Filed Under (Uncategorized) by Dave Mast on May-16-2008

Local admin privileges — to reinstate or keep locked away?

This has been on my mind a lot lately, mainly because I’ve been thinking about ways to better serve our users at NPCC and make things easier for them.  I know the local admin discussion is not a new one by any stretch, and you can also approach it from either side of the fence.  It really comes down to what you determine to be "acceptable risk."

This is what I’m kicking around in my head right now — what if I made each user a local admin for their respective machine?  Currently, only laptop users and one, maybe two desktop users have local admin rights to their machine. 

The advantages of giving back local admin?
1. Users can install software without having to ask me or wait on me to arrive on the scene.
2. Users can update programs on their own (Yeah I’m talking about you, iTunes) without my approval.
3. Those flash drives that require an extra piece of software before they mount (which I hate) can be used without my being on the scene.  In addition, the end-user can be walked through the process of reassigning drive letters if their flash drive somehow manages to interfere with our standard drive mappings. (boo)
4. Users can install fonts on their own without having to ask me.
5. If a user is done with a program and no longer needs it, they can uninstall it on their own without my help.

Now, the disadvantages and dangers of putting local admin back in the users’ hands?
1. Users can install software without having to ask, regardless of whether this software is legit or not.
2. To guard against the above, I will need to implement a monitoring solution that tracks software installation.  Spiceworks might be a good place to start with that.
3. I’m going to have to create a list of software that is supported by NewPointe IT; I don’t have the resources to support every piece of software that gets installed on a machine.  What happens then, when a user installs "unsupported" software and it wrecks their system?  That will need to be spelled out as well.
4. Any process that runs while the user is logged in will run with local admin privs.  Again, machine monitoring and logging will be a must.
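One way to get the install tracking and logging that items 2 and 4 call for, using only the event logs Windows already writes, is shown below. This is an added example, not code from the original post or from Spiceworks; the computer names are placeholders, and it assumes an account that can read the Application and Security logs remotely and that "Audit Security Group Management" is turned on so that event 4732 is actually recorded.

```powershell
# Added example (not from the original post): report recent MSI installs/removals
# and additions to the local Administrators group, per computer, from event logs.
# Assumptions: remote event-log read rights; Security auditing for group
# management enabled (otherwise 4732 never appears). Names are placeholders.

param(
    [string[]]$ComputerName = @('WORKSTATION-01', 'WORKSTATION-02'),  # placeholder names
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

foreach ($computer in $ComputerName) {
    # MsiInstaller logs 1033 (product installed) and 1034 (product removed)
    # to the Application log. Non-MSI setup.exe installers will not show here;
    # an inventory tool such as Spiceworks is still needed to catch those.
    $installs = Get-WinEvent -ComputerName $computer -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 1034
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $installs) {
        [pscustomobject]@{
            Computer = $computer
            Time     = $e.TimeCreated
            Event    = if ($e.Id -eq 1033) { 'Installed' } else { 'Removed' }
            User     = $e.UserId                     # SID of the account that ran the installer
            Detail   = ($e.Message -split "`n")[0].Trim()   # first line names the product
        }
    }

    # Security event 4732 = "a member was added to a security-enabled local group".
    # Keep only additions to the built-in Administrators group (well-known SID
    # S-1-5-32-544, in the TargetSid field) so the check is not language dependent.
    $groupChanges = Get-WinEvent -ComputerName $computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4732
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[4].Value -eq 'S-1-5-32-544' }

    foreach ($e in $groupChanges) {
        [pscustomobject]@{
            Computer = $computer
            Time     = $e.TimeCreated
            Event    = 'AddedToLocalAdministrators'
            User     = $e.Properties[6].Value               # SubjectUserName: who made the change
            Detail   = "Member SID $($e.Properties[1].Value)"   # MemberSid: who was added
        }
    }
}
```

Run it on a schedule and pipe the output to `Export-Csv`, and you have a simple audit trail of what was installed by whom and of anyone quietly promoting extra accounts to local admin, which is the thing a user running as admin can do that you most want to know about.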

I haven’t made a decision on this yet, but I’m very interested to hear anyone’s argument for or against users running with local admin.  What are you doing in your organization, and what factors led you to that decision?

Comments
Dean Lisenby on May 17th, 2008 at 7:28 am

Glad to hear you are at LEAST considering it. I won’t persuade you either way.

Cisco on May 17th, 2008 at 8:03 am

We have a little over 150 computers and 17 Servers. We currently have an AD security group called “LocalAdmins”. We have added this security group to each computer as an administrator to that computer. Then, we add users to that group as needed. Currently, all of our domain user accounts (employees) are members of the LocalAdmins group, and none of our volunteer accounts are members of the LocalAdmins group.

This is working well for us. We recently installed SpiceWorks on its own Virtual Server. It’s working great. I run a network scan twice a day, 11:00am and 11:00pm. This allows us to see any hardware/software that is installed on the network. It also allows us to see all the software that is installed on the network and if we notice anything that is not supposed to be installed, we can address the user/computer. If you need to remove someone as a local admin, simply remove them from the LocalAdmins group and have them log off and back on.

The downside is the risk associated with a user opening a virus, or going to a website with a virus, and then it will be run with local admin privileges, as you said. We have several layers of defense against this.

In our case, this scenario has worked well for us.

Hope this helps as you ponder what will be best for your network! :)

Cisco
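The nested-group approach above only stays safe as long as the local Administrators group on every machine really contains just the expected members. As an added example (not the commenter's code, and not from the original post), this PowerShell script enumerates the local Administrators group on each computer through the WinNT ADSI provider and flags anything outside an allow-list. It assumes you have admin rights on the targets and that RPC/SMB to them is open; the computer and group names are placeholders.

```powershell
# Added example (not from the comment above): audit local Administrators
# membership across machines and report members outside an expected set.
# Assumptions: admin rights on each target and the WinNT ADSI provider reachable.
# Computer names and the expected-member list are placeholders.

$expected  = @('Administrator', 'Domain Admins', 'LocalAdmins')   # allow-list (placeholder)
$computers = @('WORKSTATION-01', 'WORKSTATION-02')                # placeholder names

function Get-LocalAdministrators {
    param([string]$Computer)

    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    # Members come back as COM objects; read Name and ADsPath via reflection.
    # ADsPath tells you whether the member is a domain or a local account.
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Computer = $Computer
            Member   = $name
            Source   = $path -replace '^WinNT://', ''
            Expected = ($expected -contains $name)
        }
    }
}

$report = foreach ($c in $computers) {
    try   { Get-LocalAdministrators -Computer $c }
    catch { Write-Warning "Could not query ${c}: $_" }
}

# Anything not on the allow-list is worth a look: a user who added a second
# account, a forgotten service account, or a machine that was set up by hand.
$report | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Who is actually inside the LocalAdmins group itself is an AD question rather than a per-machine one; `Get-ADGroupMember LocalAdmins -Recursive` answers that, and running both checks from the same scheduled task gives a complete picture of who can act as admin where.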

Grant Hutchins on May 18th, 2008 at 2:54 am

Hi, I’m Grant, one of the developers at Spiceworks. I found this post through a Google Alert on the word “Spiceworks” and I figured that this might help you with your software monitoring: http://community.spiceworks.com/help/Tracking_Software_License_Compliance

Thanks for using Spiceworks, and thanks for the kind words!
