I hear you. I have exactly the same battle at this end, but it focuses on the problems with legacy apps that don't play well under Win7.
It's incredible how much people fight this - but it's mostly about their egos. They want the shred of illusion that they know what they are doing and are responsible computing/corporate citizens, when in reality they are dangerous buffoons who are putting the organization at risk. Kurt On Tue, Sep 18, 2012 at 7:22 AM, David Lum <[email protected]> wrote: > Here’s how much fight I get when I even SUGGEST we should be removing admin > right from our users. > > > > Worthy to note I am not a local admin on my own NWEA machine, and none of > my %sidejob% clients are local admins on theirs. This guy knows this, but > still fights me every time. > > > > This reply incensed me enough to start again working on the management > buy-in, as it’s a lot harder to stop a top down order. > > > > > Sent: Tuesday, September 18, 2012 6:35 AM > To: David Lum > Subject: RE: IE 0-day, MS releases bulletin > > > > We have this very rare instance of a Zero Day attack in IE for a few sites > and you think that is a reason to create the complete nightmare of taking > away Admin rights to a local machine. Clearly you don’t know how often our > users are using their admin rights on their machines. The SD got a call > once a week from the ONE person who had that setup when she was moved to > Windows 7. If we spent some time building the infrastructure that makes > such a situation workable (like I did at the school district I worked at), > then we could live with our 500 users not being admins. > > > > David Grand > > > > From: David Lum > Sent: Tuesday, September 18, 2012 6:24 AM > Subject: IE 0-day, MS releases bulletin > > > > Please read this article and weigh in on the suggested workarounds. > > > > Microsoft has released a bulletin on this, and has suggested workarounds. > Most can be achieved via GPO: > > http://technet.microsoft.com/en-us/security/advisory/2757760 > > > > Note 1: “An attacker who successfully exploited this vulnerability could > gain the same user rights as the current user. Users whose accounts are > configured to have fewer user rights on the system could be less impacted > than users who operate with administrative user rights.” > > SD – this exact scenario is the benefit of users not being local > administrators. > > > > Note 2: Some of this is already done via the Trusted Site GPO. Their > additional recommendations recommend disabling ActiveX for Internet and > Local Intranet. The latter would disable some Commons functionality, but we > can disable it on the Internet site zone temporarily. Even this will > generate Service Desk calls but I feel this is worth mitigating the risk. > > > > Dave > > > > From: David Lum > Sent: Monday, September 17, 2012 12:39 PM > Subject: Just so you know that I know.. > > > > 0-day of the week: > > > > http://www.computerworld.com/s/article/9231367/Hackers_exploit_new_IE_zero_day_vulnerability?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29 > > > > Dave > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
