Windows Security

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

My name is Freddy Bhagalia. I am working as a System Administrator in an
Organisation. We are into Freight Forwarding business. We have 300 plus
Computers in our Organisation and I am the Administrator of these Computers.

I was having a technical discussion with my boss (CIO of the Company). The
discussion was on "Should we give Administrator rights of the local Computer,
to the User who is the owner of that Computer.

He thinks that we should give all the Users, Administrator rights.

I am extremely against this and am arguably not in favour of that. According
to me if the Admin rights of the Computer is been given to the Users, they
can put serious problems to their own Computers and the Network. Ultimately,
the Administrator has to face the music of the Users doings.

Please let me know your views on the same as I am in a fix, on to go about
what my boss had asked me for or should I be firm on my statement to my boss
“Not to give Administrator Rights to the Users".

Regards

Freddy.Bhagalia

Jan 22

email add: freddy@writercorporation.com
3 answers Last reply
More about windows security
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Freddy.

    I agree with you that unless there is a compelling reason regular domain
    users should not be local administrators on their computers. Being a local
    administrator does not give that user any special powers in the domain but
    they can certainly screw up their computers in the following ways as
    examples.

    -- Delaying/denying the install of critical updates.
    -- Installing unauthorized software including fileswap programs and
    alternate web browsers.
    -- Unjoining the computer from the domain or creating a local account to
    logon to for the purpose of avoiding Group Policy or scripts.
    -- Modifying the HKLM registry for whatever stupid reason they read or hear
    about.
    -- Reconfiguring tcp/ip settings.
    -- Playing around with service settings.
    -- Disabling, modifying settings, for or uninstalling antivirus programs.
    -- More potential for malware such as trojans if operating the computer as
    an administrator.
    -- Modifying or disabling any personal firewalls.
    -- Removing the domain admins group from the local administrators group in
    an attempt to lock you out.
    -- Enabling unauthorized services such as IIS or telent that can be a
    security risk.
    -- Modifying users/groups and access control lists to allow unauthorized
    users access to the computer.
    -- Changing the system time which can cause problems with kerberos.

    The list goes on but that should be a good start. If he insists tell him you
    are going to need a much larger budget to support the problems that will
    ensue including possible large increases in malware attacks on all the
    computers in the network from an infected computer and for rebuilding
    misconfigured and infected workstations. --- Steve


    "Freddy" <Freddy@discussions.microsoft.com> wrote in message
    news:2D31106B-9E9B-4211-B26D-514EE6E467E9@microsoft.com...
    > Hello,
    >
    > My name is Freddy Bhagalia. I am working as a System Administrator in an
    > Organisation. We are into Freight Forwarding business. We have 300 plus
    > Computers in our Organisation and I am the Administrator of these
    > Computers.
    >
    > I was having a technical discussion with my boss (CIO of the Company). The
    > discussion was on "Should we give Administrator rights of the local
    > Computer,
    > to the User who is the owner of that Computer.
    >
    > He thinks that we should give all the Users, Administrator rights.
    >
    > I am extremely against this and am arguably not in favour of that.
    > According
    > to me if the Admin rights of the Computer is been given to the Users, they
    > can put serious problems to their own Computers and the Network.
    > Ultimately,
    > the Administrator has to face the music of the Users doings.
    >
    > Please let me know your views on the same as I am in a fix, on to go about
    > what my boss had asked me for or should I be firm on my statement to my
    > boss
    > "Not to give Administrator Rights to the Users".
    >
    > Regards
    >
    > Freddy.Bhagalia
    >
    > Jan 22
    >
    > email add: freddy@writercorporation.com
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    When there is use of administrator powers by the client machine
    owner login, it usually derives from one of two things.
    1. the organization recently updated from Win9x and so this is the
    way to simulate what they are used to, were everyone can do
    anything to "their" machine
    or
    2. there are one or more things that cannot, off-the-shelf, be done
    by the users of the machines, and the belief is that they need to
    be able to do it. This may be install software at will, adjust
    the system time, run application X, etc.

    1 is not a good reason. Because one has always lived in a high risk
    fashion is not in itself a good reason to argue that one should continue
    to live in such fashion.

    In the case of 2, some reasons can be removed by spending the time
    to find the way by which a limited account can do the thing. Many
    applications that are resistant to running as non-admin can be made
    to do so. Many thing users believe they should be able to do at will
    are on closer examination, not really needed or unsafe (sort of a
    variant of 1).

    There are very many reasons not to do as you are being asked.
    These include prevention of problems on the desktop which may
    result in loss of productivity and also in loss of corporate private
    information. These also include impacts on the larger environment
    that become possible once one considers the effects from an internal
    and compromised desktop.

    If at all possible, resist. Find out the list of specific reasons why
    they should be admins, and then address each one in turn.
    If you are told they will be admins, then stand your ground on, as
    you have said
    "
    > the Administrator has to face the music of the Users doings.
    "
    that is, If they are admins, let them manage and clean-up their boxes.

    Finally, if you have to do this, do this. However, look around for
    somewhere to work where the environment is supportive of your
    doing your job. Perhaps, when you loose the discussion, and are
    about to do this, you conld advise that they do not need a hired
    full-time network administrator, but they now need (perhap in
    addition) a desktop janitor (and that comment does not include
    impacts on overall networked systems health, server risks, etc.).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Freddy" <Freddy@discussions.microsoft.com> wrote in message
    news:2D31106B-9E9B-4211-B26D-514EE6E467E9@microsoft.com...
    > Hello,
    >
    > My name is Freddy Bhagalia. I am working as a System Administrator in an
    > Organisation. We are into Freight Forwarding business. We have 300 plus
    > Computers in our Organisation and I am the Administrator of these
    Computers.
    >
    > I was having a technical discussion with my boss (CIO of the Company). The
    > discussion was on "Should we give Administrator rights of the local
    Computer,
    > to the User who is the owner of that Computer.
    >
    > He thinks that we should give all the Users, Administrator rights.
    >
    > I am extremely against this and am arguably not in favour of that.
    According
    > to me if the Admin rights of the Computer is been given to the Users, they
    > can put serious problems to their own Computers and the Network.
    Ultimately,
    > the Administrator has to face the music of the Users doings.
    >
    > Please let me know your views on the same as I am in a fix, on to go about
    > what my boss had asked me for or should I be firm on my statement to my
    boss
    > "Not to give Administrator Rights to the Users".
    >
    > Regards
    >
    > Freddy.Bhagalia
    >
    > Jan 22
    >
    > email add: freddy@writercorporation.com
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    "Freddy" <Freddy@discussions.microsoft.com> wrote in message
    news:2D31106B-9E9B-4211-B26D-514EE6E467E9@microsoft.com...
    > Hello,
    >
    > My name is Freddy Bhagalia. I am working as a System Administrator in an
    > Organisation. We are into Freight Forwarding business. We have 300 plus
    > Computers in our Organisation and I am the Administrator of these
    > Computers.
    >
    > I was having a technical discussion with my boss (CIO of the Company). The
    > discussion was on "Should we give Administrator rights of the local
    > Computer,
    > to the User who is the owner of that Computer.
    >
    > He thinks that we should give all the Users, Administrator rights.

    Freddy

    I am not a pro nowadays by any means but I do follow the subject and common
    trends.

    Your Boss needs to consider something very important. If you join the IE
    newsgroups you will find that literally thousands of problems are cause by
    "Spyware" and "Adware", that is stuff installed by other programs in order
    to raise revenue for the authors / distributors.

    This if fine until each PC has 3 or 4 such systems installed and then things
    "Seem" to stop working. It's common to say "My IE has quit" but the reality
    is that something has damaged it.

    If you consider 3 ad downloads per hour per machine or whatever there IS an
    impact on network traffic, but the biggest impact will be the fact that
    users with their personal little "Favorites" will have you running around
    like a madman trying to fight "Fires" all over the place.

    Some of these systems are a real pain in the neck to remove, and often
    removal risks loss of connectivity and information.

    Give your boss this link and invite him to see the problems, day in, day
    out.
    news://news.microsoft.com/microsoft.public.windows.inetexplorer.ie6.browser

    I have no problem with users running things for use at breaktimes etc, such
    as Yahoo, or ICQ messengers etc, but even these need to be installed with
    your approval else how can you fix problems if you don't know anything about
    the software. Encourage a friendly rapport with users so they don't mind
    asking you, then you can explain pleasantly any objections you might have.

    You also need to restrict the ability to run unsigned activex controls and
    stuff. I've had very few problems with 2k server or XP yet to some here I
    run "Carelessly" because I allow signed stuff. If you study the IEAK
    (Explorer deployment kit) that can help you set up a consistent network with
    safety restrictions yet still remain flexible if not 100% secure. Of course
    if users have full admin rights they simply undo you precautions and never
    ask if it's safe because they don't have to ask. This is an important
    educational factor because if it won't work and they have to ask you, you
    can explain the risks :)

    There is no "Right or Wrong" here in my humble opinion, it may be good to
    give sensible users admin rights, but there are a lot of problems waiting
    for the unwary.

    Right now I think the biggest single hazard is actually spyware and adware,
    not because it's inherently malicious but because it's bundled with so many
    things and not very well written, it also uses "Exploits" which is not a
    responsible business method.

    Feel free to print this out and invite your boss to visit the IE groups.

    Charlie Tame
    MVP IE/OE (When I can find time)
Ask a new question

Read More

Windows Security Computers Windows