Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Mon, 7 Dec 2009 11:49:09 -0700
BeyondTrust's Privilege Manager is nice, not perfect, but very nice. If you take a look at it you should also look at Avecto's Privilege Guard.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Monday, December 07, 2009 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Although I haven't tried it, I saw a very interesting demonstration by BeyondTrust of their product Privilege Manager whereby the user gets user rights to everything except the applications the Active Directory administrator identifies as requiring administrator rights. So it's the opposite of the dougzuck plan. If I get some time I'll probably work on getting it.

At 10:39 AM 12/5/2009, Michael Stanclift wrote:

Politics

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231

Think before you print!

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case [ecase () EMAIL ARIZONA EDU]
Sent: Friday, December 04, 2009 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Why not just make users, users and remove admin rights altogether? There are very few programs anymore that require admin rights to run. The only two I can think of off the top of my head are Meeting Maker (it caches the calendars in its folder) and old installs of Eudora (where the mail is stored in the Eudora folder).

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Friday, December 04, 2009 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Another interesting option I saw, that I don't think is documented in the linked guide, is you can allow local administrators to bypass the rules, which is helpful in our situation where the users are Power Users but our technicians may find the restrictions we'd place on them limiting. (Not being able to run Windows Updates from IE or install programs through ActiveX, etc.)

Under Computer Configuration > Policies > Windows Settings > Software Restriction Policies > Enforcement ... change to "All users except local administrators"

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231

Help keep our campus green, think before you print!
RUCS will never ask you for your password!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
Sent: Friday, December 04, 2009 10:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

This is very intriguing. I imagine that this would also limit active installs in IE the way a standard user would be limited.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Hanson
Sent: Friday, December 04, 2009 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Todd,

This article explains how to drop user rights from applications. I have been testing it and it works well. We are on Windows XP here. I created a reg file from the instructions and we are going to roll this out to our faculty and staff to drop browser user rights to help slow down browser malware infections. You should be able to use this to drop the rights of any application.

It is not foolproof and there are some issues that the lack of Admin user causes. It is, however, one more layer of defense in the never ending battle.

http://dougzuck.com/decrease-malware-infections-using-software-restriction-policies

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
(218)-723-7097
mhanson () css edu

"Plesco, Todd" <tplesco () CHAPMAN EDU> 12/3/2009 5:27 PM >>>

Does anyone know of a product/application (rather than the orthodox and typical Active Directory method) which removes Microsoft "Administrator" group rights from users to be replaced with "User" or "Power User" group rights without impacting existing applications which were installed with Administrator privilege?

One of our desktop managers is looking for the "easy" application based method to do this without bringing in a full Active Directory GPO & OU development project. The end result being sought is that further applications may not be installed by users but existing applications will still function.

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041
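Added example, not part of the thread or the linked article: a Python audit of a `.reg` export that reports the Software Restriction Policies enforcement scope Michael Stanclift describes and the per-application path rules of the kind Mike Hanson mentions rolling out. It assumes the standard SRP policy registry layout (`CodeIdentifiers` key, `PolicyScope` and `DefaultLevel` values, level-numbered `Paths` subkeys) and plain string `ItemData` values; the sample `.reg` text, GUID and rule path are constructed.

```python
import re

# SRP security levels; the level subkey name is the decimal form of the value.
LEVELS = {0x0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
          0x20000: "Basic User", 0x40000: "Unrestricted"}
SCOPES = {0: "All users", 1: "All users except local administrators"}
# Assumed standard SRP policy location (not taken from the thread).
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed sample .reg export; the GUID and rule path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
'''

def parse_reg(text):
    """Return {key_path: {value_name: int | str}} for dword and plain string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, _, dword, string = m.groups()
                current[name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys

def audit_srp(text):
    """Summarise enforcement scope, default level and path rules in a .reg export."""
    keys = parse_reg(text)
    root = keys.get(BASE, {})
    rules = []
    for path, values in keys.items():
        m = re.fullmatch(re.escape(BASE) + r"\\(\d+)\\Paths\\\{[^}]+\}", path)
        if m and "ItemData" in values:
            rules.append((LEVELS.get(int(m.group(1)), "Unknown"), values["ItemData"]))
    return {
        "scope": SCOPES.get(root.get("PolicyScope"), "Not set"),
        "default_level": LEVELS.get(root.get("DefaultLevel"), "Not set"),
        "rules": rules,
    }
```

Calling `audit_srp(SAMPLE_REG)` returns the scope, the default level and a list of `(level, path)` rules, which makes it easy to review which applications are demoted and whether local administrators are exempt before the file is deployed.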