On that note, check out Application Security from DesktopStandard. I've managed through my own work and using application security to create a 100% least privilege environment in one of our branch offices (call center), 300+ users.
- Nick ________________________________ From: Jackson, Mark [mailto:[EMAIL PROTECTED] Sent: Thu 7/27/2006 2:20 PM To: Joshua Morehouse; Drew Simonis; Focus-MS Subject: RE: Impact of removing administrative rights in an enterpriserunning XP Another great product which I have personally tested is Desktop Authority by Scriptlogic. This product will give you granular level control over your environment as well as provide useful tools to achieve even greater control. Mark Jackson - Infrastructure Architecture Lead Desktop Architectural and Security Engineer -----Original Message----- From: Joshua Morehouse [mailto:[EMAIL PROTECTED] Sent: Thursday, July 27, 2006 8:10 AM To: Drew Simonis; Focus-MS Subject: RE: Impact of removing administrative rights in an enterprise running XP Morning, We are also investigating the process of removing users from the local administrative group. In our research we've found and purchased a product that will allow us to do so via AD GPO. The product in question is Desktop Standard and will allow us to do the following. * Remove all domain users from the local admin group by OU and other filters. * Set programs that need to run with administrative privileges to do so. * For systems where users must have local admin privileges we can set programs such as IE to run with lower rights while the user still has local privileges. More information on the product set can be found @ http://www.desktopstandard.com <http://www.desktopstandard.com/> . While this product will help us from a technical side, the harder thing for us to overcome will be corporate culture. Josh -----Original Message----- From: Drew Simonis [mailto:[EMAIL PROTECTED] Sent: Thursday, July 27, 2006 9:54 AM To: Focus-MS Subject: Impact of removing administrative rights in an enterprise running XP Hello all, I wonder if anyone on the list who might work for a good sized enterprise (10,000+ seats) has gone through the excercise of removing administrative rights from the user community? Aside from the effort to inventory all applications and ensure that they work with restricted permissions, I forsee that such an effort would likely require changes to the entire support model. Instead of relying on users to install their own software, it would need to be done for them. New hardware would require intevention, etc. If someone has completed this, was support a major new burden, or was it not as difficult as it might be? If it was, how much of a burden was it (+ desktop support headcount? +helpdesk calls?)? -Ds ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- This electronic message and all attachments transmitted with it may contain confidential and legally privileged information belonging to the sender. Please visit http://www.fbr.com/ecdisclosures.asp for important related disclosures, by either following the attached hyperlink or copying and pasting the URL into your internet browser. ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------- Confidentiality note The information in this email and any attachment may contain confidential and proprietary information of VistaPrint and/or its affiliates and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you are hereby notified that any review, reliance or distribution by others or forwarding without express permission is strictly prohibited and may cause liability. In case you have received this message due to an error in transmission, please notify the sender immediately and to delete this email and any attachment from your system. --------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
