Security Basics mailing list archives

RE: avoid using domain admin account installing programs

From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Fri, 27 May 2005 08:59:59 +0100

I know I tend to recommend this a lot but in this case I can say hand on
heart that I've done it on many occasions. 

Script logic is a login script tool which runs on the local workstation
with elevated rights and will allow login scripts to do things users can
not and, to my knowledge, there is no way for the user to gain elevated
privilege during script execution.

HTH

www.scriptlogic.com 


-----Original Message-----
From: Laurence Field [mailto:laurence_field () yahoo com] 
Sent: 26 May 2005 07:01
To: security-basics () securityfocus com
Subject: avoid using domain admin account installing programs



Hi list

I am observing a  project that requires installing a HDD encryption
software on 1000's of laptops. A team is currently researching various
installation methods, and the easiest has been to give test users a user
name and password (installer account) with instructions to log into the
domain using this account. The acount has a log in script & very limited
desktop & applications settings etc. ie. you can log on but run no
programs, and do nothing on the desktop. This is for XP, 2000 & NT40
clients, that will run a few required operations ie. scandisk etc., copy
the setup file on local PCs, then run the setup program. After the setup
is finished, the PC automatically reboots and the HDD software is then
installed and complete. The problem is the account they propose to use
to install this program is a domain admin account. An obvious risk is
although users cannot do anything if they login to this account (except
install the HDD software) savvy users can use this account to do an
 ything they want ie. net use etc. 

Does anybody have a better way to copy programs on a PC (NT40, XP), then
run the program as a domain admin, without the user needing to know the
domain admin account name & password? Group policy I am told in not an
option as we have NT40 laptops. 

I am sure there are better way to securely install this software. Any
tips, pointers, URLs would be appreciative.  

Thank you

LF

Current thread:

avoid using domain admin account installing programs Laurence Field (May 26)
- <Possible follow-ups>
- RE: avoid using domain admin account installing programs Andrew Shore (May 27)