day discover those users spy on each other, do identity theft, keylogging, stealing your domain admin password and all that - what would you do if management feels like investigating how this was possible?
Spike99 (On-Site IT Technician) commented:
Can the software updates be run as a scheduled task using encrypted credentials?
Or. could the updates be pushed out to the PCs from central location using a tool like SCCM?
Steve Bantz (IT Manager, author) commented:
I wonder if a better way to make a user a temp admin would be to create a GPO called Windows Administrators and then edit User Configuration\Preferences\Control Panel Settings\Local Users and Groups and then Update the Administrators group to add the current user.  Then, when everything is done just unlink the GPO.  Sound ok?
McKnife commented:
Sure, normally yes. Most setups have silent deployment methods incorporated so that a solution could look like this:
1. Have a scheduled task run as the system account, make it startable (but not changeable) by the users
2. Have it start setup from a certain folder where users have write access, using silent parameters
-> it will be installed
3. In order to ensure no user puts a fake setup inside, use software restriction policies or AppLocker and restrict that folder, with the exception of executables signed by that software vendor.

This isn't too complicated.
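The three steps above on one workstation, as an added PowerShell example (not McKnife's own script). It uses the Task Scheduler COM API so it also runs on Windows 7; the staging folder `C:\AppUpdates`, the task name and the `/S` silent switch are constructed assumptions, and the AppLocker rule is built from a known-good, vendor-signed copy of setup.exe.

```powershell
# Added example, not McKnife's script. Folder, task name and '/S' are assumptions;
# run elevated on the workstation. AppLocker enforcement itself is switched on via GPO.
$StageDir = 'C:\AppUpdates'                  # assumed folder the vendor setup is dropped into
$Setup    = Join-Path $StageDir 'setup.exe'
$TaskName = 'VendorUpdate'

# 1. Users may write into the folder; only SYSTEM and Administrators control it.
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
icacls $StageDir /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)M' | Out-Null

# 2. On-demand task running as SYSTEM. The SDDL gives Administrators and SYSTEM full
#    control and BUILTIN\Users read+execute, so users can start it but not change it.
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'Runs the vendor updater silently as SYSTEM'
$def.Settings.AllowDemandStart = $true
$def.Principal.UserId    = 'NT AUTHORITY\SYSTEM'
$def.Principal.LogonType = 5                 # TASK_LOGON_SERVICE_ACCOUNT
$def.Principal.RunLevel  = 1                 # TASK_RUNLEVEL_HIGHEST
$act = $def.Actions.Create(0)                # TASK_ACTION_EXEC
$act.Path      = $Setup
$act.Arguments = '/S'                        # assumed silent-install switch of the vendor setup
$sddl = 'D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;BU)'
# 6 = TASK_CREATE_OR_UPDATE; the last argument is the task's security descriptor
$svc.GetFolder('\').RegisterTaskDefinition($TaskName, $def, 6, 'NT AUTHORITY\SYSTEM', $null, 5, $sddl) | Out-Null

# 3. AppLocker: only executables carrying the vendor's signature may run, so an unsigned
#    or differently signed file dropped into the folder is blocked once enforcement is on.
Import-Module AppLocker
$sig = Get-AuthenticodeSignature -FilePath $Setup
if ($sig.Status -ne 'Valid') { throw 'setup.exe is not validly signed; not building a publisher rule from it' }
$info   = Get-AppLockerFileInformation -Path $Setup
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User 'Everyone' -RuleNamePrefix 'Vendor'
Set-AppLockerPolicy -PolicyObject $policy -Merge   # keep the existing (default) rules
# A standard user then triggers the update with:  schtasks /run /tn VendorUpdate
```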
McKnife commented:
"Sound ok?" - no, definitely not, if you would like to maintain a decent security level. It doesn't make a big difference if we make someone admin for a minute or for a lifetime - if he is a little savvy, this will be enough to take over. And you never know if he isn't. That's what security is about. Maintaining enough usability is right on the other end of the scale.
NinjaStyle82 (Systems Administrator) commented:
onequick6,

Can you get these updates in .msi files? If so you could just deploy the updates through group policy, and take the user out of the equation.

You could also deploy the software through a logon script if you get an .exe; even if you can't make it install silently it will run as the local system account if in a login/startup script.

I guess what I'm saying is, it's a good idea to not have them as local admin for a lot of reasons, but the things McKnife has mentioned are all really unlikely scenarios. You should and probably do have a written computer use policy in your company where the type of behavior mentioned by McKnife is prohibited, and most users generally do not have malicious intent.

A far more likely scenario is that you will have issues with users installing malware, and adware and toolbars, and background software, and greeting card software and all of the other stuff we hate to see on people's computers.

Even though making them local admins temporarily as opposed to all the time is better, it might still lead to complaints from the user about how sometimes they can do whatever and sometimes they can't, and bla bla. Also like you mentioned it may become a maintenance nightmare.

Hopefully what I said makes sense and isn't just mindless ramblings.
Steve Bantz (IT Manager, author) commented:
Unfortunately, the software design is such that it checks with the server hosting the app on our network and if there is an update the program will just install them right then.  There is no way to manage that.
McKnife commented:
"There is no way to manage that" - sure? Nowadays, vendors get more and more security aware. Ask them what the recommended procedure for updating is.
NinjaStyle82 (Systems Administrator) commented:
Another option is something like procmon to see exactly where the software gets an access denied on a limited account, then granting write permission to domain users to that directory until the updates work correctly and the access denied errors go away.
Spike99 (On-Site IT Technician) commented:
We did something similar to what NinjaStyle82 suggested, except we created a security group for the app & then gave that group full access to the app folder. That way, only users in that group could launch the app so it could update the files that needed to be updated.
McKnife commented:
Assigning write permissions to registry keys and file system can work, but usually doesn't. Installers trigger UAC and UAC doesn't care what you modify.
Steve Bantz (IT Manager, author) commented:
Well, I have modified my approach a bit. The problem with this particular application is that it triggers updates to not only files stored in the program files folder, it will install any add-ons, like .NET, Crystal Reports, and other stuff. The vendor doesn't have anything to work with AD or any other management software.

Here is what I have done:

1. Set a group policy to remove all users from the local administrators group and just have it left with the stock settings.
2. Set a group policy for restricted groups to populate administrators with a Domain group called Computer Admins.
3. Got rid of roaming profiles and went with folder redirection storing folders and files in \\servername\users\username

When an update will occur, my only choice will be to populate the Computer Admins group with the user accounts so they become administrators of their machine while the update takes place when they launch the program on "update day."  When the updates are done, I will just empty the Computer Admins group in AD once again.  No, this isn't best practice but it is my only choice given what I am dealing with.  With roaming profiles being gone from the machine and the documents not being cached on the workstations any longer, it is more secure than it was.  Their folders on the server are secured appropriately to offer the protection I am looking for.

This is just another thing I have to be mindful of.  I already have problems with software updates to other programs due to my group policy in place to prevent malware like Cryptowall from attacking.  It prevents execution of files in temp locations and other directories that these malware programs like to use to do their damage.  I'd much rather deal with inconvenience than the aftermath of an infection.

Thanks for all of the suggestions.  I will distribute the points and hope I divide them appropriately.  :)
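The "update day" toggle from the author's final approach, as an added PowerShell example (not the author's own script): it fills and empties the Computer Admins group that the restricted-groups policy maps to local Administrators, keeps a CSV audit trail of every grant and revoke, and checks one workstation's actual Administrators membership. It assumes PowerShell 3.0 or later with the ActiveDirectory module; the CSV path, user names and workstation name are constructed.

```powershell
# Added example, not the author's script. Assumes PS 3.0+ and the ActiveDirectory module.
Import-Module ActiveDirectory

$Group   = 'Computer Admins'                   # domain group from the thread's approach
$LogFile = 'C:\Admin\update-day-grants.csv'    # assumed location for the audit trail

function Write-GrantLog([string]$User, [string]$Action) {
    [pscustomobject]@{ User = $User; Action = $Action; When = (Get-Date).ToString('s'); By = $env:USERNAME } |
        Export-Csv -Path $LogFile -Append -NoTypeInformation
}

function Grant-UpdateDayAdmin {
    # Morning of update day: add the users. The domain group only lands in their token at
    # their next logon, and it reaches local Administrators through the restricted-groups GPO.
    param([Parameter(Mandatory)][string[]]$Users)
    foreach ($u in $Users) {
        Add-ADGroupMember -Identity $Group -Members $u
        Write-GrantLog -User $u -Action 'grant'
    }
}

function Revoke-UpdateDayAdmin {
    # Afternoon: empty the group again, logging who was removed; returns the count.
    $members = @(Get-ADGroupMember -Identity $Group)
    foreach ($m in $members) {
        Remove-ADGroupMember -Identity $Group -Members $m -Confirm:$false
        Write-GrantLog -User $m.SamAccountName -Action 'revoke'
    }
    return $members.Count
}

function Get-WorkstationAdmins {
    # Enumerate local Administrators via ADSI (works on Windows 7, which lacks
    # Get-LocalGroupMember). Expect only the stock members plus DOMAIN\Computer Admins;
    # any other entry means someone added themselves while they had admin rights.
    param([Parameter(Mandatory)][string]$Computer)
    $grp = [ADSI]"WinNT://$Computer/Administrators,group"
    @($grp.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
}

# Constructed usage: grant in the morning, verify one machine, revoke later.
Grant-UpdateDayAdmin -Users 'jdoe', 'asmith'
Get-WorkstationAdmins -Computer 'WS-0042'
Revoke-UpdateDayAdmin
```

Because the group is emptied wholesale, a user who never logged on during the window simply does not get the update that day; the CSV shows who was granted and when, which is what to check when an update later turns out to have failed.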