"What?" "I'm not an admin?"
www.threatcode.com
For those programs that must run as admin, can you please post to the
nomination list? All nominations are confidential and I don't need a
name or a firm, but I would like to point out these applications that
demand administrator rights. Too many of financial programs need admin
rights.
Intuit's upcoming Quickbooks 2007 is supposed to not need admin rights.
It will be the first one to do so. All prior versions need reg
hacking... however they now have come out on record with the necessarily
reg hacks to support non admin.
The definitive resource/blog to watch for Non admin is Aaron's blog:
http://blogs.msdn.com/aaron_margosis/
Laptops are the hardest to make nonadmin... make sure you make them at
least members of the network operators group so they can adjust nic stuff.
(and wondering? Why did your clients object? Because I'd love to host a
project like that .. I'll make a new section on how to non-admin apps
just for that!)
Now keep in mind that as MS just bought Sysinternals.. the two tools for
non-admin-ing, filemon and regmon have a new eula that states we can
only use them for testing and evaluation.
Jon R. Kibler wrote:
Drew Simonis wrote:
Hello all,
I wonder if anyone on the list who might work for a good sized
enterprise (10,000+ seats) has gone through the excercise of removing
administrative rights from the user community?
Aside from the effort to inventory all applications and ensure that
they work with restricted permissions, I forsee that such an effort
would likely require changes to the entire support model. Instead of
relying on users to install their own software, it would need to be
done for them. New hardware would require intevention, etc.
If someone has completed this, was support a major new burden, or was
it not as difficult as it might be? If it was, how much of a burden
was it (+ desktop support headcount? +helpdesk calls?)?
-Ds
Drew,
Have not done it in as large of an organization as you indicate, but
have TRIED to do it in smaller organizations -- and ran into MANY
brick walls. It is still a work-in-progress! Things are better, but
we're not there yet by any stretch at any organization that I am
working with.
The primary issue is that A LOT of applications assume/require
administrative privilege to work. In reality, you can probably get
many/most to run with less than admin priv, but figuring out what is
the minimum required is not an easy task. And don't expect the
application vendor to be any help either!
Trying to remove local admin priv is a trial-and-error process. A lot
of apps will work most of the time, then one seldom-used feature
breaks it.
You would be surprised the apps that require privilege to run... many
big name ones, such as the Intuit product line. There was a discussion
on DShield a few months back on this topic, and several people named
names of applications with privilege problems (but nothing close to
scratching the surface!).
Good luck.
Oh, BTW, as you try this task, publishing a list of the required
minimum privilege for each application would be a great help to
everyone. I wanted to do that, but my clients all objected.
Jon
------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs
---------------------------------------------------------------------------
---------------------------------------------------------------------------
