We have to balance the needs of our users and the need to provide a secure
network.  The major applications (300+) we package and distribute on an
as-needed basis to our users.  The problem is the applications that < 10 users
want to install.  We do not want to deploy very minor software applications
through our application deployment framework (Radia) that only a few users
require because the engineering time required to make sure that this minor
app is compatible with the 300 other apps is considerable.  If the user
installs the software and breaks the machine we will reimage it back and
redeploy the managed apps to it.

It is all we can do right now to maintain our managed application pool as it
is now.  The thought of having to manage every single app gives me the
shivers.

It is not a perfect solution for a secure network but unfortunately is one
we are being forced to work/live in.

Greg Felzer 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andries Thijssen
Sent: Friday, March 07, 2003 7:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] User rights on Domain computers and security issues

Users must be able to install whatever nefarious software they want, but you
still want a secure network? I think those goals are mutually exclusive,
especially if you factor in a reasonable amount of social engineering.

For software installations requiring admin access, you could try to install
it through the group policies.

Andries

-----Original Message-----
From: Greg Felzer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2003 8:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User rights on Domain computers and security issues


Sorry for the repost but I submitted this to 2 lists and did not get any
responses.

If you have any suggestions please throw them out.

Thanks in advance

Greg Felzer 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent: Tuesday, March 04, 2003 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User rights on Domain computers and security issues

We are in the process of rolling out a new desktop at MUSC using a W2K AD
infrastructure and an XP SP1 managed desktop.

We piloted our new desktop for about a month to gauge the users'
requirements for the new system.  We had made the users' domain accounts
members of the local Power Users group and enabled roaming profiles.  During
our pilot testing the user base requested the ability to install hardware
devices (zip drives, biometric mouse, etc.) and be able to install any
software they want to locally.  The Power Users rights gave them the ability
to install most hardware devices EXCEPT devices that required a service to
be installed or needed to modify certain hives under HKLM.  The Power Users
rights also gave them the ability to install most software EXCEPT if the
installation required local administrator privileges (like MS Project 2000).

Giving the user account local administrator privileges is not an option for
the security concerns that are enumerated here:

http://www.sans.org/rr/win/commonality.php

Also giving the users local administrator access would allow them to browse
other users local profile directories that had been cached.  Although we
could delete all profiles upon log off this would prevent the user from
logging onto the computer in the event of a network failure (there are no
local user accounts).

We tried to give the local Power Users group full control to HKLM.  The
trouble with this is that in essence it makes them local administrators on
the machine, which brings us back to our security concerns.

Any ideas....all suggestions are welcome.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
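An added audit example, not code from any message in this thread: it checks a workstation for the two conditions Greg describes, domain accounts sitting in the local Administrators or Power Users groups, and Power Users holding FullControl on HKLM keys (which, as he notes, makes them administrators in all but name). It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and an elevated session; the list of keys checked is my choice, and the output contains only whatever accounts the machine actually has.

```powershell
# Added audit example, not from the thread. Reports (1) members of the local
# Administrators and Power Users groups and (2) Allow ACEs granting Power
# Users FullControl on HKLM keys that installers write to. Assumes Windows
# PowerShell 5.1+ and an elevated session. The hive list is an assumption.

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

# Keys a typical installer or device driver needs to write. FullControl here
# for a non-admin group is the "effectively local admin" condition above.
$hivesToCheck = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-PrivilegedLocalMembers {
    # Members of the two built-in groups that can install most things.
    foreach ($group in 'Administrators', 'Power Users') {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        } catch {
            # Group absent on this build: report nothing for it.
            $members = @()
        }
        foreach ($m in $members) {
            [PSCustomObject]@{
                Group       = $group
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Get-PowerUsersFullControlAces {
    # Every Allow ACE on the checked hives that gives Power Users FullControl,
    # i.e. the over-permissive change the original post says was tried.
    foreach ($hive in $hivesToCheck) {
        $acl = Get-Acl -Path $hive
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -like '*\Power Users' -and
                $ace.RegistryRights.HasFlag($fullControl)) {
                [PSCustomObject]@{
                    Key       = $hive
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$members = @(Get-PrivilegedLocalMembers)
$aces    = @(Get-PowerUsersFullControlAces)

Write-Host "Members of Administrators / Power Users on ${env:COMPUTERNAME}:"
$members | Format-Table -AutoSize | Out-Host

if ($aces.Count -gt 0) {
    Write-Warning 'Power Users has FullControl on HKLM keys; treat its members as local admins:'
    $aces | Format-Table -AutoSize | Out-Host
} else {
    Write-Host 'No Power Users FullControl ACEs found on the checked hives.'
}

# Domain user accounts (not groups) placed directly in a privileged local
# group are what the pilot configuration did; flag them for review.
$domainUsersWithRights = @($members | Where-Object {
    $_.ObjectClass -eq 'User' -and "$($_.Source)" -eq 'ActiveDirectory'
})

# Non-zero exit lets a scheduled task or config-management run flag the host.
if ($aces.Count -gt 0 -or $domainUsersWithRights.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt on a pilot machine; the exit code is the useful part if you want to sweep a fleet and find which boxes drifted toward the HKLM-full-control workaround rather than staying on the managed-app model.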