
vendor requires users to have "administrator" rights

Status
Not open for further replies.

david902 (MIS; joined Jan 6, 2000; 160 messages; US)

A software vendor requires users to have "administrator" rights on their own PC; this is not a very secure way to do things. I've got to prepare a report to the CIO on why we cannot allow it. Just want to run the list by you all for additional input. These are primarily from the local policy and domain policy editors.

Probable on local machine

Backup directories
Create/manipulate page file
Debug programs
Force shutdown of remote systems
Increase quotas
Increase scheduling priorities
Load and unload device drivers
Manage auditing and security logs
Modify firmware environment variables
The user can modify system environment variables (not user environment variables).
The user can use Windows NT profiling capabilities to observe the system.
Restore files and directories
Take ownership of files or other objects
Allowed to eject removable NTFS media

Possible within the domain

Access any computer on the network
Add new computers to the domain
Change system time

--

Please add your input, thanks.
 
At least one overall thing you could add to the list -- if a user is a local administrator, they can add and remove any software they like. I don't know how many machines you manage, but that can present a support nightmare if allowed to happen.

Tell your CIO that allowing users to do virtually anything they want on their own machines increases support costs. Support personnel must first determine if user-installed software is causing problems before determining a course of action.
 
How about loading a password hash cracker and breaking your 'local admin' password on the machine? Do you use different local admin passwords on every machine?

How about kicking all the other users, or even the 'domain admins', off the machine? Now you can't log in locally and can't even connect with any other account.
 
Well, we give the users ADMIN rights on their machines and user rights on the network with no problem or added work.

I'm missing the big deal ... unless your company is anal about micromanaging.
 
If you're a local admin you can do anything to the local machine - including denying access to the domain administrator (remove Domain Admins from the local Admin group).

I've had this done to me before. They can remove the PC from the domain, install anything they like (including devices such as modems - which means they can add insecure entry points to the domain/network), and generally cause a lot of headaches for the IT staff.

Unless there is a very valid, and very needed requirement for a user to have Administrator access, they shouldn't have it. Administrator access is exactly that - for the Administrator.
MCSE NT4/W2K
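
One way to detect the change described in the post above (Domain Admins removed from the local Administrators group, or extra accounts added to it), as an added example that is not part of the original thread. The function name `Test-LocalAdminBaseline`, the baseline of RIDs 500 and 512, and the sample accounts are assumptions made for illustration.

```powershell
# Added example: compare local Administrators membership against a baseline.
# Each member object needs Name and SID properties, as Get-LocalGroupMember returns.
function Test-LocalAdminBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        # Assumed baseline: RID 500 = built-in Administrator, RID 512 = Domain Admins
        [long[]] $ExpectedRids = @(500, 512)
    )
    $findings = @()
    $seenRids = @()
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        # Local and domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>
        if ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
            $rid = [long]$Matches[1]
            if ($ExpectedRids -contains $rid) { $seenRids += $rid; continue }
        }
        # Anything outside the baseline is reported, including well-known SIDs
        $findings += [pscustomobject]@{ Finding = 'UnexpectedMember'; Name = $m.Name; SID = $sid }
    }
    foreach ($rid in $ExpectedRids) {
        if ($seenRids -notcontains $rid) {
            $findings += [pscustomobject]@{ Finding = 'ExpectedMemberMissing'; Name = "RID $rid"; SID = $null }
        }
    }
    return $findings
}

# Constructed sample: Domain Admins has been removed and a domain user added.
$sample = @(
    [pscustomobject]@{ Name = 'PC042\Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';        SID = 'S-1-5-21-4444444444-5555555555-6666666666-1107' }
)
Test-LocalAdminBaseline -Members $sample | Format-Table -AutoSize

# On a live machine (Windows PowerShell 5.1 or later):
# Test-LocalAdminBaseline -Members (Get-LocalGroupMember -Group 'Administrators')
```

On a non-English Windows installation the group name is localized, so the live call needs the local name of the Administrators group.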
 
Well, it works better for me being the only one, and a good number of people here are computer savvy. What I don't want on a machine I take and tell not to do it again. With users having absolutely no rights makes my day longer.

Plus, I can still get in through the local admin account.

Had one know-it-all who wanted to disobey me, so he reformatted his computer and installed NT Advanced Server. So I disabled his account and told his boss. He knows better now. If they're Admin on their computer and just a user on the network, they can't do anything they want anyway.
 
Security... any vendor not concerned with security after 9-11 ought to be suspect anyway...

"Dollarize" your report to the CIO... estimate like this:

15% more problems = 15% less productivity for worker
and 15% more support costs.

If loaded user costs = $35,000/year/FTE, 15% = $5,250.00
If loaded support = $50,000/year/FTE, 15% = $6,000.00

If 100 employees will use the application, the additional costs for this application will effectively be $1,125,000/year.

Please feel free to fill in your numbers...

"TCO studies 'r' us"... :-)
JTB
Solutions Architect
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSA, MCSE-W2K, MCIWA, SCSA, SCNA in progress)
 