For anybody wanting to address applications and their need/lack thereof for
admin rights on machines, I highly recommend taking a look at the
Application Compatibility Toolkit.
http://www.microsoft.com/technet/desktopdeployment/appcompat/toolkit.msp
x
You can save yourself a lot of work and time with it.
Laura
> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler (at) aset (dot) com [email concealed]]
> Sent: Thursday, July 27, 2006 11:09 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Cc: Drew Simonis
> Subject: Re: Impact of removing administrative rights in an
> enterprise running XP
>
> Drew Simonis wrote:
> > Hello all,
> > I wonder if anyone on the list who might work for a good
> sized enterprise (10,000+ seats) has gone through the
> excercise of removing administrative rights from the user community?
> >
> > Aside from the effort to inventory all applications and
> ensure that they work with restricted permissions, I forsee
> that such an effort would likely require changes to the
> entire support model. Instead of relying on users to install
> their own software, it would need to be done for them. New
> hardware would require intevention, etc.
> >
> > If someone has completed this, was support a major new
> burden, or was it not as difficult as it might be? If it
> was, how much of a burden was it (+ desktop support
> headcount? +helpdesk calls?)?
> >
> > -Ds
>
> Drew,
>
> Have not done it in as large of an organization as you
> indicate, but have TRIED to do it in smaller organizations --
> and ran into MANY brick walls. It is still a
> work-in-progress! Things are better, but we're not there yet
> by any stretch at any organization that I am working with.
>
> The primary issue is that A LOT of applications
> assume/require administrative privilege to work. In reality,
> you can probably get many/most to run with less than admin
> priv, but figuring out what is the minimum required is not an
> easy task. And don't expect the application vendor to be any
> help either!
>
> Trying to remove local admin priv is a trial-and-error
> process. A lot of apps will work most of the time, then one
> seldom-used feature breaks it.
>
> You would be surprised the apps that require privilege to
> run... many big name ones, such as the Intuit product line.
> There was a discussion on DShield a few months back on this
> topic, and several people named names of applications with
> privilege problems (but nothing close to scratching the surface!).
>
> Good luck.
>
> Oh, BTW, as you try this task, publishing a list of the
> required minimum privilege for each application would be a
> great help to everyone. I wanted to do that, but my clients
> all objected.
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> (843) 849-8214
>
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
>
>
admin rights on machines, I highly recommend taking a look at the
Application Compatibility Toolkit.
http://www.microsoft.com/technet/desktopdeployment/appcompat/toolkit.msp
x
You can save yourself a lot of work and time with it.
Laura
> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler (at) aset (dot) com [email concealed]]
> Sent: Thursday, July 27, 2006 11:09 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Cc: Drew Simonis
> Subject: Re: Impact of removing administrative rights in an
> enterprise running XP
>
> Drew Simonis wrote:
> > Hello all,
> > I wonder if anyone on the list who might work for a good
> sized enterprise (10,000+ seats) has gone through the
> excercise of removing administrative rights from the user community?
> >
> > Aside from the effort to inventory all applications and
> ensure that they work with restricted permissions, I forsee
> that such an effort would likely require changes to the
> entire support model. Instead of relying on users to install
> their own software, it would need to be done for them. New
> hardware would require intevention, etc.
> >
> > If someone has completed this, was support a major new
> burden, or was it not as difficult as it might be? If it
> was, how much of a burden was it (+ desktop support
> headcount? +helpdesk calls?)?
> >
> > -Ds
>
> Drew,
>
> Have not done it in as large of an organization as you
> indicate, but have TRIED to do it in smaller organizations --
> and ran into MANY brick walls. It is still a
> work-in-progress! Things are better, but we're not there yet
> by any stretch at any organization that I am working with.
>
> The primary issue is that A LOT of applications
> assume/require administrative privilege to work. In reality,
> you can probably get many/most to run with less than admin
> priv, but figuring out what is the minimum required is not an
> easy task. And don't expect the application vendor to be any
> help either!
>
> Trying to remove local admin priv is a trial-and-error
> process. A lot of apps will work most of the time, then one
> seldom-used feature breaks it.
>
> You would be surprised the apps that require privilege to
> run... many big name ones, such as the Intuit product line.
> There was a discussion on DShield a few months back on this
> topic, and several people named names of applications with
> privilege problems (but nothing close to scratching the surface!).
>
> Good luck.
>
> Oh, BTW, as you try this task, publishing a list of the
> required minimum privilege for each application would be a
> great help to everyone. I wanted to do that, but my clients
> all objected.
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> (843) 849-8214
>
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
>
>
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]