Focus on Microsoft
Impact of removing administrative rights in an enterprise running XP Jul 27 2006 01:53PM
Drew Simonis (simonis myself com) (4 replies)
RE: Impact of removing administrative rights in an enterprise running XP Aug 15 2006 10:14PM
Kevin Hegg (kevinhegg moturion com)
RE: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 04:36PM
Howe, Paul H (paul howe nwa com)
Re: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 03:14PM
Saqib Ali (docbook xml gmail com)
Re: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 03:08PM
Jon R. Kibler (Jon Kibler aset com) (4 replies)
Re: Impact of removing administrative rights in an enterprise running XP Jul 28 2006 12:53AM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
RE: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 08:49PM
McLaurin, Timothy (tMcLaurin citi-us com) (2 replies)
RE: Impact of removing administrative rights in an enterprise running XP Jul 28 2006 03:39AM
Tom Milliner (tomm dfwrealtors com) (1 replies)
RE: Impact of removing administrative rights in an enterprise running XP Jul 28 2006 01:48PM
Miha Pihler (Miha Pihler snt si)
RE: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 09:44PM
Robert D. Holtz (robert d holtz gmail com) (1 replies)
Re: Impact of removing administrative rights in an enterprise running XP Jul 28 2006 03:23PM
Thor (Hammer of God) (thor hammerofgod com)
Re: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 06:36PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
"What?" "I'm not an admin?"

www.threatcode.com

For those programs that must run as admin, can you please post to the
nomination list? All nominations are confidential and I don't need a
name or a firm, but I would like to point out these applications that
demand administrator rights. Too many financial programs need admin
rights.

Intuit's upcoming Quickbooks 2007 is supposed to not need admin rights.
It will be the first one to do so. All prior versions need reg
hacking... however they now have come out on record with the necessary
reg hacks to support non admin.

The definitive resource/blog to watch for Non admin is Aaron's blog:
http://blogs.msdn.com/aaron_margosis/

Laptops are the hardest to make nonadmin... make sure you make them at
least members of the network operators group so they can adjust nic stuff.

(and wondering? Why did your clients object? Because I'd love to host a
project like that .. I'll make a new section on how to non-admin apps
just for that!)

Now keep in mind that as MS just bought Sysinternals.. the two tools for
non-admin-ing, filemon and regmon have a new eula that states we can
only use them for testing and evaluation.

Jon R. Kibler wrote:

> Drew Simonis wrote:
>
>> Hello all,
>> I wonder if anyone on the list who might work for a good sized
>> enterprise (10,000+ seats) has gone through the exercise of removing
>> administrative rights from the user community?
>>
>> Aside from the effort to inventory all applications and ensure that
>> they work with restricted permissions, I foresee that such an effort
>> would likely require changes to the entire support model. Instead of
>> relying on users to install their own software, it would need to be
>> done for them. New hardware would require intervention, etc.
>>
>> If someone has completed this, was support a major new burden, or was
>> it not as difficult as it might be? If it was, how much of a burden
>> was it (+ desktop support headcount? +helpdesk calls?)?
>>
>> -Ds
>
>
> Drew,
>
> Have not done it in as large of an organization as you indicate, but
> have TRIED to do it in smaller organizations -- and ran into MANY
> brick walls. It is still a work-in-progress! Things are better, but
> we're not there yet by any stretch at any organization that I am
> working with.
>
> The primary issue is that A LOT of applications assume/require
> administrative privilege to work. In reality, you can probably get
> many/most to run with less than admin priv, but figuring out what is
> the minimum required is not an easy task. And don't expect the
> application vendor to be any help either!
>
> Trying to remove local admin priv is a trial-and-error process. A lot
> of apps will work most of the time, then one seldom-used feature
> breaks it.
>
> You would be surprised the apps that require privilege to run... many
> big name ones, such as the Intuit product line. There was a discussion
> on DShield a few months back on this topic, and several people named
> names of applications with privilege problems (but nothing close to
> scratching the surface!).
>
> Good luck.
>
> Oh, BTW, as you try this task, publishing a list of the required
> minimum privilege for each application would be a great help to
> everyone. I wanted to do that, but my clients all objected.
>
> Jon
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

RE: Impact of removing administrative rights in an enterprise running XP Jul 27 2006 06:30PM
Laura A. Robinson (larobins bellatlantic net)







 

Copyright 2009, SecurityFocus