Focus on Microsoft
RE: Impact of removing administrative rights in an enterprise running XP Jul 28 2006 01:48PM
Miha Pihler (Miha Pihler snt si)
Hi,

Regmon and Filemon are very useful tools, among others you can find at
www.sysinternals.com. E.g. you can run Filemon and then run your
application. Filemon will show you what files your application is trying
to read/write to and whether it is successful or not (access denied). Regmon
will do the same for the registry (e.g. show you access denied or what
operation is being performed by the application). After you have these
results you can grant the user permissions to the files or parts of the
registry that the application is trying to read/write to.

You can download them from here:
http://www.sysinternals.com/Utilities/Filemon.html
http://www.sysinternals.com/Utilities/Regmon.html

I also recommend that you check out the other tools at www.sysinternals.com.

Mike

-----Original Message-----
From: Tom Milliner [mailto:tomm (at) dfwrealtors (dot) com]
Sent: Friday, July 28, 2006 5:40 AM
To: 'McLaurin, Timothy'; 'Jon R. Kibler'; focus-ms (at) securityfocus (dot) com
Cc: 'Drew Simonis'
Subject: RE: Impact of removing administrative rights in an enterprise
running XP

If it is not too much trouble: what are Filemon, Regmon, and SetACL?

Tom Milliner, CPA, MCSE
2404 Summer Place Dr.
Irving, TX 75062
(972) 255-6308
tom.milliner (at) verizon (dot) net

-----Original Message-----
From: McLaurin, Timothy [mailto:tMcLaurin (at) citi-us (dot) com]
Sent: Thursday, July 27, 2006 3:50 PM
To: Jon R. Kibler; focus-ms (at) securityfocus (dot) com
Cc: Drew Simonis
Subject: RE: Impact of removing administrative rights in an enterprise
running XP

I've done it for about 2,000 users and it was brutal. The technical
aspects of it were bad but even worse were the political. People can't
get used to the idea of not being able to do what they want when they
want. Especially the executive types. And we still gave them admin
accounts, they just had to use Run As... Support isn't all that easy
either because we had no idea who had what, and what was essential for
their job function. There are all kinds of stupid applications that
call for admin rights and once they are taken away they don't work
anymore. Filemon, Regmon, and SetACL were a staple during that time
period.

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler (at) aset (dot) com]
Sent: Thursday, July 27, 2006 11:09 AM
To: focus-ms (at) securityfocus (dot) com
Cc: Drew Simonis
Subject: Re: Impact of removing administrative rights in an enterprise
running XP

Drew Simonis wrote:
> Hello all,
> I wonder if anyone on the list who might work for a good sized
> enterprise (10,000+ seats) has gone through the exercise of removing
> administrative rights from the user community?
>
> Aside from the effort to inventory all applications and ensure that
> they work with restricted permissions, I foresee that such an effort
> would likely require changes to the entire support model. Instead of
> relying on users to install their own software, it would need to be done
> for them. New hardware would require intervention, etc.
>
> If someone has completed this, was support a major new burden, or was
> it not as difficult as it might be? If it was, how much of a burden was
> it (+ desktop support headcount? +helpdesk calls?)?
>
> -Ds

Drew,

Have not done it in as large of an organization as you indicate, but
have TRIED to do it in smaller organizations -- and ran into MANY brick
walls. It is still a work-in-progress! Things are better, but we're not
there yet by any stretch at any organization that I am working with.

The primary issue is that A LOT of applications assume/require
administrative privilege to work. In reality, you can probably get
many/most to run with less than admin priv, but figuring out what is the
minimum required is not an easy task. And don't expect the application
vendor to be any help either!

Trying to remove local admin priv is a trial-and-error process. A lot of
apps will work most of the time, then one seldom-used feature breaks it.

You would be surprised the apps that require privilege to run... many
big name ones, such as the Intuit product line. There was a discussion
on DShield a few months back on this topic, and several people named
names of applications with privilege problems (but nothing close to
scratching the surface!).

Good luck.

Oh, BTW, as you try this task, publishing a list of the required minimum
privilege for each application would be a great help to everyone. I
wanted to do that, but my clients all objected.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
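
The Filemon/Regmon workflow described at the top of this message (capture while the application runs, then grant access only where it was denied) can be reduced to a short triage script. This is an added example, not part of the original thread or of the Sysinternals tools; it assumes a saved log in a tab-separated layout of sequence, time, process:pid, request, path, result, other, and the process name `acctapp.exe` and all sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines. Assumed layout (tab-separated):
# sequence, time, process:pid, request, path, result, other
SAMPLE_LOG = "\n".join([
    "1\t10:01:02\tacctapp.exe:1234\tOPEN\tC:\\Program Files\\AcctApp\\app.ini\tSUCCESS\t",
    "2\t10:01:02\tacctapp.exe:1234\tWRITE\tC:\\Program Files\\AcctApp\\app.ini\tACCESS DENIED\t",
    "3\t10:01:03\tacctapp.exe:1234\tCREATE\tC:\\Program Files\\AcctApp\\Data\\ledger.tmp\tACCESS DENIED\t",
    "4\t10:01:03\texplorer.exe:880\tOPEN\tC:\\WINDOWS\\Temp\\x.tmp\tACCESS DENIED\t",
    "5\t10:01:04\tacctapp.exe:1234\tSetValue\tHKLM\\Software\\AcctApp\\LastRun\tACCESS DENIED\t",
    "6\t10:01:05\tACCTAPP.EXE:1234\tWRITE\tc:\\program files\\acctapp\\APP.INI\tACCESS DENIED\t",
    "truncated line",
])


def denied_targets(log_text, process_name):
    """Map each path the process was denied on to the set of failed requests."""
    spelling = {}               # lowercased path -> first-seen spelling
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue            # header, blank or truncated line
        process, request, path, result = fields[2:6]
        if process.split(":")[0].lower() != process_name.lower():
            continue            # another process's noise
        if result.strip().upper() != "ACCESS DENIED":
            continue
        # Windows file and registry paths are case-insensitive: merge duplicates.
        key = spelling.setdefault(path.lower(), path)
        denied[key].add(request.upper())
    return dict(denied)


def group_by_parent(denied):
    """Group denied paths under their parent folder or registry key."""
    groups = defaultdict(list)
    for path in sorted(denied, key=str.lower):
        groups[path.rsplit("\\", 1)[0]].append(path)
    return dict(groups)


if __name__ == "__main__":
    found = denied_targets(SAMPLE_LOG, "acctapp.exe")
    for parent, paths in group_by_parent(found).items():
        print(parent)
        for p in paths:
            print("   ", p, sorted(found[p]))
```

Feeding it the concatenated logs from several capture sessions covers the seldom-used features mentioned above, since one run rarely exercises every code path.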
