Security Basics mailing list archives
RE: Removing Local Admin Rights...
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Thu, 27 May 2004 11:46:43 -0400
Yes, we are/did the same (LAR, disallowing untested/unapproved s/w). We received pushback but the reality is, one person's convenience is 20 people's OT to patch and clean viruses. To back up your position, for each incident you have, document its cost in man hours, food, OT, travel home/limo, hardware, investigation time, everything. One small incident of 15 workstations can cost a significant amount of time and money. Frankly, the prevention can be a little time consuming and a bit of a hassle at times but it is well worth the price. Especially when your IT group hasn't slept for days because of patching. Also, the long hours reduce morale and you'll lose good technical people.

In some cases, there are apps that "require" LAR to run. We don't allow that. We actually write scripts to fix this if the vendor won't, although why vendors continue to code like this is beyond me. These apps really should not require this to run, i.e. Broderbund ClipArt among others.

You can block USB devices too. We are implementing this as well. NO removable media, no non-standard s/w, no LAR without InfoSec approval. It's reality now.

-----Original Message-----
From: Tom Stowell [mailto:jts () deforest k12 wi us]
Sent: Tuesday, May 25, 2004 3:42 PM
To: jlopez_si86 () hotmail com; security-basics () lists securityfocus com
Subject: Re: Removing Local Admin Rights...

We're a bit smaller -- 1,000 desktops running Win2k. We instituted a policy like yours about two years ago. We run into problems with USB devices, and need to install but other than that our experience has been positive. Since we instituted the policy, support requests are down about 35%.

Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts () deforest k12 wi us>

console, n. [From latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolences or obituaries for the operator.
-- Stan Kelly-Bootle, The Computer Contradictionary.
"Jay Lopez" <jlopez_si86 () hotmail com> 05/25/04 08:48AM >>>
I currently work for an organization with approximately 25,000 Windows XP/2000 desktops in an Active Directory (AD) environment. Security from an OS and individual application component (i.e., Outlook 2003, MS Office, IE, etc.) perspective is being managed via group policy objects (GPOs). Currently, we are pushing to remove local administrator access rights to individual machines to prevent users from randomly installing unapproved applications, prevent malware from being silently installed within the local administrator context, etc. Prior to our move to AD and GPOs, we received push-back on removing local admin rights for reasons such as the logon scripts would not work, etc.

By chance, have any of you implemented any of the above--especially the removal of local administrator rights? If so, what support issues did you experience? What impact did removing local admin rights have? I'd like to provide as many pros and cons back to our team based on your feedback.

Thanks in advance,
Jay Lopez

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments to it, may contain confidential information or protected health information subject to privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This transmission is intended only for the use of the recipient(s) named above. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail and destroy the original transmission in its entirety without saving it in any manner.
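The three controls discussed in this thread (trimming the local Administrators group to an approved list, scripting around apps that "require" local admin by granting them only the file and registry write access they actually need, and blocking USB mass storage) as one workstation script. This is an added example, not code from any message above, and it is written for current Windows PowerShell 5.1 rather than the cacls/regini tooling of the thread's era. It assumes an elevated session (for instance a GPO computer startup script); ExampleApp, ExampleVendor and CORP\Workstation Admins are placeholder names.

```powershell
# Added example; not from the thread. Requires Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts) and an elevated session.
# ExampleApp, ExampleVendor and CORP\Workstation Admins are hypothetical.

$AppDir         = 'C:\Program Files\ExampleApp'                 # hypothetical
$AppRegKey      = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'     # hypothetical
$ApprovedAdmins = @('Administrator', 'CORP\Workstation Admins')  # hypothetical

# --- 1. Strip unapproved members from the local Administrators group ------
# Members come back as COMPUTER\name or DOMAIN\name; drop the local-machine
# prefix so the built-in Administrator account matches the approved list.
# Everything else (typically a user's own domain account added as a "quick
# fix" by a desktop tech) is logged and removed.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = $m.Name -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), ''
    if ($ApprovedAdmins -notcontains $name) {
        Write-Output "Removing $($m.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}

# --- 2. Give the app only the write access it actually needs --------------
# Apps that "require" admin usually just write to their own install folder
# and their own registry key. Open exactly those to BUILTIN\Users and leave
# the rest of Program Files and HKLM read-only, so a compromised or
# trojaned app still cannot replace other software, services or drivers.
$users      = [System.Security.Principal.NTAccount]'BUILTIN\Users'
$dirInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$regInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$noProp     = [System.Security.AccessControl.PropagationFlags]::None

$dirAcl = Get-Acl -Path $AppDir
$dirAcl.AddAccessRule(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $users, 'Modify', $dirInherit, $noProp, 'Allow'))
Set-Acl -Path $AppDir -AclObject $dirAcl

$regAcl = Get-Acl -Path $AppRegKey
$regAcl.AddAccessRule(
    [System.Security.AccessControl.RegistryAccessRule]::new(
        $users, 'ReadKey, WriteKey', $regInherit, $noProp, 'Allow'))
Set-Acl -Path $AppRegKey -AclObject $regAcl

# --- 3. Block USB mass storage --------------------------------------------
# Start = 4 (SERVICE_DISABLED) stops the USBSTOR driver from loading, so
# USB disks and flash drives are never mounted. Keyboards and mice use the
# HID drivers and keep working. A disk that is already mounted stays until
# it is unplugged or the machine reboots.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name 'Start' -Value 4 -Type DWord

# --- 4. Verify the end state ----------------------------------------------
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
(Get-Acl -Path $AppDir).Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    Select-Object FileSystemRights, AccessControlType, IsInherited
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
```

To find out which paths an app really needs, run it as a standard user with Process Monitor (Filemon/Regmon in the thread's era) filtered on ACCESS DENIED results; the list is usually a handful of locations, not "admin". Two caveats a practitioner should weigh: granting Users Modify on the whole install folder lets any local user overwrite the app's binaries for every other user of that machine, so scope the rule to the data subfolder or registry key the app actually writes when the layout allows it; and the USBSTOR setting only blocks the storage class, not every USB device, so it is a complement to, not a substitute for, a removable-media policy.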
Current thread:
- Removing Local Admin Rights... Jay Lopez (May 25)
- Re: Removing Local Admin Rights... Murad Talukdar (May 28)
- Re: Removing Local Admin Rights... Simon Taplin (May 31)
- <Possible follow-ups>
- RE: Removing Local Admin Rights... KEN MORRIS (May 26)
- Re: Removing Local Admin Rights... Barrie Dempster (May 27)
- Re: Removing Local Admin Rights... Tom Stowell (May 26)
- Re: Removing Local Admin Rights... Brian Dunbar (May 27)
- RE: Removing Local Admin Rights... Craig, Jason (May 27)
- Re: Removing Local Admin Rights... Simon Taplin (May 31)
- RE: Removing Local Admin Rights... Robinson, Sonja (May 27)
- DNS and SMTP kaps lock (May 28)
- Re: DNS and SMTP Byron Copeland (May 31)
- Re: DNS and SMTP Chris Moody (May 31)
- Re: DNS and SMTP Russell J. Wood (May 31)
- DNS and SMTP kaps lock (May 28)
- RE: Removing Local Admin Rights... Daszczyszak, Roman L. SPC (1AD 501 MI BN ACE IMO) (May 29)
- Re: Removing Local Admin Rights... Murad Talukdar (May 28)