Local Admin Right ! Yes or No & Why

By FaisalMasood ·
I'm working for a software development company. My users are computer graduates (BCS/MCS).

Well.. I don't support the idea of giving local admin rights.

Disadvantages of local Admin Rights:
1) User can install / uninstall anything on their system
2) User can change system settings & can lower the security level
3) Malicious packages / applications are executed more easily, & that virus/malicious code can propagate to others on the network.
4) You get a large number of support calls from those desks.
5) The time spent in rebuilding the system is a waste. With proper control that time could be utilized for some constructive work.
6) You wouldn't have full control over your network.

Advantages:
1) User can install applications if they require any.
2) Some applications which don't run with a normal user can run easily with local admin rights. (Although some suggest that you can set registry & file permissions to run that application with a normal user. But finding those settings is a **** of work.)
3) Administrator can free himself from installation work & can do something constructive for the company.

Suggestion:
1) Make sure to have your corporate policies straight. Have a meeting with your boss (or big boss); include the development manager as well. Then lay out what your company wants, then act accordingly.
2) With admin rights any application can run. It is the duty of software developing companies to make sure that their applications run with normal users as well. Or at least they should document the procedure by which network administrators can run the application with a normal user if they want.

by FaisalMasood In reply to Local Admin Right ! Yes o ...

Example of my Environment:
Here in my company, we don't give local admin rights except to a few. But my experience is that users always make a mess. As most of them are well educated with BCS/MCS, they try to exploit loopholes in the design. Securing the network is not my primary task here. That's why I can't spend much time finding the registry / file settings to run software with a normal user. In the end what happens is a call & a system rebuild. Well, Ghost works well if you have similar hardware. But here we have different hardware after every 2-3 PCs.

The major hurdle for me is DLL registration. Developers here need to re-register DLLs (of our web application) on their local systems off & on, sometimes every 10 minutes during testing / debugging of COM+ components. A normal user can't run regsvr32.exe to register DLLs. That's why I have to give a few of those developers local admin rights.

Well, if anyone has a solution to my problem, then let me know. :)

Our perimeter is pretty secure, but the interior is too soft due to those admin-privileged users. I face the consequences of this sometimes.

by SAMsonite In reply to Local Admin Right ! Yes o ...

I promote giving them the benefit of the doubt and going for lighter admin security. With all my research into NT (assuming your company uses NT computers) security, I believe that your users, being graduate students, would be either A) just your average (fairly harmless) user or B) a serious hacker. I don't include those "script kiddies" or guys who just mess around on a system because they're easy to log and punish.

OK on to "Why"
I'm going to have to split this up into two messages due to the length needed for your explanation.

by SAMsonite In reply to

"Why Pro Lite"

Ok, now if the students were your average user, then I believe you are right in how much nicer it would be to lighten security and release installation to the users.

However, if you did have, say, a serious hacker amongst your students, from experience you will find that there is really no way to keep him from whatever he's intending (that doesn't mean you can't restrict or monitor him). I have seen many hackers who have the ability to bypass any password setup or security put in place on systems merely because of how much time and determination they put into it.

Now you must be asking "Should I just give up on those 'serious hackers' since there's not much I can do?" The answer to that: No, by all means do not. I recommend the light admin rights so as to give ease of use and lighten the Administrator's load. Then place restricted access on folders and files you absolutely want protected; encrypting them is a suggestion also. Finally, install a few invisible monitoring devices. These programs might include tripwire, keyloggers and remote surveillance.

Overview: How does this affect the security of the computers on the students' network?

1. Your average user will have a much easier time with his/her projects without the need of constant support-help, while serious problems will be instantly noted to the support desk by the above monitoring software.
2. Hackers of any kind, whether intentionally attempting harm to the system or just by stupid pranks, will be monitored and the front desk immediately alerted if any unusual activity was to occur.

I hope that helped, it sure helped me! :-)

by SAMsonite In reply to

Sorry, I read your message wrong on the above graduates. However, still consider the option above, as it shouldn't change all too much by them being grads vs students. They would just have more experience.

by SAMsonite In reply to

lol, sorry, that was a pretty bad mistake. I was just thinking about it and your users being grads would be a good thing, I would take it.

Because with all their experience (2-3 yrs is good enough) they should be really adept with computers and so be able to safely work by themselves, if they were to have more lenient admin privileges. Naturally they'd also be able to make those minor changes that you were talking about above with ease and not have to call support all the time if they did have the freedom to do so.

It'd no doubt lighten the load for everybody and they would appreciate and respect what you're allowing them to do, having had the experience with working computers so long.

SAM

by FaisalMasood In reply to

Was waiting for more feedback. But it seems no one is facing such a situation. :)

SAMsonite, thanks for your input.

by FaisalMasood In reply to Local Admin Right ! Yes o ...

SAMsonite,

My users are not students. They are graduates with 2-3 years experience.

by cw In reply to Local Admin Right ! Yes o ...

Depending on your OS, I would probably meet the users halfway. Using the System Policy Editor you could allow your users to access settings on their systems, but you can also restrict access to files you don't want accessed. Basically you want to make your users "power users", not admins.

Hope this helps

Chris Weber CCDP