You're getting the hang of this... :)

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Wed, Sep 19, 2012 at 9:58 AM, James Rankin <[email protected]> wrote:

> I just did a blog post regarding user rights elevation - obviously there's
> loads of different ways to do this, just thought it was fairly relevant to
> the discussion (or it's just shameless self-promotion, take your pick) :-)
>
> http://appsensebigot.blogspot.co.uk/2012/09/using-appsense-application-manager-user.html
>
> On 19 September 2012 14:55, Kennedy, Jim <[email protected]> wrote:
>
>> BTW, I like where your response was coming from. It is the same tack I
>> took. We will make it work the way the users *need* it to without them
>> having admin rights. And then I delivered on that promise.
>>
>> *From:* David Lum [mailto:[email protected]]
>> *Sent:* Wednesday, September 19, 2012 9:48 AM
>> *To:* NT System Admin Issues
>> *Subject:* RE: This is what I get....
>>
>> +1
>>
>> After this reply to my coworker, I started working on exactly this. Since
>> we are basically a SaaS shop, our execs have a habit of focusing only on
>> client-side IT issues/development and employee-facing IT is scarcely on any
>> C-level’s radar. I am also guessing this is not unusual for this type of
>> company…
>>
>> Dave
>>
>> *From:* Ken Schaefer [mailto:[email protected]]
>> *Sent:* Tuesday, September 18, 2012 7:43 PM
>> *To:* NT System Admin Issues
>> *Subject:* RE: This is what I get....
>>
>> IMHO this is just wasting your time, and could potentially backfire.
>>
>> Write a business case instead, backed by actual figures/facts, and it
>> needs to go up the chain to management.
>>
>> Making major changes to how a business works is *not* the job of IT
>> (except in the smallest of organisations), and IT trying to enforce
>> something like this just makes IT a target for end-user frustration. It
>> *will* make your job harder in future.
>>
>> Instead, business operations really is the job of the COO (or CIO, or
>> even the business enterprise architect – if you have one). Get them to make
>> an informed decision, and enforce it down the chain of management. That’s
>> what they are paid to do.
>>
>> Cheers
>> Ken
>>
>> *From:* David Lum [mailto:[email protected]]
>> *Sent:* Wednesday, 19 September 2012 12:47 AM
>> *To:* NT System Admin Issues
>> *Subject:* RE: This is what I get....
>>
>> After I cooled off, I gave him this reply:
>>
>> Clearly you’ve never tried to not make them local admins. Give me two of
>> where a typical employee (this means not developers), and I’ll give you two
>> examples of how it can be accomplished WITHOUT them being local admin…
>>
>> *From:* Jonathan Link [mailto:[email protected]]
>> *Sent:* Tuesday, September 18, 2012 7:30 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: This is what I get....
>>
>> Are those calls documented? And what was the nature of the call?
>>
>> After the initial transition, this will actually make admins' lives
>> easier, since they have a more controlled environment to work in.
>>
>> Yeah, some things are easier when they have admin rights, but that
>> doesn't mean that users should be doing those things, either.
>>
>> On Tue, Sep 18, 2012 at 10:22 AM, David Lum <[email protected]> wrote:
>>
>> Here’s how much fight I get when I even SUGGEST we should be removing
>> admin rights from our users.
>>
>> Worthy to note I am not a local admin on my own NWEA machine, and none
>> of my %sidejob% clients are local admins on theirs. This guy knows this,
>> but still fights me every time.
>>
>> This reply incensed me enough to start again working on the management
>> buy-in, as it’s a lot harder to stop a top down order.
>>
>> *Sent:* Tuesday, September 18, 2012 6:35 AM
>> *To:* David Lum
>> *Subject:* RE: IE 0-day, MS releases bulletin
>>
>> We have this very rare instance of a Zero Day attack in IE for a few
>> sites and you think that is a reason to create the complete nightmare of
>> taking away Admin rights to a local machine. Clearly you don’t know how
>> often our users are using their admin rights on their machines. The SD
>> got a call once a week from the ONE person who had that setup when she was
>> moved to Windows 7. If we spent some time building the infrastructure
>> that makes such a situation workable (like I did at the school district I
>> worked at), then we could live with our 500 users not being admins.
>>
>> David Grand
>>
>> *From:* David Lum
>> *Sent:* Tuesday, September 18, 2012 6:24 AM
>> *Subject:* IE 0-day, MS releases bulletin
>>
>> Please read this article and weigh in on the suggested workarounds.
>>
>> Microsoft has released a bulletin on this, and has suggested workarounds.
>> Most can be achieved via GPO:
>>
>> http://technet.microsoft.com/en-us/security/advisory/2757760
>>
>> Note 1: “An attacker who successfully exploited this vulnerability could
>> gain the same user rights as the current user. Users whose accounts are
>> configured to have fewer user rights on the system could be less impacted
>> than users who operate with administrative user rights.”
>>
>> *SD – this exact scenario is the benefit of users not being local
>> administrators.*
>>
>> Note 2: Some of this is already done via the Trusted Site GPO. Their
>> additional recommendations recommend disabling ActiveX for Internet and
>> Local Intranet. The latter would disable some Commons functionality, but we
>> can disable it on the Internet site zone temporarily. Even this will
>> generate Service Desk calls but I feel this is worth mitigating the risk.
>>
>> Dave
>>
>> *From:* David Lum
>> *Sent:* Monday, September 17, 2012 12:39 PM
>> *Subject:* Just so you know that I know..
>>
>> 0-day of the week:
>>
>> http://www.computerworld.com/s/article/9231367/Hackers_exploit_new_IE_zero_day_vulnerability?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29
>>
>> Dave
