Installation-wise, there's a few bits of software you can utilize that won't 
actually necessitate local admin privs - personal vDisks, AppSense StrataApps, 
etc.

---Blackberried

-----Original Message-----
From: "Heaton, Joseph@DFG" <jhea...@dfg.ca.gov>
Date: Tue, 18 Sep 2012 15:32:52 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: This is what I get....

We're going through the same issue here.  For years, while on Novell and XP, 
all of our users have been local admins.  When we roll over to Active 
Directory, and Win 7, no one will be local admins.  We purchased Viewfinity for 
our privilege elevation issues.  Pretty slick software, doesn't need to wait 
for GPO refresh times like some of the other solutions, just need someone being 
responsive to the automated e-mails that come in with elevation requests.  We 
have our first line person responding by creating a ticket in our BMC system, 
then contacting the user and their supervisor to make sure there is licensing, 
the supervisor knows what the user wants to install and actually needs it, etc. 
 When all that checks out, the ticket gets forwarded to me, and I go in and 
either create a new policy for this, or add the user to an existing group if 
the policy for that software already exists.  The user gets an automated e-mail 
when the policy is created, and they are able to install the software.

Joe Heaton
ITB - Enterprise Server Support

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, September 18, 2012 7:47 AM
To: Heaton, Joseph@DFG; NT System Admin Issues
Subject: RE: This is what I get....

After I cooled off, I gave him this reply:

Clearly you've never tried to not make them local admins. Give me two of where 
a typical employee (this means not developers), and I'll give you two examples 
of how it can be accomplished WITHOUT them being local admin...


From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Tuesday, September 18, 2012 7:30 AM
To: NT System Admin Issues
Subject: Re: This is what I get....

Are those calls documented?  And what was the nature of the call?

After the initial transition, this will actually make admins' lives easier, 
since they have a more controlled environment to work in.

Yeah, some things are easier when they have admin rights, but that doesn't mean 
that users should be doing those things, either.

On Tue, Sep 18, 2012 at 10:22 AM, David Lum <david....@nwea.org> wrote:
Here's how much fight I get when I even SUGGEST we should be removing admin 
rights from our users.

Worthy to note I am not a local admin on my own NWEA machine, and none of my 
%sidejob% clients are local admins on theirs. This guy knows this, but still 
fights me every time.

This reply incensed me enough to start again working on the management buy-in, 
as it's a lot harder to stop a top down order.


Sent: Tuesday, September 18, 2012 6:35 AM
To: David Lum
Subject: RE: IE 0-day, MS releases bulletin

We have this very rare instance of a Zero Day attack in IE for a few sites and 
you think that is a reason to create the complete nightmare of taking away 
Admin rights to a local machine.  Clearly you don't know how often our users 
are using their admin rights on their machines. The SD got a call once a 
week from the ONE person who had that setup when she was moved to Windows 7. 
If we spent some time building the infrastructure that makes such a situation 
workable (like I did at the school district I worked at), then we could live 
with our 500 users not being admins.

David Grand

From: David Lum
Sent: Tuesday, September 18, 2012 6:24 AM
Subject: IE 0-day, MS releases bulletin

Please read this article and weigh in on the suggested workarounds.

Microsoft has released a bulletin on this, and has suggested workarounds. Most 
can be achieved via GPO:
http://technet.microsoft.com/en-us/security/advisory/2757760

Note 1: "An attacker who successfully exploited this vulnerability could gain 
the same user rights as the current user. Users whose accounts are configured 
to have fewer user rights on the system could be less impacted than users who 
operate with administrative user rights."
SD - this exact scenario is the benefit of users not being local administrators.

Note 2: Some of this is already done via the Trusted Site GPO. Their additional 
recommendations recommend disabling ActiveX for Internet and Local Intranet. 
The latter would disable some Commons functionality, but we can disable it on 
the Internet site zone temporarily. Even this will generate Service Desk calls 
but I feel this is worth mitigating the risk.

Dave

From: David Lum
Sent: Monday, September 17, 2012 12:39 PM
Subject: Just so you know that I know..

0-day of the week:

http://www.computerworld.com/s/article/9231367/Hackers_exploit_new_IE_zero_day_vulnerability?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

Dave



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

