Comments appreciated on locking down worksations.

[Smelly]

Right now our 450 win2k pro users on our domain are all local
administrators. I realize this is not the brightest way to setup a secure
network environment. However, we are constantly having to uninstall and
reinstall software on users machines to fix problematic software. So I
think I came up with a solution.

Make all users standard users.
1. Put a shorcut to runas.exe in the send to menu on all workstations.
2. In the target I put c:\winnt\system32\runas.exe
/user:[domain]\administrator.
3. That I way all I have to do while logged on as a standard user, is right
click on the software install->send to->runas. It will then prompt for the
administrator password and away the install goes.

I was just wondering if there is any gotchas with doing this and also
checking to see if anybody else has a better solution.

All comments welcome

 

[Guest]

Either the admin has to come over and type the password (a
little easier than letting the admin install, but still a
nuiscance) or you just gave them the admin password. That
is a small gotcha, but they can log in as admin now if
they can find the account name, not too hard if the
usermanager is working for them. Also keyloggers or simply
watching you type can get them the password. Of course,
the good employees are not a problem, but it only takes
one to break your security. I think you can make a group
and give them install permissions, but the activities of
some installer programs could still result in problems.

 

[Smelly]

It would only be our user support who use VNC to control the users desktops
who will use the runas. It makes it easier for them and the user if they do
not have to log out. Luckily they will not be able to see them type.

Either the admin has to come over and type the password (a
little easier than letting the admin install, but still a
nuiscance) or you just gave them the admin password. That
is a small gotcha, but they can log in as admin now if
they can find the account name, not too hard if the
usermanager is working for them. Also keyloggers or simply
watching you type can get them the password. Of course,
the good employees are not a problem, but it only takes
one to break your security. I think you can make a group
and give them install permissions, but the activities of
some installer programs could still result in problems.

-----Original Message-----
Right now our 450 win2k pro users on our domain are all local
administrators. I realize this is not the brightest way to setup a secure
network environment. However, we are constantly having to uninstall and
reinstall software on users machines to fix problematic software. So I
think I came up with a solution.

Make all users standard users.
1. Put a shorcut to runas.exe in the send to menu on all workstations.
2. In the target I put c:\winnt\system32\runas.exe
/user:[domain]\administrator.
3. That I way all I have to do while logged on as a standard user, is right
click on the software install->send to->runas. It will then prompt for the
administrator password and away the install goes.

I was just wondering if there is any gotchas with doing this and also
checking to see if anybody else has a better solution.

All comments welcome


.