One of the basic rules of security is to never give anyone more access than
they need.  Take a look at some SANS information.  Look at any of the
Microsoft white papers on security and they all tell you not to turn on any
services that you don't need and don't give service accounts more privileges
than they need.  The more privileges you have to start with, the easier it is
to increase your privileges.

As an example, if you have local admin rights you can replace or modify any
file that resides locally on your machine.  If you replace a file such as
explorer.exe with a program that looks at the logged-in user and checks
their rights to see if they are domain admin, then does something if they
are, all you have to do is convince someone with admin rights to log in to
your machine to gain domain admin rights for yourself.

Disclaimer: This is the current user's personal opinion and is not made
on behalf of my employer.


-----Original Message-----
From: Correa, Andre [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 01, 2001 4:09 PM
To: NT System Admin Issues
Subject: RE: Local User account selection


Keeping domain users from being local administrators is a security issue.  I
am not sure whether you are going to find any whitepapers that discuss this,
but IMHO giving users local administrative privilege creates more problems
than it solves.  End users can do nearly everything having regular
permissions.

I would basically detail all of this in a memo, and give them a couple of
scenarios, and show what could happen if they had local admin privilege, and
then what will happen if they don't.

HTH

____________________________________________
Andre Correa
Senior Manager/Information Technology
Lexitron, Inc
(201) 892-6399

-----Original Message-----
From: Greg Marcom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 1:22 PM
To: NT System Admin Issues
Subject: Local User account selection

I need to find a list or article that details why a domain user should not
be part of the local administrator group.  I have been telling these
people that it is not safe, and it is wrong.  But I can't find anywhere on
paper that I can show them.  Does anyone have any suggestions?

Greg Marcom
[EMAIL PROTECTED]

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


