Windows Security

[Guest]

Hello,

My name is Freddy Bhagalia. I am working as a System Administrator in an
Organisation. We are into Freight Forwarding business. We have 300 plus
Computers in our Organisation and I am the Administrator of these Computers.

I was having a technical discussion with my boss (CIO of the Company). The
discussion was on "Should we give Administrator rights of the local Computer,
to the User who is the owner of that Computer.

He thinks that we should give all the Users, Administrator rights.

I am extremely against this and am arguably not in favour of that. According
to me if the Admin rights of the Computer is been given to the Users, they
can put serious problems to their own Computers and the Network. Ultimately,
the Administrator has to face the music of the Users doings.

Please let me know your views on the same as I am in a fix, on to go about
what my boss had asked me for or should I be firm on my statement to my boss
“Not to give Administrator Rights to the Users".

Regards

Freddy.Bhagalia

Jan 22

email add: (e-mail address removed)

 

[Steven L Umbach]

Hi Freddy.

I agree with you that unless there is a compelling reason regular domain
users should not be local administrators on their computers. Being a local
administrator does not give that user any special powers in the domain but
they can certainly screw up their computers in the following ways as
examples.

-- Delaying/denying the install of critical updates.
-- Installing unauthorized software including fileswap programs and
alternate web browsers.
-- Unjoining the computer from the domain or creating a local account to
logon to for the purpose of avoiding Group Policy or scripts.
-- Modifying the HKLM registry for whatever stupid reason they read or hear
about.
-- Reconfiguring tcp/ip settings.
-- Playing around with service settings.
-- Disabling, modifying settings, for or uninstalling antivirus programs.
-- More potential for malware such as trojans if operating the computer as
an administrator.
-- Modifying or disabling any personal firewalls.
-- Removing the domain admins group from the local administrators group in
an attempt to lock you out.
-- Enabling unauthorized services such as IIS or telent that can be a
security risk.
-- Modifying users/groups and access control lists to allow unauthorized
users access to the computer.
-- Changing the system time which can cause problems with kerberos.

The list goes on but that should be a good start. If he insists tell him you
are going to need a much larger budget to support the problems that will
ensue including possible large increases in malware attacks on all the
computers in the network from an infected computer and for rebuilding
misconfigured and infected workstations. --- Steve

 

[Roger Abell]

When there is use of administrator powers by the client machine
owner login, it usually derives from one of two things.
1. the organization recently updated from Win9x and so this is the
way to simulate what they are used to, were everyone can do
anything to "their" machine
or
2. there are one or more things that cannot, off-the-shelf, be done
by the users of the machines, and the belief is that they need to
be able to do it. This may be install software at will, adjust
the system time, run application X, etc.

1 is not a good reason. Because one has always lived in a high risk
fashion is not in itself a good reason to argue that one should continue
to live in such fashion.

In the case of 2, some reasons can be removed by spending the time
to find the way by which a limited account can do the thing. Many
applications that are resistant to running as non-admin can be made
to do so. Many thing users believe they should be able to do at will
are on closer examination, not really needed or unsafe (sort of a
variant of 1).

There are very many reasons not to do as you are being asked.
These include prevention of problems on the desktop which may
result in loss of productivity and also in loss of corporate private
information. These also include impacts on the larger environment
that become possible once one considers the effects from an internal
and compromised desktop.

If at all possible, resist. Find out the list of specific reasons why
they should be admins, and then address each one in turn.
If you are told they will be admins, then stand your ground on, as
you have said
"

the Administrator has to face the music of the Users doings.

"
that is, If they are admins, let them manage and clean-up their boxes.

Finally, if you have to do this, do this. However, look around for
somewhere to work where the environment is supportive of your
doing your job. Perhaps, when you loose the discussion, and are
about to do this, you conld advise that they do not need a hired
full-time network administrator, but they now need (perhap in
addition) a desktop janitor (and that comment does not include
impacts on overall networked systems health, server risks, etc.).

 

[Charlie Tame]

Hello,

My name is Freddy Bhagalia. I am working as a System Administrator in an
Organisation. We are into Freight Forwarding business. We have 300 plus
Computers in our Organisation and I am the Administrator of these
Computers.

I was having a technical discussion with my boss (CIO of the Company). The
discussion was on "Should we give Administrator rights of the local
Computer,
to the User who is the owner of that Computer.

He thinks that we should give all the Users, Administrator rights.

Freddy

I am not a pro nowadays by any means but I do follow the subject and common
trends.

Your Boss needs to consider something very important. If you join the IE
newsgroups you will find that literally thousands of problems are cause by
"Spyware" and "Adware", that is stuff installed by other programs in order
to raise revenue for the authors / distributors.

This if fine until each PC has 3 or 4 such systems installed and then things
"Seem" to stop working. It's common to say "My IE has quit" but the reality
is that something has damaged it.

If you consider 3 ad downloads per hour per machine or whatever there IS an
impact on network traffic, but the biggest impact will be the fact that
users with their personal little "Favorites" will have you running around
like a madman trying to fight "Fires" all over the place.

Some of these systems are a real pain in the neck to remove, and often
removal risks loss of connectivity and information.

Give your boss this link and invite him to see the problems, day in, day
out.
news://news.microsoft.com/microsoft.public.windows.inetexplorer.ie6.browser

I have no problem with users running things for use at breaktimes etc, such
as Yahoo, or ICQ messengers etc, but even these need to be installed with
your approval else how can you fix problems if you don't know anything about
the software. Encourage a friendly rapport with users so they don't mind
asking you, then you can explain pleasantly any objections you might have.

You also need to restrict the ability to run unsigned activex controls and
stuff. I've had very few problems with 2k server or XP yet to some here I
run "Carelessly" because I allow signed stuff. If you study the IEAK
(Explorer deployment kit) that can help you set up a consistent network with
safety restrictions yet still remain flexible if not 100% secure. Of course
if users have full admin rights they simply undo you precautions and never
ask if it's safe because they don't have to ask. This is an important
educational factor because if it won't work and they have to ask you, you
can explain the risks

There is no "Right or Wrong" here in my humble opinion, it may be good to
give sensible users admin rights, but there are a lot of problems waiting
for the unwary.

Right now I think the biggest single hazard is actually spyware and adware,
not because it's inherently malicious but because it's bundled with so many
things and not very well written, it also uses "Exploits" which is not a
responsible business method.

Feel free to print this out and invite your boss to visit the IE groups.

Charlie Tame
MVP IE/OE (When I can find time)