Security best practice help!!! local admin addition!

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello everyone,

I would like everyone's opinion on a subject of extreme importance to me.
Right now my company's computers are set up so that all users are ONLY
members of the local users group to enforce security across the network,
reduce support costs and is an overall good practice to follow. This is all
about to change for me. We are in the process of consolidating domain and
with this my IT managers want to add everyone to make them members of the
local administrators group!!! I strongly disagree with this and did not
make this recommendation. I am trying to prevent this from happening to my
network as I don't think this is in the best interest for the
network/company. Please give me your opinions on this and what your
companies do. Any links to articles with reasons why this is not a good
idea would be greatly appreciated and MVP/MSFT person's opinions would be
great!

Phil
 

What is the reason they are giving for making everyone local admin?

DDS W 2k MVP MCSE
 

They say it will decrease support costs (don't ask me how they came to that
conclusion. They have gotten some REALLY bad information from several
individuals here).

Phil

"Danny Sanders" <Danny.Sanders@NO-SPAMcpcmed.org> wrote in message
news:e4Geplc8EHA.1524@TK2MSFTNGP09.phx.gbl...
> What is the reason they are giving for making everyone local admin?
>
> DDS W 2k MVP MCSE

> They say it will decrease support costs

Considering the fact that elevation of privileges (getting admin privileges)
is one step a hacker will attempt after getting access to a system, they
will succeed in cutting down the work a hacker has to do.

Considering the fact that if a user clicked on a virus, the virus will run
under the user's account. If that user has admin privileges for that
computer, they can format the C drive. A virus running under that user's
account can also.

This also does not conform to MS best practices. You should give users the
least amount of permission required to do their job.

As local admin the user can change settings to take the computer completely
off the network. I can't see how making them local admin can do anything
except cause more work.


hth
DDS W 2k MVP MCSE

> This also does not conform to MS best practices. You should give users
> the least amount of permission required to do their job.

Danny is correct, allowing users to be local admins is against our recommendations.

Furthermore: in the vast majority of cases, massive network-wide infections
happen because users run as local admins. Our customers who don't do this
generally don't have problems with worms and viruses.

Consider making an economic argument, which might help. If you switch to
all local admins, and next week some worm comes out, and every single one
of your computers gets whacked, determine what it would cost to recover from
that. Be sure to include your salary (converted to an hourly wage), the median
salaries of every employee (again converted to hourly), an estimate of the
amount of lost business, and the costs of delaying any other work.

Steve Riley
steriley@microsoft.com

Philip Nunn wrote:
> Hello everyone,
>
> I would like everyone's opinion on a subject of extreme importance to me.
> Right now my company's computers are set up so that all users are ONLY
> members of the local users group to enforce security across the network,
> reduce support costs and is an overall good practice to follow. This is all
> about to change for me. We are in the process of consolidating domain and
> with this my IT managers want to add everyone to make them members of the
> local administrators group!!! I strongly disagree with this and did not
> make this recommendation. I am trying to prevent this from happening to my
> network as I don't think this is in the best interest for the
> network/company. Please give me your opinions on this and what your
> companies do. Any links to articles with reasons why this is not a good
> idea would be greatly appreciated and MVP/MSFT person's opinions would be
> great!
>
> Phil


As long as your management is also planning to triple your IT staff to
clean up behind everyone, it should be their decision.

--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

That's like taking a group of 20 children to the amusement park, then
letting them run loose and hoping they come back. Not very responsible.
It's often done in development environments, but believe me there are better
practical ways. Giving everyone admin rights can wreak havoc on network
security.

My personal favorite is how local administrators can see in plain c l e a r
t e x t all of the service account passwords on the machine.

Consider the following scenario which I have personally taken advantage of
100 times at various client networks, and extremely large ones.
1. Domain administrators need to run backup software across the network
2. Backup software needs to install a backup agent "service" on every
workstation
3. This service runs as a Domain Admin account
4. Where is that Domain Admin password stored now? If you guessed in the
"protected" Registry of every workstation, you're right! Furthermore, any
administrator of any workstation can easily access that password in plain
clear text.

There, now everyone's a Domain Admin - is that productivity?

/Chris
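
A defender's inventory for the scenario in the post above, as an added example that is not part of the original thread: it lists services that log on with a named account (the backup-agent case) and the members of the local Administrators group. The sample rows and the names `CONTOSO\svc-backup`, `BackupAgent` and `LocalTool` are constructed; `Find-NamedAccountService` is a hypothetical helper name.

```powershell
# Added example: inventory services that log on with a named account.
# Built-in identities have no account password stored for the service.
$BuiltIn = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService|SYSTEM)|NT SERVICE\\.+)$'

function Find-NamedAccountService {
    param([Parameter(Mandatory)] [object[]] $Service)
    foreach ($s in $Service) {
        # StartName is the logon account; it is empty for some entries
        if ($s.StartName -and $s.StartName -notmatch $BuiltIn) {
            # ".\user" and "<this computer>\user" are local accounts
            $prefix = ($s.StartName -split '\\')[0]
            $local  = $prefix -eq '.' -or $prefix -eq $env:COMPUTERNAME
            [pscustomobject]@{
                Service = $s.Name
                Account = $s.StartName
                Scope   = if ($local) { 'Local' } else { 'Domain' }
            }
        }
    }
}

# Constructed sample rows shaped like Win32_Service output (hypothetical names)
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BackupAgent'; StartName = 'CONTOSO\svc-backup' }
    [pscustomobject]@{ Name = 'LocalTool';   StartName = '.\tooluser' }
)
# Expect two rows: BackupAgent (Domain) and LocalTool (Local)
Find-NamedAccountService -Service $sample | Format-Table -AutoSize

# Live audit of this workstation
Find-NamedAccountService -Service (Get-CimInstance Win32_Service) |
    Format-Table -AutoSize

# Members of the local Administrators group (well-known SID S-1-5-32-544,
# used so the query also works where the group name is localized)
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Any row with Scope `Domain` on a workstation is a service account worth reviewing for how much privilege it holds in the domain.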

Thanks for all the good input guys! I will print this out and let them read
what the real pros thought about this idea!

Thanks,

Phil

"Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
news:%23$2ocpv8EHA.1524@TK2MSFTNGP09.phx.gbl...
> That's like taking a group of 20 children to the amusement park,
> then letting them run loose and hoping they come back. Not very
> responsible. It's often done in development environments, but believe me
> there are better practical ways. Giving everyone admin rights can wreak
> havoc on network security.
>
> My personal favorite is how local administrators can see in plain c l e a r
> t e x t all of the service account passwords on the machine.
>
> Consider the following scenario which I have personally taken advantage of
> 100 times at various client networks, and extremely large ones.
> 1. Domain administrators need to run backup software across the network
> 2. Backup software needs to install a backup agent "service" on every
> workstation
> 3. This service runs as a Domain Admin account
> 4. Where is that Domain Admin password stored now? If you guessed in the
> "protected" Registry of every workstation, you're right! Furthermore, any
> administrator of any workstation can easily access that password in plain
> clear text.
>
> There, now everyone's a Domain Admin - is that productivity?
>
> /Chris