RE: Impact of removing administrative rights in an enterprise running XP

For anybody wanting to address applications and their need/lack thereof for
admin rights on machines, I highly recommend taking a look at the
Application Compatibility Toolkit. 

http://www.microsoft.com/technet/desktopdeployment/appcompat/toolkit.mspx

You can save yourself a lot of work and time with it. 

Laura 

> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler@aset.com] 
> Sent: Thursday, July 27, 2006 11:09 AM
> To: focus-ms@securityfocus.com
> Cc: Drew Simonis
> Subject: Re: Impact of removing administrative rights in an 
> enterprise running XP
>
> Drew Simonis wrote:
> > Hello all,
> > I wonder if anyone on the list who might work for a good 
> sized enterprise (10,000+ seats) has gone through the 
> excercise of removing administrative rights from the user community?
> > Aside from the effort to inventory all applications and 
> ensure that they work with restricted permissions, I forsee 
> that such an effort would likely require changes to the 
> entire support model.  Instead of relying on users to install 
> their own software, it would need to be done for them.  New 
> hardware would require intevention, etc.
> > If someone has completed this, was support a major new 
> burden, or was it not as difficult as it might be?  If it 
> was, how much of a burden was it (+ desktop support 
> headcount? +helpdesk calls?)?
> > -Ds
>
> Drew,
>
> Have not done it in as large of an organization as you 
> indicate, but have TRIED to do it in smaller organizations -- 
> and ran into MANY brick walls. It is still a 
> work-in-progress! Things are better, but we're not there yet 
> by any stretch at any organization that I am working with.
>
> The primary issue is that A LOT of applications 
> assume/require administrative privilege to work. In reality, 
> you can probably get many/most to run with less than admin 
> priv, but figuring out what is the minimum required is not an 
> easy task. And don't expect the application vendor to be any 
> help either!
>
> Trying to remove local admin priv is a trial-and-error 
> process. A lot of apps will work most of the time, then one 
> seldom-used feature breaks it.
>
> You would be surprised the apps that require privilege to 
> run... many big name ones, such as the Intuit product line. 
> There was a discussion on DShield a few months back on this 
> topic, and several people named names of applications with 
> privilege problems (but nothing close to scratching the surface!).
>
> Good luck.
>
> Oh, BTW, as you try this task, publishing a list of the 
> required minimum privilege for each application would be a 
> great help to everyone. I wanted to do that, but my clients 
> all objected.
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> (843) 849-8214
>
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.


---------------------------------------------------------------------------
---------------------------------------------------------------------------