Security best practice help!!! local admin addition!

Archived from groups: microsoft.public.windowsxp.security_admin

Hello everyone,

I would like everyone's opinion on a subject of extreme importance to me.
Right now my company's computers are set up so that all users are ONLY
members of the local users group to enforce security across the network,
reduce support costs and is an overall good practice to follow. This is all
about to change for me. We are in the process of consolidating domain and
with this my IT managers want to add everyone to make them members of the
local administrators group!!! I strongly disagree with this and did not
make this recommendation. I am trying to prevent this from happening to my
network as I don't think this is in the best interest for the
network/company. Please give me your opinions on this and what your
companies do. Any links to articles with reasons why this is not a good
idea would be greatly appreciated and MVP/MSFT person's opinions would be
great!

Phil
  1. What is the reason they are giving for making everyone local admin?

    DDS W 2k MVP MCSE
  2. They say it will decrease support costs (don't ask me how they came to that
    conclusion. They have gotten some REALLY bad information from several
    individuals here).

    Phil
  3. > They say it will decrease support costs

    Considering the fact that elevation of privileges (getting admin privileges)
    is one step a hacker will attempt after getting access to a system, they
    will succeed in cutting down the work a hacker has to do.

    Considering the fact that if a user clicked on a virus, the virus will run
    under the user's account. If that user has admin privileges for that
    computer, they can format the C drive. A virus running under that user's
    account can also.

    This also does not conform to MS best practices. You should give users the
    least amount of permission required to do their job.

    As local admin the user can change settings to take the computer completely
    off the network. I can't see how making them local admin can do anything
    except cause more work.


    hth
    DDS W 2k MVP MCSE
  4. > This also does not conform to MS best practices. You should give users
    > the least amount of permission required to do their job.

    Danny is correct, allowing users to be local admins is against our recommendations.

    Furthermore: in the vast majority of cases, massive network-wide infections
    happen because users run as local admins. Our customers who don't do this
    generally don't have problems with worms and viruses.

    Consider making an economic argument, which might help. If you switch to
    all local admins, and next week some worm comes out, and every single one
    of your computers gets whacked, determine what it would cost to recover from
    that. Be sure to include your salary (converted to an hourly wage), the median
    salaries of every employee (again converted to hourly), an estimate of the
    amount of lost business, and the costs of delaying any other work.

    Steve Riley
    steriley@microsoft.com
  5. As long as your management is also planning to triple your IT staff to
    clean up behind everyone, it should be their decision.

    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  6. That's like taking a group of 20 children to the amusement park, then
    letting them run loose and hoping they come back. Not very responsible.
    It's often done in development environments, but believe me there are better
    practical ways. Giving everyone admin rights can wreak havoc on network
    security.

    My personal favorite is how local administrators can see in plain c l e a r
    t e x t all of the service account passwords on the machine.

    Consider the following scenario which I have personally taken advantage of
    100 times at various client networks, and extremely large ones.
    1. Domain administrators need to run backup software across the network
    2. Backup software needs to install a backup agent "service" on every
    workstation
    3. This service runs as a Domain Admin account
    4. Where is that Domain Admin password stored now? If you guessed in the
    "protected" Registry of every workstation, you're right! Furthermore, any
    administrator of any workstation can easily access that password in plain
    clear text.

    There, now everyone's a Domain Admin - is that productivity?

    /Chris
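
A defensive check for the scenario in the post above and for the least-privilege point made earlier in the thread, as an added example that is not part of the original posts. It assumes PowerShell 5.1 or later run elevated on the workstation; the allow-list and the `EXAMPLE` domain name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+, run elevated
# on the workstation being audited.

# Hypothetical allow-list: accounts you expect in local Administrators.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",  # built-in local account
    'EXAMPLE\Domain Admins'             # placeholder domain group
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using it
    # avoids depending on the (localizable) group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-NamedAccountService {
    # Services that log on as a named account (not a built-in service
    # identity) need that account's password kept on the machine so they
    # can start unattended.
    $builtin = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Select-Object Name, StartName, StartMode
}

$admins   = @(Get-UnexpectedLocalAdmin -Allowed $ExpectedAdmins)
$services = @(Get-NamedAccountService)

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    UnexpectedAdmins     = $admins.Name -join '; '
    NamedAccountServices = ($services |
        ForEach-Object { "$($_.Name) as $($_.StartName)" }) -join '; '
    # Both at once is the scenario in the post: people with local admin
    # rights on a machine that holds a service account's credentials.
    NeedsReview          = ($admins.Count -gt 0 -and $services.Count -gt 0)
}
```

A service listed here that runs as a domain administrator is the case to fix first, by moving it to a dedicated account with only the rights the agent needs.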

  7. Thanks for all the good input guys! I will print this out and let them read
    what the real pros thought about this idea!

    Thanks,

    Phil