Thoroughly agree, and I'm finally convincing management to let us make this happen - though our software engineers are not yet aware of it. They'll probably end up on a firewalled subnet of their own, though, and can do what they want with it, as I'll wash my hands of that.
But, I'm down to two guys, and we've got a lot of work ahead of us to make this happen. Kurt On Tue, Sep 1, 2009 at 15:00, Ben Scott<[email protected]> wrote: > I'll chime in and agree that removing admin rights from regular > accounts is one of the best things you can do. The rest of the > computer world has been doing it for 50 years or so; it's high time > the Windows world joined in, too. > > We started doing this when we started migrating from Win9X to > 2000/XP. Best thing we ever did. The amount of trouble due to stupid > things has dropped dramatically. Users can't screw up their own > computers any more. We don't have "mystery software" -- no "so-and-so > used to work here and had this program and now we need it but don't > know where it is". No pollution of user PCs with crap from home or > the Internet. The virus/malware problem is hugely mitigated by this > alone. > > It's been some work, and it's often still a lot of work when we get > a new application in. Fortunately, when someone thinks to ask IT > before the sale, I can tell the vendor "fix your LUA bugs or we walk". > Even for a small company like this, that gets results. > > Someone mentioned "he's a senior admin and I can't really justify > not letting him have admin rights". I can't speak for the politics in > a particular company, but where I work, nobody has admin rights for > their regular account. Nobody. Not the owner, not the president, not > me. I'm the IT Manager and half the IT department, and my regular > user account has less access than a lot of other people. I know the > passwords to the admin accounts, of course, but my regular account is > a regular account. > > I strongly believe this should be the first tech improvement > priority in any IT organization that isn't already there. > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
