Re: Does anyone truly use Restricted User Accounts?
- From: "Andrew M. Saucci, Jr." <spam-only@xxxxxxxxxxxxxxxx>
- Date: Mon, 26 Dec 2005 14:35:52 -0500
One of my new year's resolutions for last year was to get rid of
local administrator privileges, after Jeff Middleton announced that it was
one of his goals. I've been somewhat successful-- enough to plow forward,
but still a long way to go. This year I deployed three networks without any
local administrators. I also had one from last year that is still running
fine. Three of those four networks have users running QuickBooks, one of the
worst offenders. I know it can be done and I intend to do more of it. The
biggest challenge is not really a technical challenge; with RegMon and
FileMon I can crack any two-bit application that claims to need
administrator privileges. The challenge is to convince users that they
should let me lock down the workstations and install all software instead of
letting the users do it themselves. That is especially difficult as a
"retrofit" policy on networks that were originally deployed wide-open-- it
can come across as a power grab or a way to make the user dependent upon me
so that my boss' wallet gets fat. I hope to convince people that I'm just
looking out for their best interests and not looking to increase revenue or
power for my company. That's where maintaining good relationships with
clients is important. Once I have a good track record with a client, I'm
more likely to be seen as a benevolent healer instead of a megalomaniac.

Finally, I now insist that my colleagues use the term,
"administrator privileges." No one is born with "administrator rights." That
sounds too much like "human rights." Privileges are granted to those who
demonstrate a need for them. With clients, I try not to talk about
administrator anything. I just say, "I'm going to lock the machine so that
it can't get messed up." Explained like that, people are more willing to
give it a try. Any time a workstation gets trashed with adware and spyware--
I move in with my pitch. It also helps when I can promise to fix any
problems that may arise, since I now have the tools to do it. Also important
is to make the distinction between user accounts and users. I tell people,
"I trust you but I don't trust anything that may happen to be running under
your user account." Telling Linda that I don't trust her is a sure way to
start a fistfight.

Another alternative is to restrict Internet access. If someone has
no Internet, I don't feel quite as bad about letting that person be an
administrator, although it still bothers me. If I have an image of the
workstation, that helps as well, since at least I'll have the tools to fix
the workstation fast when it does get trashed.

"Brian Williams" <BrianWilliams@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:391FECF1-6E58-4719-B3E5-399B60B6B111@xxxxxxxxxxxxxxxx
> Hello, I've tried to implement Restricted User Accounts to protect our
> workstations and network. Every time I try to implement this, something like
> QuickBooks or the printer drivers, or some third party software requires the
> user to have local Admin rights.
>
> We also have 30+ real estate agents in our office who use a local MLS
> application to access and input their listings, this site requires ActiveX
> and local admin rights.
>
> Has anyone truly and successfully implemented Restricted User Accounts on
> their workstations? If so, where am I going wrong here?