Drew Simonis wrote:
Hello all,
I wonder if anyone on the list who might work for a good sized enterprise
(10,000+ seats) has gone through the excercise of removing administrative
rights from the user community?
Aside from the effort to inventory all applications and ensure that they work
with restricted permissions, I forsee that such an effort would likely require
changes to the entire support model. Instead of relying on users to install
their own software, it would need to be done for them. New hardware would
require intevention, etc.
If someone has completed this, was support a major new burden, or was it not as
difficult as it might be? If it was, how much of a burden was it (+ desktop
support headcount? +helpdesk calls?)?
-Ds
Drew,
Have not done it in as large of an organization as you indicate, but have TRIED
to do it in smaller organizations -- and ran into MANY brick walls. It is still
a work-in-progress! Things are better, but we're not there yet by any stretch
at any organization that I am working with.
The primary issue is that A LOT of applications assume/require administrative
privilege to work. In reality, you can probably get many/most to run with less
than admin priv, but figuring out what is the minimum required is not an easy
task. And don't expect the application vendor to be any help either!
Trying to remove local admin priv is a trial-and-error process. A lot of apps
will work most of the time, then one seldom-used feature breaks it.
You would be surprised the apps that require privilege to run... many big name
ones, such as the Intuit product line. There was a discussion on DShield a few
months back on this topic, and several people named names of applications with
privilege problems (but nothing close to scratching the surface!).
Good luck.
Oh, BTW, as you try this task, publishing a list of the required minimum
privilege for each application would be a great help to everyone. I wanted to
do that, but my clients all objected.
Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
