Work Issue...... Am I going mad???

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi there,

Currently having a debate with my employer. We have some legacy and bespoke applications which fail to work without admin rights or appropriate perms being set on the file system.

The obvious and rational fix for this is to find out the areas of the file system required by the apps and alter the perms on the respective directories, however my employers intention to resolve this is to give users admin rights.

They asked me if this was the correct approach, and I advised them that it may be easier and cheaper, but still a dirty fix which will compromise work station security.

They then came back to me and said that altering the file perms was a dirty fix and that admin rights were the way to go. I was lost for words....... which leads to the leading question... what vulnerabilties will giving local users admin rights bring?

Things I can think of

*Users being able to browse each others profiles
*No control over software installations
*Gives users the capability of installing keyloggers etc as system services
*Users will have access to browse admin shares on other desktops.

What other vulnerabilities will this bring?

Cheers

MaX

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Yep, giving the user local admin rights does compromise integrity. If at all possible, I'd avoid giving it to them. However, some apps are so poorly coded that they won't run correctly unless the user has local admin rights. I'd recommend working with those app vendors to come up with a secure, workable solution.

 

I’m not a Windows expert, but is this Admin rights on a local machine or on the domain? My biggest issue is giving users unnecessary ability to compromise systems. The biggest security threat is the internal worker that maliciously or accidentally compromised the core system(s).

 

What I do at work is create a another folder on c: call it what it is you want. Install the necessary apps the users use into that folder so you're avoiding tampering with the program files folder permissions. Give the necessary rights to that folder you created. I never ever give out local admin rights to anyone unless its an extreme case where I do have some users who VP or in management and need to have certain access to install applications and do other stuff and even this is just local admin rights, so if the users wants to screw something up he will most likely effect only his pc and not the network.

Also I almost never have any issues with assigning permissions. There are always ways such as giving permissions at the registry level or at a folder level. What I also do is when I install a new application I run it as my self once so that it writes the necessary files to the registry or other locations so that when the users logs on and launches the application it runs without asking for write permissions or anything like that. This is not always the case but it does happen once in a while.