Network Security Focus-Microsoft
Re: Impact of removing administrative rights in an enterprise running XP

Date: Sun, 30 Jul 2006 17:17:46 +0200
Hello

Dick Venema wrote:
But from the reactions I hear, everybody complains. Are there success stories?

Yes, there are. My team members and I have created a setup in an educational environment (Department of Physics [1] at ETH Zurich [2]) with currently around 60 WinXP workstations (still growing) with around 50 applications, where the users only have user rights. We already have around 150 Linux workstations which are managed in a similar way.


  [1] http://www.phys.ethz.ch/
  [2] http://www.ethz.ch/

We have everything automated, starting from the installation of Windows over netboot (PXE), installing applications according to the needs of the workstation and joining it to our Samba-Domain. The installation takes around 1 - 2 hours (depending on the power of the workstation and number of applications) without any intervention until the user can log in.

For the netboot we use PXELINUX [3]. The base Windows install is done with Unattended [4] and the applications install is done with wpkg [5]. For inventory we use OCS Inventory [6], which also runs on our Linux workstations. We need the inventory to count the installed applications which need a license, so we can order them in the central software system from our University. Monitoring of all workstations and servers is done with Big Brother [7].

  [3] http://syslinux.zytor.com/pxe.php
  [4] http://unattended.sourceforge.net/
  [5] http://wpkg.org/
  [6] http://ocsinventory.sourceforge.net/
  [7] http://www.bb4.org/

Sure, we had to do some glue scripting (mostly .cmd) to motivate all these tools to work together for our needs. wpkg runs (in the background as a system task) at startup or once in the early morning (if the workstation is running) to upgrade applications. Windows and MS Office updates are done through a local WSUS server.

So far the users do not complain about the missing administrative rights, but are happy that we keep their workstations up-to-date. In some groups the local IT person has an additional account with administrator rights, mainly to install special software (e.g. CAM) which we could not motivate for silent install. If a workstation gets "killed", we simply do a fresh install.


bye Fabian
