[EMAIL PROTECTED] writes:

>Also it is not a good
>practice to log on to your box all of the time as admin.
>It's just a lazy habit. And a risky one. Just remove all
>access to potentially dangerous files, with the
>exception of a local admin account. And only log on
>when you are performing system maintenance.
>Maybe a little over the top, but it works..
>

Chad,

In theory, I agree with your sentiment 100%, however, I have a question. This is one of those "should we stand for this" questions and mainly philosophical, however... What do you do about applications that will only work properly when running as local admin?

We are in the process of migrating all desktop machines to Windows 2K and have encountered several mission-critical applications that just will not work without admin access. Two examples are digital camera software (mounting the camera's storage is viewed as mounting a drive and must be executed as admin) and a commercially available application that has a feature that won't work without local admin privileges.

Now, I'm all for, in theory, saying that one just shouldn't use these apps, but that is not practical. Both applications are required for us to function. In both cases, I've tried giving permission to files, directories, and registry keys that SHOULD let an average user access them, but with no luck. I've complained to both vendors and presented the argument that this was poor implementation on their part and basically gotten the equivalent of the "help desk shoulder shrug".

Again, this message is largely a rant and I suspect that I'm preaching to the choir, but just thought I'd provide examples of the fact that despite our best intentions, some vendors just never seem to learn. Normally, I'd say that we should all just stop using their software until they fix it, but that won't happen, they know it won't happen, and it's all just a pain in the a$$ :)

Anyway, in this particular case, I agree that local admin should be the only user to have access to these .exe's and that will stop this 'vulnerability' at a system level. Without having to inconvenience yourself with turning off scripting.

Thanks

Phil

---------------------------------
Philip Frigm, Jr.
Systems Administrator
WXXI Public Broadcasting
280 State Street, Rochester, NY 14614
wxxi.org
585.258.0308
---------------------------------