Posted by Ziguana on March 14, 2006, 3:00 am
I have a rather large network and seem to have a few issues with users'
permissions. I have read a few articles mentioning that domain users (I
think) should be made a member of the local administrators group on client
machines. Is this normal practice?
Does this not weaken security?
Any advice would be appreciated.
Thanks
Posted by Ian on March 14, 2006, 3:29 am
Yes, it weakens security, but the alternative is that you have to install any
new software as Administrator, then (because the Administrator account has
separate settings for everything as well as higher privileges) reconfigure
the software again as the user. But, if you want to add or remove components,
guess what... By the time you get a new package working as you want it,
you'll have logged on and off a good few times.
It all depends on cost, as does everything in business; for me the time (and
frustration) costs of having non-Admin users greatly outweigh the costs of
dealing with the odd Trojan or two.
If we could change to Admin security-level without the perforce change of
settings that accompanies it, I'd be the first to advocate limited users.
Posted by Roger Abell [MVP] on March 14, 2006, 11:39 am
It is not a good practice, and it can lead to many problems
including compromises and excess support time expended.
It is also a fairly common practice. In part this is due to bad
software that assumes those running it will have all permissions.
In part this is due to lack of time and/or experience on the part
of those deploying an infrastructure (i.e. it works, without any
research or extra efforts).
--
Roger Abell
Microsoft MVP (Windows Server : Security)
> I have a rather large network and seem to have a few issues with users'
> permissions. I have read a few articles mentioning that domain users (I
> think) should be made a member of the local administrators group on client
> machines. Is this normal practice?
>
> Does this not weaken security?
>
> Any advice would be appreciated.
>
> Thanks
Posted by Seeker on March 14, 2006, 12:22 pm
Ziguana wrote:
> I have a rather large network and seem to have a few issues with users'
> permissions. I have read a few articles mentioning that domain users (I
> think) should be made a member of the local administrators group on client
> machines. Is this normal practice?
>
> Does this not weaken security?
>
> Any advice would be appreciated.
>
> Thanks
Yes, it weakens security. Having domain users as part of the local
admins group is not consistent with the principle of least privilege and
will lead to many more problems than it solves. Among them:
- Unauthorized software installs. Keeping track of licensed software is
easier if users don't have access to install it.
- More problems with malware such as viruses, worms and spyware
- Higher risk of compromise of the local machine due to social engineering
and local exploits
- Increased Help Desk support due to users changing settings
Trust me, this is one battle that's worth it. Normal users absolutely
should NOT need local admin in the vast majority of cases.
Consider also that, with what the articles propose, any domain user can
log on to another desktop and access the information for any other user.
That completely eliminates access control and separation of duties.
For those apps which need more rights, there are several options. You
can use tools such as filemon and regmon to identify only those areas
which the user may need additional rights to. You can ask the vendor
why their app doesn't adhere to Microsoft's own programming standards
and ask for a workaround or patch (it's a bug). You can go to sites
such as nonadmin.editme.com for even more tips and tools.
I help to administer an environment with over 600 XP workstations and
less than a dozen people have local admin. The result has been a MUCH
easier environment to manage and the users all can do their job. They
will gripe at first, but hold your ground. It's not about what they
want, it's about what they need and what is best for the business.
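The first step in winning the battle Seeker describes is knowing which workstations already have domain users (or the whole "Domain Users" group) in their local Administrators group. The following PowerShell script is an added example, not code from any poster in this thread: it queries each workstation's local Administrators group, compares every member against an explicit allowlist, and ranks the findings so the "Domain Users" case is surfaced first. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), WinRM enabled on the targets, and an account allowed to query them; the computer names and the CONTOSO group names in the allowlist are placeholders.

```powershell
# Added example (not from the thread): audit local Administrators membership
# across domain workstations and flag members not on an explicit allowlist.
# Assumptions: PowerShell 5.1+ on the targets, WinRM enabled, and the caller
# has rights to query them. Host names and CONTOSO group names are placeholders.
param(
    # Placeholder workstation names; replace with your own inventory source.
    [string[]]$ComputerName = @('WS001', 'WS002'),

    # Regex patterns for principals that are allowed to be local admins.
    # Anything not matching one of these is reported.
    [string[]]$AllowedPatterns = @(
        '^[^\\]+\\Administrator$',            # the built-in local Administrator
        '^CONTOSO\\Domain Admins$',           # placeholder domain admin group
        '^CONTOSO\\Workstation Admins$'       # placeholder delegated support group
    ),

    [string]$ReportPath = '.\LocalAdminAudit.csv'
)

# Runs on each target: list Administrators members with where they come from.
$collect = {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

$findings = foreach ($computer in $ComputerName) {
    try {
        $members = Invoke-Command -ComputerName $computer -ScriptBlock $collect -ErrorAction Stop
    } catch {
        # Unreachable host or access denied: record it and keep going.
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        $isAllowed = $false
        foreach ($pattern in $AllowedPatterns) {
            if ($m.Name -match $pattern) { $isAllowed = $true; break }
        }
        if ($isAllowed) { continue }

        # Rank the finding: a whole domain group of ordinary users is the worst
        # case, an individual domain account next, anything else needs review.
        if ($m.Name -match '\\Domain Users$') {
            $severity = 'High'
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            $severity = 'Medium'
        } else {
            $severity = 'Review'
        }

        [pscustomobject]@{
            Computer        = $m.Computer
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Severity        = $severity
        }
    }
}

$findings | Sort-Object Severity, Computer | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it from an admin workstation with a list of hosts; the CSV gives a per-machine record you can re-run after removing the unwanted members to confirm the cleanup stuck. One caveat worth knowing: Get-LocalGroupMember fails on a host whose Administrators group contains an orphaned SID (a deleted account that was never removed from the group), so a host that errors out in the warnings should be checked by hand rather than assumed clean.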