Discussion on:
users with administrator privilege

I don't understand how your comment about certification programs is germane to the discussion? You make the assumption that this is about administrator power-tripping, when in fact it is about what is best for the business (or organization).

I would never lock down a machine in such a way to keep a user from doing their work. I will bend over backwards to make sure that people are in no way limited from getting their work done. But, it's not a given that locking down a machine keeps people from doing their work. It may be in your particular case and in that case I would grant the necessary rights. But in my experience, with the type of users I work with, in the business I am in, restricting user rights does not in any way keep people from getting their work done.

Most of my users don't know how to minimize a window, and can't figure out how to log in if their username isn't already typed on the first line of the logon screen. These same people will install programs sent to them by anonymous e-mail without a second thought, with no consideration whatsoever of whether it is work-related. Giving these people full access to a Windows computer attached to a network is like giving a toddler a loaded gun.
I spent a lot of time reading all the replies and there is a ton of great information here. One thing I highly agree with is to not let on that you are restricting their access while you are actually restricting them.

Here is an example of what I'm talking about:
Many years ago (back in Windows 3.11 days) I became the IS Manager for a company which was in an identical situation. Back then you couldn't really help it. But then Windows 95 came on the scene with a little more security options. And I do mean "little". But there were enough options with user accounts that would allow me the ability to semi-lockdown accounts. The rest I would handle with Novell security and later Windows NT Server.

First I went around to each of the department heads and asked them what areas of the network, servers, printers, programs, files, etc. I needed to restrict the rest of the company from but allow their people access to. I sat down with the manager or director of each division or group and created a security template with them. I presented it to them with the understanding of securing their group/dept people and work from everyone else's mistakes or mishaps with viruses, wandering eyes and all that stuff. After working it out with the Dir/Mgr I informed him/her that I would go see what I can do and get back to them.

Remember, the key here is that I worked with the dept head. So of course I went straight back to them with their proposed security plan and explained that in adding these security measures to prevent others from impacting them I would be unable to avoid impacting some of the access their dept may have been accustomed to having. I cautiously and thoroughly explained that their dept would function without issue as they have in the past and the limitations would be limited to things like not being able to freely install applications, programs, hardware, printers. I carefully explained that these were things that I should do for them so we know it is done right with the new security model.

After getting the dept head approval, I asked them to sign it. I explained why, I told them "this way I had your written blessing if anyone comes complaining about not being able to install a new screensaver, game, or whatever on their workstation". I was surprised to hear the dept head say the following and I quote (I'll never forget this one) "If anyone complains about something like that, I want to know since that tells me they aren't doing their job". You could have knocked me over with a feather. My plan worked. They bought the securing your dept from everyone else angle hook, line and sinker.

Now with today's security capabilities you have to choose from, there is much more you can do but keep in mind you want them to feel like you are helping them, not limiting them.

I hope this helps.
Ah yes, the age old issue of saving our users from themselves. GPOs are a wonderful thing.
2 years ago I set out to upgrade all of our computers to XP. At the same time I deployed the use of GPOs to secure the computers once deployed in our environment. Prior to this upgrade we would spend countless hours fixing issues caused by the classic "I don't know what happened" or "I just clicked on that". But you already are probably experiencing that.
I presented my case. How many hours could be saved by not having to rebuild computers after the users tried to install whatever application, or other "Business use application" they thought they might want to use only to uninstall and try another. Kinda like the smileys to make their email cute. OK seriously.
Remember we are protecting the computers from malicious activity, not preventing people from doing their work. This argument seemed to go far.

We submitted a list of known applications used in our company. This list was confirmed with each department manager. Any new applications would be tested in the lab first by an IT tech and confirmed by the employee to see if it meets their needs.

We proposed to lock down to prevent writing to the registry and the Windows directory. This will prevent any virus from writing to those locations. (I have only had to rebuild one computer in 2 years and that was due to a virus on a lab computer that is not under the GPO.) I have since blocked any computer that is not under GPO from accessing the internet.

On a side note: This has also made our SOX compliance audit easier since we can prove control over the systems.

Hope that helps getting you in the right direction with the powers that be.
Storch

What type of network do you run at this company? Is it routed or are you all under one subnet? How are these privileges handled? Is the info you/they handle sensitive?

What we have done is to make people admins of their 'own' computer and have the ability to log in anywhere on the network, but not as admins but users who would have access to things like email and their own personal files. Just a suggestion, but instead of trying to 'take it all away', sell the idea of total control on a machine with total LAN access on all. This makes for a great, or at least a much more secure, network.
If they're not willing to listen to reason you can always slow down repairs, and when they ask what's going on just reply "I have to figure out what so-and-so did to repair it". This is particularly useful with servers (mail or file); people tend to take notice when it directly affects them.
It is apparent that your company does not handle important/critical information or whatever. 1. Management may not be aware of government regulations (the red tape that is going to get someone gummed up). Quit that job and go work for Social Security, where you are the only one with admin privilege, and you will rest better tonight.
1) Find out what the accepted practice is for companies of similar size in the same industry. Tailor your expectations accordingly. You will not gain support from management and end-users if you are attempting to implement a policy that is excessively strict when compared with your industry peers.

2) Conduct a survey of users to determine why they believe they must have admin privileges. Too often, full admin rights are granted as a quick and dirty fix to a problem. For example, an application that didn't work correctly was "fixed" by granting full admin rights to a user instead of tweaking folder permissions. The important thing is you want to understand your users' perceived needs and come up with an acceptable solution that doesn't require the use of admin rights.

3) Begin documenting incidents involving inappropriate or careless use of admin rights by end-users. Each incident should include a description of how the business was exposed to actual or potential harm by the user's action. You can talk all you want about how unrestricted admin rights will cause problems; showing documented proof will make your case a lot more compelling.

4) Begin to build a consensus among key decision makers, especially your own boss. If the heavyweights don't buy in to your plan, you're going to find it difficult to change the status quo, especially if it means they will have to give up access rights, too. Depending on the size and complexity of your company and its IT environment, consider starting an IT Steering Committee or similar oversight group. This will give senior management shared responsibility for the success (and security) of IT operations. It will also ensure that IT's actions are consistent with the goals of the business.

5) Set reasonable expectations and take a measured approach. Every organization of any size typically has a small percentage of users that are very tech-savvy. Unless you understand their applications and computing needs really well, and can guarantee continuity of service, don't mess with them. Chances are, these are likely your most vocal opponents of tightening security and they may have a strong case for retaining their admin privs (for now). So, start by focusing on the 95% of users that probably won't put up much of a fuss about losing their admin access. The message to everyone will be clear: network security is important and the old way of doing things is over.
I completely understand your problem. When I first became involved in IT, we had to bring a number of previously independent offices into one domain. Most were not a big problem, but one office insisted that they wanted absolute control of their own computers because, of course, they knew what they were doing. Never mind that they were microbiologists and chemists, not computer experts, they demanded that they be made admins of their computers, or else they could not do their jobs.

We then instituted a "3-strikes" policy. Users were allowed to be admins as long as they demonstrated competence with the privilege. The first time they reported a problem caused by something stupid they had done that had to be resolved by IT staff, they got one strike called against them (which was recorded in a master database so we could document every instance of their incompetence). The second time would result in a second strike. If they had a third strike, they would have their admin rights revoked.

Within nine months, all employees in this office had normal user accounts and none of them were admins any longer. The problems caused by admin rights ranged from users installing illegal/pirated software to a laptop user who removed his computer from our domain and joined it to a different domain at a university affiliate to a user who made everyone in a different office admins of all the computers in their laboratory. One user couldn't solve a driver problem, so rather than call us to help him, he simply re-installed Windows from scratch and wondered why he couldn't add his re-built computer to the domain. Another user created a new local user account that he added into the Admins group as a sneaky backdoor; after his C:\ drive ran out of free space, he thought he'd be clever and delete all of those old profiles under C:\Documents and Settings, and he ended up deleting his own domain user account profile. Since he rarely saved work to the server, he lost all of his most important files. And, of course, he blamed IT for not giving him a computer with a large enough hard drive to store all of his important files locally.

You can always cite "Best Practices" that have been used in the industry for decades that recommend all users log in with a standard user account and invoke admin/root access only when necessary. This is how our IT staff works. None of us log into our workstations with admin accounts, but simply use the Windows "Run As" option whenever we need to perform an action as an administrator. Having some Linux experience is definitely helpful, since this is the default behavior of just about every Linux distribution I've ever installed (with the exception of LinSpire).
Hi. While there are several good answers here, one of the challenges that I see is that most of them overlook the fact that there is only one login id and password for the entire system. How do you track who did what? This would seem to me to make it very difficult to determine who has caused what problem on the network except for those times where you get a call from someone who admits they did something and now their computer won't work.

Since tracking of problems would seem to be a major challenge, perhaps a variation on another idea posted here would be an option. What comes to mind is to do a little research on the system and see what you can find buried around the network, with particular attention to games (internet and local) and inappropriate pictures. Make yourself a limited number of notes to help you track back to those places and then arrange a conference with the highest manager with whom you can get an audience. Then simply show them what you have found on the system, tell them that you can't tell how it got there as there is only a common id, but that having this information on the system opens the door to legal issues (like sexual harassment if you have found such pictures) and that as long as the company's computer usage policy remains wide open you can't control such usage from happening in the future. If you are not at the top of the ladder when making the initial presentation, the manager you are talking to will hopefully help you take your concerns further up the chain to the point that a decision to modify policy can actually be made.

A presentation such as I am proposing, while initially presented by itself, would work best as part of a larger presentation package as set forth in some of the other posts.

These days it does seem that one of the biggest drivers of change is the issue of legal liability, and the top of that list is sexual harassment.
I can't imagine where your people are finding the time to lounge around the 'net downloading and installing games, etc. Apparently they have lots of spare time. At my most recent company, that was cured by downsizing on a regular basis until everyone was working at least 50 hours a week just to keep up, much less find time to "play" with the computer. Perhaps your management team might find that solution palatable (unless they are the most notable offenders, of course).

My 2 cents? Procure and install "virus/spyware software of choice" Enterprise Edition so at least most of the "bugs" can be held at bay. I assume you do have control of the Internet connection and it is through a single point.

Good luck.
Can you produce any logs from servers/applications and show the work you had to do as a result?

Show them they could potentially remove a server from the network.

Think about the apps your CEOs use and how users can affect them, e.g. accessing emails/deleting emails. Deleting documents. Their access to sensitive information e.g. payroll, appraisals.
Journal
informationfac@... 29th Aug 2006
For me I find that approval is often tied to timing.

When I know that the suggestion that I am making is good, but that the decision-makers are not ready to make the "right" choice, I begin a journal to document time, problem, individuals involved, resolution.

The last time I presented my journal was at a budget meeting. A certain software was denied that was wanted by a department head. I was able to show them that if they had gone with the package I had originally presented, we could have easily added the software to the budget.

In my experience the loss has to be personal if management is not totally in tune with the principles of ROI.
That's a good idea
Ibanezoo 29th Aug 2006
...DOCUMENTATION. We can speak geek to managers all day long and they won't understand. A well written journal with specifics and dollar amounts usually can't be denied.
Fed Regs
Lando56 29th Aug 2006
I didn't catch what area of biz you are in, but many require... by law... certain restrictions to be considered 'compliant' or face some very serious consequences, including jail.

I'm certain you can figure out the rest of the 'pro' argument.
Straight up, there are plenty of good responses - and some that we don't talk about. I would maintain the professional integrity you have, choose your best options (put on your "A" game) and proceed one last time down the path to a more secure environment. Then just sit back and do your best with the env. they insist you work in. That or bail and let them know why you're leaving. If that is not an option, then just be prepared for the worst. If the worst happens, make sure the decision makers on this one feel the pain, but fix it fast. And make sure they know it could happen again 5 minutes after it is fixed because the source of the issue is still there - admin users with one login. Of the 4 or 5 major downs we have had here the last 10 years, 2 were caused by "important people" doing things they thought were fine. Ivy League smart does not mean they know IT. Good luck.
Public company?
Ibanezoo 29th Aug 2006
Dunno if you are in a public company or a company that is planning to go public, but I work in one and when we get audited for SOX they always want a complete list of who has admin rights. I think they'd pass out if I handed them a list with all the employees on it...

Having gone through this though, I find the hardest people to convince they don't need admin rights are the management staff. Usually after they kill their computers a couple times or lose precious files they give in and leave the administration to the administrators. The "normal" employees are just handed a 10 page acceptable usage policy and then they almost beg to have their admin rights taken away...

I thought SOX was going to be a major pain for our company but it is actually working out awesome for my department. Gives you muscle to do things like block admin rights; all I have to say is "it's a SOX requirement and the government says I have to, sorry".
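As an added example (not from any poster in this thread), here is a PowerShell script that builds the kind of "who has admin rights, and on which machines" list the SOX auditors above ask for, and flags any member of a workstation's local Administrators group that is not on an approved list. It assumes PowerShell 5.1 or later with PS Remoting enabled on the workstations, an account allowed to query them, and placeholder file paths and group names.

```powershell
# Added example, not from any post in this thread.
# Inventories local Administrators group membership across workstations and
# flags every member that is neither the built-in Administrator account nor an
# approved domain group. Assumes PowerShell 5.1+ with PS Remoting enabled on the
# targets. File paths and group names below are placeholders.

$computers = Get-Content -Path 'C:\audit\workstations.txt'       # placeholder: one hostname per line
$approved  = @('CORP\Domain Admins', 'CORP\Workstation Admins')   # placeholder: only groups that belong there

$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Member         = $_.Name
            ObjectClass    = $_.ObjectClass          # User or Group
            Source         = $_.PrincipalSource      # Local or ActiveDirectory
            # The built-in local Administrator account always has RID 500; it is expected.
            IsBuiltInAdmin = ($_.SID.Value -like 'S-1-5-21-*-500')
        }
    }
}

# Anything that is neither the built-in account nor an approved group is a finding.
$findings = $members | Where-Object {
    -not $_.IsBuiltInAdmin -and ($approved -notcontains $_.Member)
}

# Machines that did not answer are unknowns for the auditor, not "clean".
$answered    = $members | Select-Object -ExpandProperty PSComputerName -Unique
$unreachable = $computers | Where-Object { $answered -notcontains $_ }

# Per-machine detail for the auditors (CSV), per-account summary for deciding who to talk to first.
$findings | Sort-Object Computer, Member |
    Export-Csv -Path 'C:\audit\local-admin-findings.csv' -NoTypeInformation   # placeholder path

$findings | Group-Object Member | Sort-Object Count -Descending |
    Select-Object @{n = 'Account'; e = { $_.Name }}, @{n = 'Machines'; e = { $_.Count }} |
    Format-Table -AutoSize

Write-Host ("{0} machines listed, {1} answered, {2} unreachable, {3} unexpected admin entries" -f `
    $computers.Count, $answered.Count, $unreachable.Count, $findings.Count)
```

Run it from a management host on a schedule and keep the CSVs; a dated series of these reports is the documented evidence that the posts above recommend gathering before going to management or an auditor.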
Forgive me for saying so, but you're missing the point...sure, what you propose would make YOUR JOB EASIER, it is certainly more 'secure', but what about the client? Having pointed out the pitfalls of the current set up and its cost implications to the client, you may now have to accept that the way you think they should do things is not the way they WANT to do them....you're thinking too much like a tech and not enough about the client's wishes...Even the most rational, well presented arguments relating to IT, including those relating to security, often fall on deaf ears (even if they cost the client money) if it's not what the client wants to do...and after all, if they are prepared to pay, what's the problem? If you keep pushing you may find they take their business elsewhere....non-techies respect us, but not if we are perceived as 'pushy'...I remember being in a similar situation myself some years ago now. I kept on trying to 'educate' the person concerned, but in exasperation they said 'I hear what you say but this is how we want it, if it f***s up we call you in and you fix it, OK?!' So I suggest you drop it, and if and when things do go wrong remind them again, tactfully, that you pointed this out some time ago; maybe then they will do what you suggest. After all, from their point of view 'if it ain't broke don't fix it'. They may feel that the CHANGE is something they are not happy having to deal with; this is quite normal, people don't embrace change willingly, only when it's forced on them by circumstance...it sometimes takes people several disasters to get into the habit of doing a regular backup, for example.
For whatever purpose these users need to be administrators can usually be accomplished on an individual-by-individual basis by setting people up as power users and adding/deleting privileges and permissions via security settings in the registry. Your manager sounds like Joe-I-Don't-Know-Crap-About-Your-Job-But-I-Can-Tell-You-How-To-Do-It-Manager, in which case he/she could be taking your ideas the wrong way. He/she may be hearing, "Only I can have the Power", meaning you want to be in control. Most IT managers I have ever known were control freaks, and one way they feed this need is by taking away control of others. If you are doing that, it does nothing for him/her. Presentation is key to accomplishing what you want---make your boss look good to his/her boss---explain how giving users free rein can be detrimental to this goal. Hope this helps. I am somewhat of a control freak myself---takes one to know one.

Tim
For most companies IT is a cost. You will have to estimate, to the satisfaction of the business line people, the cost of them waiting to be able to work because they do not have the correct permissions, vs the amount of time they will be down because they knocked themselves off the network. (Both of these situations are your fault.) Unfortunately, I think that if you do this honestly you will find that it will be years before you hit break even on this one and have nearly the right permissions for everybody. Nobody cares how much money the project will save next year. They only care how much it will cost this year. I think you will find that the business line managers have already weighed these costs in their head. Often you find that you are wrong when you put it on paper, and I could be wrong right now. Neither of us will know until there is a spreadsheet involved. On the other hand, your reward for creating an ultimately flawless IT department will be losing your job, because technology is getting so easy now. LOL
Try using a product called Deep Freeze sold by Faronics. You can let them do whatever they want to the PCs; just reboot and all the changes are gone. You can specify thaw space for them to store data on the hard drive.
Wrong conception
acamilov 28th Aug 2007
Well, I agree with your company executives in the fact that the problem is not that the users' rights must be limited; they should be educated in the proper use of the computers. Nevertheless you should restrict some access to certain internet ports, like the ones used for peer-to-peer networks, basically because those do slow down the internet and could have some legal issues.
Is the guy/company still around?