Re: Impact of removing administrative rights in an enterprise running XP

You can easily install patches without admin rights... the key here is 
'management' of a network.

WSUS can push out patches and the workstations do not need admin rights.

Installing of software needs rights.. but there are ways to group policy 
deploy software and do this.

The reality is that line of business apps blew off Microsoft on non 
admin.. they didn't need to follow the XP logo (that requires the 
supportability of non admin) because WE the marketplace didn't care.  
The code design for many of these applications have not changed since Win9x.

Yes, there are success stories, but it's totally dependent on a managed 
network.

IT admins have to relearn how to do tasks... learn group policy...learn 
scripting... learn how deploy software across a network.... That's the 
key... we have to learn how to do our jobs in a managed network.

Dick Venema wrote:

> Is it not supposed to be an protection measure against any virus and spyware.
>
> We are supporting networks with around 10 users.
> If I understand it well enough, it is impossible to manage pc's without direct 
> admin rights.
>
> The most isseus are with installing applications. 
> I tought that Microsoft and with them many other people almost ordered everybody to get rid of those admin rights.
>
> But from the reactions I hear, everybody complains. Are there success stories?
>
> Dick Venema
> Venema Advies
>
>
>
> -----Oorspronkelijk bericht -----
> Van: "Robert D. Holtz" <robert.d.holtz@gmail.com>
> Aan: "'McLaurin, Timothy'" <tMcLaurin@citi-us.com>; "'Jon R. Kibler'" <Jon.Kibler@aset.com>; 
> "focus-ms@securityfocus.com" <focus-ms@securityfocus.com>
> CC: "'Drew Simonis'" <simonis@myself.com>
> Verzonden: 28-7-06 15:37
> Onderwerp: RE: Impact of removing administrative rights in an enterprise 
> running XP
>
> I was involved in ~1,500 users and it also was an amazing exercise in
> futility.  The previous paragraph was on the money.
>
> It really bit us hard when we had a virus infestation and the patch from
> Microsoft needed the user to have admin rights in order to fix the problem.
>
>
> -----Original Message-----
> From: McLaurin, Timothy [mailto:tMcLaurin@citi-us.com] 
> Sent: Thursday, July 27, 2006 3:50 PM
> To: Jon R. Kibler; focus-ms@securityfocus.com
> Cc: Drew Simonis
> Subject: RE: Impact of removing administrative rights in an enterprise
> running XP
>
> I've done it for about 2,000 users and it was brutal.  The technical
> aspects of it was bad but even worse were the political.  People can't
> get used to the idea of not being able to do what they want when they
> want.  Especially the executive types.  And we still gave them admin
> accounts, they just had to use Run As...  Support isn't all that easy
> too because we had no idea who had what, and what was essential for
> their job function.  There are all kinds of stupid applications that
> call for admin rights and once they are taken away it doesn't work
> anymore.  Filemon, Regmon, and SetACL were a staple during that time
> period.  
>
>
>
> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler@aset.com] 
> Sent: Thursday, July 27, 2006 11:09 AM
> To: focus-ms@securityfocus.com
> Cc: Drew Simonis
> Subject: Re: Impact of removing administrative rights in an enterprise
> running XP
>
> Drew Simonis wrote:
>  
>
> > Hello all,
> > I wonder if anyone on the list who might work for a good sized
> >    
> enterprise (10,000+ seats) has gone through the excercise of removing
> administrative rights from the user community?
>  
>
> > Aside from the effort to inventory all applications and ensure that
> >    
> they work with restricted permissions, I forsee that such an effort
> would likely require changes to the entire support model.  Instead of
> relying on users to install their own software, it would need to be done
> for them.  New hardware would require intevention, etc.
>  
>
> > If someone has completed this, was support a major new burden, or was
> >    
> it not as difficult as it might be?  If it was, how much of a burden was
> it (+ desktop support headcount? +helpdesk calls?)?
>  
>
> > -Ds
> >    
>
> Drew,
>
> Have not done it in as large of an organization as you indicate, but
> have TRIED to do it in smaller organizations -- and ran into MANY brick
> walls. It is still a work-in-progress! Things are better, but we're not
> there yet by any stretch at any organization that I am working with.
>
> The primary issue is that A LOT of applications assume/require
> administrative privilege to work. In reality, you can probably get
> many/most to run with less than admin priv, but figuring out what is the
> minimum required is not an easy task. And don't expect the application
> vendor to be any help either!
>
> Trying to remove local admin priv is a trial-and-error process. A lot of
> apps will work most of the time, then one seldom-used feature breaks it.
>
> You would be surprised the apps that require privilege to run... many
> big name ones, such as the Intuit product line. There was a discussion
> on DShield a few months back on this topic, and several people named
> names of applications with privilege problems (but nothing close to
> scratching the surface!).
>
> Good luck.
>
> Oh, BTW, as you try this task, publishing a list of the required minimum
> privilege for each application would be a great help to everyone. I
> wanted to do that, but my clients all objected.
>
> Jon
>  

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs


---------------------------------------------------------------------------
---------------------------------------------------------------------------