Security Basics mailing list archives
RE: Removing Local Admin Rights...
From: "Craig, Jason" <jcraig () ucdavis edu>
Date: Thu, 27 May 2004 10:29:39 -0700
Jay, None of our users have admin rights. Most apps will run fine. We've run into quirks with label printer software, and the usual problems with Adobe apps but we've been able to make things run without any problems. Most things are well documented, and if they're not regmon and filemon are your friends. We've been running this way for 3+ years and it has made our lives much easier. -j -----Original Message----- From: KEN MORRIS [mailto:KMORRIS () kpl org] Sent: Tuesday, May 25, 2004 12:42 PM To: Jay Lopez; security-basics () lists securityfocus com Subject: RE: Removing Local Admin Rights... Jay, First thing I would do would be to check to see if there is any non-M$ programs installed that are needed in the organization. IF there are, thoroughly test those programs under both O/S before removing local admin rights. Some software will run only under local admin user accounts. I have tried here and found that in certain programs there is no work around other than local admin to allow users to run the software. Even setting them as power users does not work. Regards, Ken -----Original Message----- From: Jay Lopez [mailto:jlopez_si86 () hotmail com] Sent: Tuesday, May 25, 2004 9:48 AM To: security-basics () lists securityfocus com Subject: Removing Local Admin Rights... I currently work for an organization with approximately 25,000 Windows XP/2000 desktops in an Active Directory (AD) environment. Security from an OS and individual application component (i.e., Outlook 2003, MS Office, IE, etc.) perspective is being managed via group policy objects (GPO's). Currently, we are pushing to remove local administrator access rights to individual machines to prevent users from randomly installing unapproved applications, prevent malware from being silently installed within the local administrator context, etc. Prior to our move to AD and GPO's, we received push-back on removing local admin rights for reasons such as the logon scripts would not work, etc. By chance, have any of you implemented any of the above--especially the removal of local administrator rights? If so, what support issues did you experience? What impact did removing local admin rights have? I'd like to provide as many pros and cons back to our team based on your feedback. Thanks in advance, Jay Lopez _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/ --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Removing Local Admin Rights... Jay Lopez (May 25)
- Re: Removing Local Admin Rights... Murad Talukdar (May 28)
- Re: Removing Local Admin Rights... Simon Taplin (May 31)
- <Possible follow-ups>
- RE: Removing Local Admin Rights... KEN MORRIS (May 26)
- Re: Removing Local Admin Rights... Barrie Dempster (May 27)
- Re: Removing Local Admin Rights... Tom Stowell (May 26)
- Re: Removing Local Admin Rights... Brian Dunbar (May 27)
- RE: Removing Local Admin Rights... Craig, Jason (May 27)
- Re: Removing Local Admin Rights... Simon Taplin (May 31)
- RE: Removing Local Admin Rights... Robinson, Sonja (May 27)
- DNS and SMTP kaps lock (May 28)
- Re: DNS and SMTP Byron Copeland (May 31)
- Re: DNS and SMTP Chris Moody (May 31)
- Re: DNS and SMTP Russell J. Wood (May 31)
- DNS and SMTP kaps lock (May 28)
- RE: Removing Local Admin Rights... Daszczyszak, Roman L. SPC (1AD 501 MI BN ACE IMO) (May 29)
- Re: Removing Local Admin Rights... Murad Talukdar (May 28)