Local Admin & passwords

We have recently switched to allowing only Power User rights on notebook computers. We have a set of notebooks we loan out to employees with desktops when they need to travel. Currently those users log in with an account named loaner and use scripts and webmail to access the network. Discussion has come up recently that those accounts should have local admin rights, and that we should change the admin rights on the local machine in case a user is stuck at a remote location and needs the rights. Any thoughts on the correct way to handle this? My thought is to keep the Power User rights and not give anyone a local admin password to any machine. My management seems to feel differently on the matter and wants me to provide some materials to back my thoughts.

Answer Wiki

This question can be boiled down to this:

Is it costing you enough man-hours in support (because such and such user doesn’t have the right to so and so) to justify giving the users higher rights?

For me, this almost always seems to be the case. Unless the user is only supposed to be accessing 3 applications and a text file on the machine, assigning local admin rights (be it on a desktop or a laptop) almost always seems to solve more problems than it creates.

Realistically, you shouldn’t be giving them a user account with admin rights, but they should have access to an administrative account on that system should the need arise.

As a rule, I don't trust laptops on my network when they're locally connected anyway (because you never know what they might have brought in with them), and any connecting from the world are treated like any other machine connecting from the world (because you have no way of telling if it's really that machine or not). The users of these systems should be taught the bare basics anyway: never connect to the internet (or any other network) without a firewall, virus- and spyware-scan your system at least once a day if you're in the world (usually set up as a scheduled task anyway), and don't use the administrative account unless you have a good reason to do so.


Discuss This Question: 2  Replies

  • Tsmitty
    I like the recent interpretation of your question. It comes down to time and available resources. I prefer the locked-down approach; it helps me sleep better at night. You can't quite tell your management that, of course. For me, it's about security risk as much as support time. Our laptops, most of which are desktop replacements, log on to our domain as other clients do. So in order to protect our network we must also protect these users from themselves. That means not allowing them local admin. The risk of introducing viruses, spyware, and other forms of attack is simply too high in our case. The other side of it is, of course, users' ability to wreak havoc on their laptops. These need to be contrasted with your travelling users' need to use hotel wi-fi, etc. Starwood, for example, is a real problem. Their wi-fi connection program is so badly designed that local admin is required; Power User won't do the trick. For these cases we have separate local accounts that have admin rights. It may mean a support call, but that in my mind is better than the alternative. Good luck!
  • Roced4
    In response to your Starwood issue, have you tried adding the users to the Network Configuration group? This seemed to help when our users would hit the road, without giving them full access. I know this group exists locally on XP; not sure if it was on 2000 (didn't think so). I guess what bothered me was that fellow workers were thinking of giving the password out to users. I could see either adding the user to the group or not, but giving out a password is a bad idea. Our users are almost never away from IT staff for more than a day, so I really don't see why they couldn't stick it out until they get to some IT support.
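As an added example (not code from the thread or from any of the posters), here is what the two positions above amount to on a Windows PowerShell host: audit the local Administrators group against an allowlist so nobody has quietly been handed local admin, and put the loaner account into the built-in Network Configuration Operators group instead. That is the group Roced4 refers to; it exists on XP and later and lets a non-admin change IP settings and connect to a hotel network without the local admin password. The computer name, the account names and the allowlist are assumptions for illustration; the script needs an elevated session and the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1.

```powershell
# Added example; not part of the original thread.
# Assumes Windows PowerShell 5.1 on a domain-joined machine, run elevated.
# CONTOSO, the "loaner" account and the allowlist are hypothetical.
param(
    [string]$Computer   = $env:COMPUTERNAME,
    [string[]]$Travellers = @('CONTOSO\loaner'),   # accounts that need Wi-Fi/IP config rights
    [switch]$Remediate                              # actually remove unexpected admins
)

$NetConfigGroup = 'Network Configuration Operators'

# Only these principals may stay in the local Administrators group.
$AllowedAdmins = @(
    "$Computer\Administrator",
    'CONTOSO\Domain Admins'
)

# Return every Administrators member that is not on the allowlist.
function Get-UnexpectedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowedAdmins -notcontains $_.Name }
}

# Add each traveller account to Network Configuration Operators (idempotent).
function Grant-NetworkConfigRights {
    param([string[]]$Accounts)
    $current = @(Get-LocalGroupMember -Group $NetConfigGroup | ForEach-Object Name)
    foreach ($acct in $Accounts) {
        if ($current -contains $acct) {
            Write-Output "$acct is already in '$NetConfigGroup'"
        } else {
            Add-LocalGroupMember -Group $NetConfigGroup -Member $acct
            Write-Output "Added $acct to '$NetConfigGroup'"
        }
    }
}

# 1. Report (and optionally strip) local admin rights nobody should have.
$extra = @(Get-UnexpectedLocalAdmins)
if ($extra.Count -eq 0) {
    Write-Output "Administrators group on $Computer matches the allowlist."
} else {
    foreach ($m in $extra) {
        Write-Warning "Unexpected local admin: $($m.Name) ($($m.ObjectClass))"
        if ($Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            Write-Output "Removed $($m.Name) from Administrators"
        }
    }
}

# 2. Give the loaner/traveller accounts just the network-configuration right.
Grant-NetworkConfigRights -Accounts $Travellers
```

Run it without `-Remediate` first to see what it would change. On machines too old for these cmdlets the same two steps are `net localgroup Administrators` to list members and `net localgroup "Network Configuration Operators" CONTOSO\loaner /add` to grant the right. Either way, the password for the local Administrator account never has to leave the IT staff, which is the point the question and Roced4's reply are making.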
