[EMAIL PROTECTED] writes:
>Also it is not a good 
>practice to log on to your box all of the time as admin. 
>It's just a lazy habit. And a risky one. Just remove all 
>access to potentially dangerous files, with the 
>exception of a local admin account. And only log on 
>when you are performing system maintenance. 
>Maybe a little over the top, but it works.. 
>
Chad,
        In theory, I agree with your sentiment 100%, however, I have a
question.  This is one of those "should we stand for this" questions
and mainly philosophical, however...
        What do you do about applications that will only work properly when
running as local admin?  We are in the process of migrating all
desktop machines to Windows 2K and have encountered several mission
critical applications that just will not work without admin access. 
Two examples are digital camera software (mounting the camera's
storage is viewed as mounting a drive and must be executed as admin)
and a commercially available application that has a feature that
won't work without local admin privileges.  Now, I'm all for, in
theory, saying that one just shouldn't use these apps, but that is
not practical.  Both applications are required for us to function. 
In both cases, I've tried giving permission to files, directories,
and registry keys that SHOULD let an average user access them, but
with no luck.  I've complained to both vendors and presented the
argument that this was poor implementation on their part and
basically gotten the equivalent of the "help desk shoulder shrug".
        Again, this message is largely a rant and I suspect that I'm
preaching to the choir, but just thought I'd provide examples of the
fact that despite our best intentions, some vendors just never seem
to learn.  Normally, I'd say that we should all just stop using their
software until they fix it, but that won't happen, they know it won't
happen, and it's all just a pain in the a$$ :)

        Anyway, in this particular case, I agree that local admin should be
the only user to have access to these .exe's and that will stop this
'vulnerability' at a system level.  Without having to inconvenience
yourself with turning off scripting.

Thanks
Phil
---------------------------------
Philip Frigm, Jr.
Systems Administrator
WXXI Public Broadcasting
280 State Street,
Rochester, NY 14614
wxxi.org
585.258.0308
---------------------------------
