1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Work Issue...... Am I going mad???

Discussion in 'The Lounge - Off Topic' started by mad_maxx, Jan 24, 2008.

  1. mad_maxx

    mad_maxx Bit Poster

    Hi there,

    Currently having a debate with my employer. We have some legacy and bespoke applications which fail to work without admin rights or appropriate perms being set on the file system.

    The obvious and rational fix for this is to find out the areas of the file system required by the apps and alter the perms on the respective directories, however my employers intention to resolve this is to give users admin rights.

    They asked me if this was the correct approach, and I advised them that it may be easier and cheaper, but still a dirty fix which will compromise work station security.

    They then came back to me and said that altering the file perms was a dirty fix and that admin rights were the way to go. I was lost for words....... which leads to the leading question... what vulnerabilties will giving local users admin rights bring?

    Things I can think of

    *Users being able to browse each others profiles
    *No control over software installations
    *Gives users the capability of installing keyloggers etc as system services
    *Users will have access to browse admin shares on other desktops.

    What other vulnerabilities will this bring?


    Certifications: MCSE:Messaging
  2. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    Yep, giving the user local admin rights does compromise integrity. If at all possible, I'd avoid giving it to them. However, some apps are so poorly coded that they won't run correctly unless the user has local admin rights. I'd recommend working with those app vendors to come up with a secure, workable solution.
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    It depends on what the users are like. I support some networks where all the users are local admins (same reason as you) and the network runs fine. No extra software has been installed and no-one does anything that causes concern.

    On the other hand I have had to lock down some networks as the users just abuse the net and download all sorts of crap. I thought people were meant to work when they are at work?

    Is it an option to give users admin rights just now to keep things running and then work out what you need to modify without giving users admin rights. You can roll out these changes later. 8)
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  4. sunn

    sunn Gigabyte Poster

    I’m not a Windows expert, but is this Admin rights on a local machine or on the domain? My biggest issue is giving users unnecessary ability to compromise systems. The biggest security threat is the internal worker that maliciously or accidentally compromised the core system(s).
  5. Theprof

    Theprof Petabyte Poster Forum Leader

    What I do at work is create a another folder on c: call it what it is you want. Install the necessary apps the users use into that folder so you're avoiding tampering with the program files folder permissions. Give the necessary rights to that folder you created. I never ever give out local admin rights to anyone unless its an extreme case where I do have some users who VP or in management and need to have certain access to install applications and do other stuff and even this is just local admin rights, so if the users wants to screw something up he will most likely effect only his pc and not the network.

    Also I almost never have any issues with assigning permissions. There are always ways such as giving permissions at the registry level or at a folder level. What I also do is when I install a new application I run it as my self once so that it writes the necessary files to the registry or other locations so that when the users logs on and launches the application it runs without asking for write permissions or anything like that. This is not always the case but it does happen once in a while.
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV

Share This Page