Educause Security Discussion mailing list archives

Re: Local Admin Accounts


From: Guy Pace <gpace () SBCTC EDU>
Date: Wed, 16 Sep 2009 13:14:25 -0700

Dropping everyone to basic user would have been my preference. But, remember this was back in the early dark ages of 
Win2k and AD. We still had to deal with production applications that were based on Win95 design practices. PowerUser 
was a compromise that we had to live with for a while. Today, it should not be a problem.

Guy L. Pace, CISSP 
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 
gpace () sbctc edu 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Wednesday, September 16, 2009 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Guy Pace
Sent: Wednesday, September 16, 2009 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

We dropped _all_
users to power users, removed access to local policy and made sure that
domain admin group was part of the local admin group.

I'm surprised you saw a lot of benefits just dropping the users
to power users rather than all the way to regular users. If
I remember correctly, power users can modify the HKEY local
system registry RUN entries to persist, add files to the Windows
directory, add various browser extensions, and a lot of other 
things most malware tries to do.
