Security best practice help!!! local admin addition!

[Philip Nunn]

Hello everyone,

I would like everyones opinion on a subject of extreme importance to me.
Right now my companies computers are setup so that all users are ONLY
members of the local users group to enforce security accross the network,
reduce support costs and is an overal good practice to follow. This is all
about to change for me. We are in the process of consolodating domain and
with this my IT managers want to add everyone to make them members of the
local administrators group!!! I strongly disagree with this and did not
make this recommendation. I am trying to prevent this from happening to my
network as I dont think this is in the best interest for the
network/company. Please give me your opinions on this and what your
companies do. Any links to articles with reasons why this is not a good
idea would be greatly appreciated and MVP/MSFT person's opinions would be
great!

Phil

 

[Danny Sanders]

What is the reason they are giving for making everyone local admin?

DDS W 2k MVP MCSE

 

[Philip Nunn]

They say it will decrease support costs (dont ask me how they came to that
conclusion. They have gotten some REALLY bad information from several
individuals here).

Phil

 

[Danny Sanders]

They say it will decrease support costs

Considering the fact that elevation of privileges (getting admin privileges)
is one step a hacker will attempt after getting access to a system, they
will succeed in cutting down the work a hacker has to do.

Considering the fact that if a user clicked on a virus, the virus will run
under the user's account. If that user has admin privileges for that
computer, they can format the C drive. A virus running under that user's
account can also.

This also does not conform to MS best practices. You should give users the
least amount of permission required to do their job.

As local admin the user can change settings to take the computer completely
off the network. I can't see how making them local admin can do anything
except cause more work.


hth
DDS W 2k MVP MCSE

 

[Steve Riley [MSFT]]

This also does not conform to MS best practices. You should give users

the least amount of permission required to do their job.

Danny is correct, allowing users to be local admins is against our recommendations.

Furthermore: in the vast majority of cases, massive network-wide infections
happen because users run as local admins. Our customers who don't do this
generally don't have problems with worms and viruses.

Consider making an economic argument, which might help. If you switch to
all local admins, and next week some worm comes out, and every single one
of your computers gets whacked, determine what it would cost to recover from
that. Be sure to include your salary (converted to an hourly wage), the median
salaries of every employee (again converted to hourly), an estimate of the
amout of lost business, and the costs of delaying any other work.

Steve Riley
(e-mail address removed)

 

[Bruce Chambers]

Hello everyone,

I would like everyones opinion on a subject of extreme importance to me.
Right now my companies computers are setup so that all users are ONLY
members of the local users group to enforce security accross the network,
reduce support costs and is an overal good practice to follow. This is all
about to change for me. We are in the process of consolodating domain and
with this my IT managers want to add everyone to make them members of the
local administrators group!!! I strongly disagree with this and did not
make this recommendation. I am trying to prevent this from happening to my
network as I dont think this is in the best interest for the
network/company. Please give me your opinions on this and what your
companies do. Any links to articles with reasons why this is not a good
idea would be greatly appreciated and MVP/MSFT person's opinions would be
great!

Phil

As long as your management is also planning to triple your IT staff to
clean up behind everyone, it should be their decision.

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Chris Weber [Security MVP]]

That's like being taking a group of 20 children to the amusement park, then
letting them run loose and hoping they come back. Not very responsible.
It's often done in development environments, but believe me there are better
practical ways. Giving everyone admin rights can wreak havok on network
security.

My personal favorite is how local administrators can see in plain c l e a r
t e x t all of the service account passwords on the machine.

Consider the following scenario which I have personally taken advantage of
100 times at various client networks, and extremely large ones.
1. Domain administrators need to run backup software across the network
2. Backup software needs to install a backup agent "service" on every
workstation
3. This service runs as a Domain Admin account
4. Where is that Domain Admin password stored now? If you guessed in the
"protected" Registry of every workstation, you're right! Furthermore, any
administrator of any workstation can easily access that password in plain
clear text.

There, now everyone's a Domain Admin - is that productivity?

/Chris

 

[Philip Nunn]

Thanks for all the good input guys! I will print this out and let them read
what the real pro's thought about this idea!

Thanks,

Phil