You're reading too much into my message. The issue is really exactly what I
said - a group of people having unrestricted and untrackable access to other
people's PCs. When a desktop tech comes by to fix my broken PC, I know he
had physical access and that is tracked by our incident management system.
But if he has local Administrator privileges on my PC, I have no idea when
he may access my PC and no good way of tracking that he did. It almost
doesn't matter what kind of data is on the PC. Also, privacy rules are
different across the globe and often much stricter outside of the US.


Your idea of using separate accounts for privileged access rights is a good
one and one we have already adopted.


-Malcolm


From: Webb, Brian (Corp) [mailto:[email protected]] 
Sent: Wednesday, March 04, 2009 2:23 PM
To: NT System Admin Issues
Subject: RE: Support techs remote access rights to user PCs


Is the issue that you don't trust your desktop and application support
techs?  If so, you need to get some different techs.


If the issue is that your users are putting stuff on their local hard drives
that is sensitive, you need to re-train your users to put that data in
secure areas.


We generally don't care about techs (and even some users) having local admin
rights as long as they are assigned to a different account that they aren't
using as their primary login.  Our techs do not surf the web or read e-mail
when they are logged in with admin rights.  They use RunAs or MakeMeAdmin to
access their admin rights when needed.  We also have an "admin terminal
server" that you can log into with your admin account to run tasks that need
admin rights.


-Brian


  _____  

From: Malcolm Reitz [mailto:[email protected]] 
Sent: Wednesday, March 04, 2009 11:44 AM
To: NT System Admin Issues
Subject: Support techs remote access rights to user PCs

We are having an internal discussion on how to handle computer access rights
for our application support and desktop support techs. Right now, certain
techs are in an AD group which is in the local Administrators group on some
PCs. This lets them resolve end-user issues by accessing the user PCs with
Remote Desktop, Remote Registry, or simple connections to a share. However,
it also means they can get to anything on the users' PCs and there is no
auditable access tracking.


So, we'd like to remove this access privilege and have the techs use other
support methodologies, such as Remote Assistance, which requires the users
to be aware of what's going on. There are cases, though, where the app
support guys say they have to make batch updates to groups of PCs (such as
to point them to a new license server) and they're balking at giving up
their local admin rights. I've already thought of some ways to handle these
issues, but I'd like to hear what some of you have done. We're running XP
SP2/SP3 desktops on 2008 AD domains. The PCs are managed with SCCM 2007 SP1.


Thanks,

-Malcolm
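One way to get the auditable access tracking Malcolm says is missing, as an added example rather than anything posted in this thread: a PowerShell function that takes logon records already collected from a PC's Security log and reports remote logons by support-tech accounts, flagging those made with a primary login instead of a separate admin account of the kind Brian describes. The group, account and computer names, the "-adm" naming convention and the sample records are all made up for the example.

```powershell
# Added example, not from the thread. Reports remote logons by support techs
# from Security log records that have already been collected and reduced to
# Computer / Account / LogonType / Time. Names below are hypothetical.

# Hypothetical support-tech group members and the suffix their separate
# admin accounts use (the "different account" practice from the thread).
$SupportGroupMembers = @('CORP\jsmith', 'CORP\jsmith-adm', 'CORP\akhan', 'CORP\akhan-adm')
$AdminAccountSuffix  = '-adm'

# Logon types that correspond to the remote access paths discussed:
#  3 = network (share, Remote Registry), 10 = RemoteInteractive (Remote Desktop)
$RemoteLogonTypes = @{ 3 = 'Network (share/Remote Registry)'; 10 = 'Remote Desktop' }

function Get-SupportRemoteLogons {
    param(
        [Parameter(Mandatory=$true)][object[]]$LogonEvents,
        [string[]]$Members     = $SupportGroupMembers,
        [string]  $AdminSuffix = $AdminAccountSuffix
    )
    foreach ($e in $LogonEvents) {
        # Skip console logons and anyone outside the support group
        if (-not $RemoteLogonTypes.ContainsKey([int]$e.LogonType)) { continue }
        if ($Members -notcontains $e.Account) { continue }
        # A remote admin session from a primary login is worth a follow-up
        $usedAdminAccount = $e.Account -like "*$AdminSuffix"
        [pscustomobject]@{
            Time             = $e.Time
            Computer         = $e.Computer
            Account          = $e.Account
            Access           = $RemoteLogonTypes[[int]$e.LogonType]
            UsedAdminAccount = $usedAdminAccount
            Note             = if ($usedAdminAccount) { '' } else { 'primary login used for remote access' }
        }
    }
}

# Constructed sample records standing in for parsed successful-logon events
# (event 540 on XP for network logons; event 4624 on Vista/Server 2008).
$sample = @(
    [pscustomobject]@{ Time='2009-03-04 09:12'; Computer='PC-0417'; Account='CORP\jsmith-adm'; LogonType=10 },
    [pscustomobject]@{ Time='2009-03-04 09:40'; Computer='PC-0417'; Account='CORP\akhan';      LogonType=3  },
    [pscustomobject]@{ Time='2009-03-04 10:02'; Computer='PC-0417'; Account='CORP\mreitz';     LogonType=2  },
    [pscustomobject]@{ Time='2009-03-04 10:15'; Computer='PC-0522'; Account='CORP\jsmith';     LogonType=10 }
)

Get-SupportRemoteLogons -LogonEvents $sample | Format-Table -AutoSize
```

With the sample above, the console logon by CORP\mreitz is ignored, and the two sessions by CORP\akhan and CORP\jsmith are listed with the primary-login note, giving the per-PC record of tech access the original post asks for.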