Re: Peeling off desktop Administrator Rights

[Eric Case <ecase () EMAIL ARIZONA EDU>]

BeyondTrust's Privilege Manager is nice, not prefect, but very nice.  If you take a look at it you should also look at 
Avecto's Privilege Guard.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> Sent: Monday, December 07, 2009 9:22 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
>
> Although I haven't tried it, I saw a very
> interesting demonstration by BeyondTrust of their
> product Privilege Manager whereby the user gets
> user rights to everything except the applications
> the Active Directory administrator identifies as
> requiring administrator rights.  So it's the
> opposite of the dougzuck plan.  If I get some
> time I'll probably work on getting it.
>
> At 10:39 AM 12/5/2009, Michael Stanclift wrote:
> > Politics
> >
> > Michael Stanclift
> > Network Analyst
> > Rockhurst University
> >
> > http://help.rockhurst.edu
> > (816) 501-4231
> >
> > PThink before you print!
> > ________________________________________
> > From: The EDUCAUSE Security Constituent Group
> > Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On
> > Behalf Of Eric Case [ecase () EMAIL ARIZONA EDU]
> > Sent: Friday, December 04, 2009 10:57 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> >
> > Why not just make users, users and remove admin
> > rights altogether?  There are very few programs
> > anymore anymore that require admin right to
> > run.  The only two I can think of off the top of
> > my head are Meeting Maker (it caches the
> > calendars in its folder) and old installs of
> > Eudora (where the mail is stored in the Eduora folder).
> > -Eric
> >
> >
> >
> > Eric Case, CISSP
> > eric (at) ericcase (dot) com
> > http://www.linkedin.com/in/ericcase
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift,
> Michael
> > > Sent: Friday, December 04, 2009 9:20 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> > >
> > > Another interesting option I saw, that I don't think it documented
> in
> > > the linked guide, is you can allow local administrators to bypass
> the
> > > rules, which is helpful in our situation where the  users are Power
> > > Users but our technicians may find the restrictions we'd place on
> them
> > > limiting. (Not being able to run Windows Updates from IE or install
> > > programs through ActiveX, etc)
> > >
> > > Under Computer Configuration > Policies > Windows Settings >
> Software
> > > Restriction Policies > Enforcement ... change to "All users except
> > > local administrators"
> > >
> > > Michael Stanclift
> > > Network Analyst
> > > Rockhurst University
> > >
> > > http://help.rockhurst.edu
> > > (816) 501-4231
> > >
> > > Help keep our campus green, think before you print!
> > > RUCS will never ask you for your password!
> > >
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
> > > Sent: Friday, December 04, 2009 10:03 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> > >
> > > This is very intriguing. I imagine that this would also limit
> active
> > > installs in IE the way a standard user would be limited.
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Hanson
> > > Sent: Friday, December 04, 2009 8:43 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
> > >
> > > Todd,
> > >
> > > This article explains how to drop user rights from applications. I
> have
> > > been testing it and it works well. We are on Windows XP here. I
> created
> > > a reg file from the instructions and we are going to roll this out
> to
> > > our faculty and staff to drop browser user rights to help slowdown
> > > browser malware infections. You should be able to use this to drop
> the
> > > rights of any application.
> > >
> > > It is not fool proof and there are some issues that the lack of
> Admin
> > > user causes. It is however, one more layer of defense in the never
> > > ending battle.
> > >
> > > http://dougzuck.com/decrease-malware-infections-using-software-
> > > restriction-policies
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Mike Hanson
> > > Network Security Manager
> > > The College of St. Scholastica
> > > Duluth, MN 55811
> > >
> > > (218)-723-7097
> > > mhanson () css edu
> > > > > > "Plesco, Todd" <tplesco () CHAPMAN EDU> 12/3/2009 5:27 PM >>>
> > > Does anyone know of a product/application (rather than the orthodox
> and
> > > typical Active Directory method) which removes Microsoft
> > > "Administrator"
> > > group rights from users to be replaced with "User" or "Power User"
> > > group rights without impacting existing applications which were
> > > installed with Administrator privilege?
> > >
> > > One of our desktop managers is looking for the "easy" application
> based
> > > method to do this without bringing in a full Active Directory GPO &
> OU
> > > development project.  The end result being sought is that further
> > > applications may not be installed by users but existing
> applications
> > > will still function.
> > >
> > > Todd A. Plesco  CISM, CBCP
> > > Chapman University, Director of Information Security One University
> > > Drive, Orange, CA 92866
> > > Phone: (714) 744-7979/Fax: (714) 744-7041