[unisog] User rights

Gary Flynn flynngn at jmu.edu
Fri Jun 30 03:20:36 GMT 2006


I Freecycle wrote:

>Hello,
>
>I'm wondering how others deal with allowing users rights on work computers.
>
>At our school, users aren't normally given Administrator or Power User
>rights unless it's absolutely necessary. Occasionally we
>encounter employees and students that don't understand how easily a
>system can be messed up and the security issues involved nor why we
>feel it's necessary to operate like this.
>
>I would like to know what others do, and what policies they have in
>place to address these issues.
>
>Thanks.
>  
>
All of our IT Technical Services department desktop machines
have been recently set up to use non-admin accounts per policy
as well as the desktops of several pilot administrative departments.
We're actively encouraging it across campus and pursuing
implementing it on as many desktops as we are able.

The computers are set up with administrative and user accounts
with the user accounts to be used for day to day use. We do
not presently, nor have any plans to keep people from knowing
the administrative password. It is left up to personal responsibility
and professionalism at this time.

Don't let the occasional exception or problem keep you from
protecting the vast majority of desktops that can be successfully
operated and protected this way.

Even if malware changes to take advantage of the what limited
opportunities are available from regular user accounts, it won't be
able to install rootkits, won't be able to disable firewalls, won't
be able to stop updates, won't be able to effectively hide
itself, won't be able to modify the DNS hosts file, won't be
able to install browser helper objects, and won't be able to
install common keyboard loggers. (assuming no local defects to
exploit for privilege elevation).

I don't believe the risk reduction from changing from administrator
to power user accounts is worth the change. It won't stop most
infections. It allows writing to the registry startup sections and
other critical system areas. It provides pathways to elevate privileges.

There is lots of information about non-admin accounts at:

http://nonadmin.editme.com/
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;307091

Gary Flynn
Security Engineer
James Madison University


More information about the unisog mailing list