Home > Archive > Windows 2000 track general > October 2001 > here's a real world question
here's a real world question
| macaries 2001-10-11, 12:38 am |
Should the guy who gets the computer on his desk be a member of the local administrators group, a power user or a user? Let's say it's Dilbert's Windows 2000 computer, in a typical company that's concerned about network security.
| TW2001 2001-10-12, 6:15 pm |
I thought the questions for the new MCSA certification wouldn't be out until next year.
I've yet to review the new training kits... so I better hold off on answering this thought-provoking and complicated question.
| macaries 2001-10-12, 6:40 pm |
Some draconian and lazy IT directors are trying these days to "lock down" the desktop, and Win2K gives them that capability better than any product before. Win2K also provides the user who is in the local administrator group incredible functionality and tools never before available. So would you put up with not being an administrator of your own computer at work? For the sake of quick and dirty security? It's a simple question but takes balls to answer or even to ask yourself.
| TW2001 2001-10-13, 3:23 am |
Are you kidding me?
Configuring security is being lazy and draconian. If you ever get to be an admin, the less bullsh*t end user hassles you can eliminate the better.
A person only gets what they need. Most certainly do not need to have administrative privileges! Those are for the professionals!
It's not a game. It's about productivity and uptime.
You think about it.
|
quote: Originally posted by TW2001
A person only gets what they need. Most certainly do not need to have administrative privileges! Those are for the professionals!
It's not a game. It's about productivity and uptime.
You think about it.
I totally agree with TW: end users should only get what they need to perform their job function. To me, it's a silly thing to open systems up security-wise unless job security is something you feel you need, and you really enjoy troubleshooting all of those wonderful problems your end users will do to their systems, of course stating all along that they have no idea how that could have happened. Happy re-installing/re-imaging days ahead for you.
The less chance you give your end users to muck things up with their systems while allowing them to perform their job function, the more productive they will be and the less time you will have to waste fixing their screw-ups.
It's not being "draconian" or "lazy", it's called being realistic and practical in a corporate environment.
Can you give a business justification as to why you would want to give an end user administrator rights on their workstation?
Is there some application that requires you to have administrator rights to operate properly? I doubt it.
| macaries 2001-10-13, 10:24 am |
Yes, I can think of 2 reasons that an end user needs full control of his/her own machine: programming and certain database connectivity. I'm not saying that's all either: many scientists and financial professionals configure and install their own utilities. It seems network administrators who are lazy and without the skill to configure firewalls, proxy servers, file servers and network monitoring tools would rely on locking down the desktop for the local user.
My users rely on desktop support, not desktop control. Before I think about locking down a machine I work on securing access to the machine and user training. I don't think I'm alone on this point either.
I can believe there would be a great deal of frustration on the part of a user who is not able to set file share & security on his own local files.
| chodan 2001-10-13, 12:03 pm |
I'm not sure looking at it as an all-or-nothing situation has much merit either.
Some people should never ever get admin privileges to the company restroom, much less their workstations; that doesn't mean they can't do their job with more limited permissions.
Others can be trusted with that kind of control.
As network admins it's up to us to decide who gets what by setting policy and adhering to it.
As for letting users create shares.
Not a good idea.
If you got hit with Nimda then you know what undocumented shares can do to your network.
Chodan
|
Macaries, have you ever worked supporting end users in a large corporate environment? Because your attitude towards security is more like someone who is either frustrated because they are the one being "tied down", or who only supports about 5-10 users in a small shop running a peer-to-peer network.
Granted, security level is dependent upon the environment in which you work with respect to size, job functionality, network model (domain vs. workgroup), and other factors as well. When you are talking small peer-to-peer workgroup security, that's an entirely different animal than a large corporate domain-wide security structure and implementation.
For a small group of programmers or engineers I can see having more access to their local system features, but they still do not need Administrators privileges to perform their job function. But then again, remember, we are not talking about your average everyday end user drone either, so they can be viewed as a possible exception.
Database connectivity for the end user, I don't see the reason. Can you explain further? I help administer/support over 2,600 users at our regional bank site; the users access SQL databases, Oracle databases, AS/400 midranges, Telnet sessions into mainframes, etc., and they do not have Administrator rights on their local machines. They are ordinary users: no CD-ROM drives in their systems, no icons on the desktop, no access to the Run command, can't access their HD through Explorer, basically forcing them to save their files/documents/etc. to their network home drives.
If an end user has a file they need to share, why wouldn't you provide them with a common share drive on the network server that any user placed in the appropriate group would have rights to, and they can access it that way? In addition, that file/directory would get backed up regularly during the normal backup of the network.
In your suggestion, if I have a file/directory on my local HD that I share and my HD decides to take a crap on me, I lose that file/directory. Maybe you don't mind re-creating things over again but I do, and please don't tell me how you would have all end users diligently back up their local HDs on a regular basis.
I could go on and on....
By the way, would you be so kind as to educate me in how the ability to configure firewalls and proxy servers correlates to local end user security at the desktop? Also, what does the ability to configure network monitoring tools have to do with local security levels at the desktop?
"My users rely on desktop support, not desktop control. Before I think about locking down a machine I work on securing access to the machine and user training. I don't think I'm alone on this point either."
Sorry, I don't agree, and I'm not alone on this point either. I've been involved with trying to implement that mindset before; it doesn't work. I believe you make the assumption that everyone will "play nice" together, and unfortunately that is simply not the case. The Internet was created under that premise in the beginning as well, and I don't think you can say that everyone plays nice on the Internet.
And how do you handle the disgruntled end user, or the end user who likes to mess around with their system? Scold them? Ask them to please not do that again? Fire them on the spot?
Oh heck, why am I even wasting my breath...
Yes, you are correct, I admit it, I have no skills (or skillz for u l33t h4x0r d00dz). I tie down workstations, I am lazy and I'm damn proud of it! Yesterday I couldn't even spell computer, now I'm workin' on 'em.
Looking forward to your reply.
| macaries 2001-10-13, 2:47 pm |
If you got hit with Nimda then you hadn't applied the current patches to your IIS servers and IE. And, documented or not, all your shares and mapped drives, too, provided a gateway to spread the virus through your LAN. "Locking down" the desktops would have done nothing to help in this situation.
I'm glad there is agreement that some users need full control of their desktops. I advocate that all users need full control of their desktops. If the corporation has the trust to place a machine in the care of any user, then as long as access is restricted to that user he should be a member of his machine's local administrators group. Remember, this was essentially how it was with Win95/98.
| chodan 2001-10-13, 10:08 pm |
My IIS servers didn't get hit with Nimda.
"BTW, I'm switching to Cobalt RaQ servers."
Nimda had/has 10 separate methods for accessing a computer or network; open shares are just one way, and undocumented open shares would make it "virtually" impossible to isolate and eradicate that particular worm.
Anyway, calling people lazy for doing their jobs and being security minded shows me that you might not have experienced the joys of "end user chaos and mayhem".
My 2 cents
| TW2001 2001-10-14, 6:33 am |
Windows 2000 provides the administrator far more granular control over a user's environment than any Windoze OS to date. Through GP and administrative templates, enough access can be given without sacrificing security and stability. The thread starter is comparing many different aspects of network administration that are very different (proxy, firewall : local admin rights).
We did the same things in NT with policies.
Win95/98 = no security!
Where are you coming from?
| macaries 2001-10-14, 10:35 am |
CHODAN, I have read your posts in another thread (General, "Hackers watch out") where you graciously discussed your unfortunate hit with Nimda. I am truly sorry for any inference you might have felt by my "lazy" comments. I have no doubt that you were as busy, perhaps more busy than I was, trying to isolate, patch and clean for that insidious virus.
TW, I work with a great number of professionals and they benefit from the access they have to their local machine. This is done by including them in the administrator group on the local machine. None of this was necessary or even discussed in the days of Win95/98. I understand you and others are in different situations where you perceive a risk of data being lost or stolen from the local workstation.
| TW2001 2001-10-14, 12:10 pm |
"TW, I work with a great number of professionals and they benefit from the access they have to their local machine. This is done by including them in the administrator group on the local machine."
Can you give any examples? What exactly do they do to need those rights?
Your reasoning...
"If the corporation has the trust to place a machine in the care of any user, then as long as access is restricted to that user he should be a member of his machine's local administrators group."
What are you comparing in the days of Win98/95? What power user apps get run (locally) on those systems?
Have you ever been involved in something other than the peer-to-peer simplicity you are describing? Even then I would definitely be using the administrative tools at my disposal.
| macaries 2001-10-14, 3:13 pm |
TW, have you ever had the pleasure to "lock down" a Linux workstation? How is this done? When will you be finished with your computer science degree?
|
quote: Originally posted by macaries
....he should be a member of his machine's local administrators group. Remember, this was essentially how it was with Win95/98.
Not entirely true, but to a degree maybe, if you are comparing to NT or 2000. You see, there's a nifty little tool called poledit located in the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc that allows you to "tie down" the Win95 client system as well. We ran this setup a few years ago with Win95 clients in a mixed Novell/NT shop. It worked very well. No desktop icons, remove the Run command, remove Explorer, disable access to selected Control Panel icons, etc. The only thing you couldn't do was remove the Find command, so a savvy end user could use Find to locate explorer.exe and access his local HD that way. Of course, most mid-size to larger corporations have policies prohibiting installation of software by end users on their systems and saving documents, etc. to their local HDs. They usually will implement some kind of information gathering software like NetCensus to keep tabs on the end users' systems. This is helpful to keep track of licensing information as well.
Macaries, I can appreciate your views, but basing an IT security policy on trust in one's co-workers is not the best way to approach things (IMHO).
As I said before, you should never give end users more authority over their machines than is necessary for them to accomplish their job function. I can't make it any plainer than that, and I think you will find this mindset more prevalent in the industry than the "placing trust in everyone to play nice together" approach. Again, if that were the case and people did "play nice", we wouldn't have the problems that exist today with the Internet.
Just my 2 cents. Good luck to you and take care.
| 2beCCIE 2001-10-15, 6:46 am |
I have worked in user-type support for a long while. The less Joe the User has the ability to "play", the fewer calls you get. Period. Because the user will download and install every free piece of software on the net. This includes everything from 47 different kinds of screen savers and wallpapers to Java games killing Osama. Then they call and complain because their system is slow and locks up. Lock them down to only what they need to do business-related functions. Or chase your tail until you burn out. Your call!!
Just one man's opinion!!!
| macaries 2001-10-15, 6:28 pm |
Thanks for your reply, 2BeCCIE. I think I would get tired of fixing screen savers too.
However, I have been disappointed with the general response here. I wanted people to focus on the functionality and enhancements that Win2K offers the engineer or scientist type user if it's not locked down. You know, advanced users. Not "drones", "screw-ups" or "disgruntled workers", just Dilbert. Nearly every user can become an advanced user too with some user training. There is more reward than risk in having a user in full control of the machine on his desk: not the network or any other machine, just the one on his desk.
I was pleased today to read this in Network Magazine, in an article on Security by Complexity by Rik Farrow:
"Microsoft's designers have done their best to create reasonable defaults without sacrificing too much security, and the average home user may be able to live with these defaults. The fascist network administrator will love Windows XP for the control it provides over the desktop; it even blocks execution of certain applications. And security lovers will appreciate the enhanced authentication available with the support for smartcards."
OK, so it's about XP, but it points out the divide in thinking between the fascist looking for control and the security-minded using the smartcard for restricting access.
I'm not saying if you vote "user" then you're a fascist, but if you're liberal thinking like I am, vote "administrator" on the local machine.
Cheers & here's a link: http://www.networkmagazine.com
| chodan 2001-10-15, 7:38 pm |
The network I help manage doesn't have scientists, and the only engineer-level people work in the administrative staff with me, so I should say that I wouldn't be able to say for certain how I would react.
I would probably start out very restrictive and work my way out depending on the skill level of the individual, that is if I have time; some people have several hundred to several thousand hosts in their networks, so individuals can't be evaluated.
If a group "of developers, engineers or scientists" was large enough you could place them in their own subnet and in an OU with more permissions, and possibly their own tech support person / administrator.
How 'bout that?
| macaries 2001-10-15, 8:01 pm |
Sounds good, CHODAN. When we (where I work) get our native Windows 2000 domain I will definitely take advantage of the OU structure.
|
Your original post stated this: "Should the guy who gets the computer on his desk be a member of the local administrators group, a power user or a user? Let's say it's Dilbert's Windows 2000 computer, in a typical company that's concerned about network security."
Now your last post states this: "There is more reward than risk in having a user in full control of the machine on his desk not the network or any other machine just the one on his desk."
You post an initial question; members with experience in the field post their replies based on your initial post.
You then post comments of IT administrators being "draconian", "lazy", and lacking "skills" because they would, in a network environment, choose to tie down the workstations, only giving users what is necessary to perform their daily job function. You then state how you are disappointed when the majority of responses do not fall in line with your mindset of trusting users who are professionals and granting them local administrator rights on their machines (remember, we are still talking about the network security issue you raised in your original post). In the end, you correlate IT security methodology with political ideology (oh ya, politics and trust go hand in hand, right?) and state that we are now only talking about security levels on individual machines not attached to a network.
So are you talking about network security or individual desktop security of a workstation not attached to a network?
You are talking about two entirely different animals. I'll give you local administrator rights on your PC if you are isolated from the network. I attach you to the network, I tie you down via GPOs and utilize the granular security controls of Windows 2000 at my disposal, allowing you to perform your job function all the while not granting local administrator rights on your system. Power User would work just fine for you professional engineer/scientist types.
Guess what, your single Power User vote was from me (I did take into consideration your views and the IT level of the professionals you've been referring to). So what does that make me? A conservative?
Since you seem to be a Dilbert fan, I leave you with this. About 4 years ago there was a Dilbert strip that came out; it had to do with troubleshooting a computer problem. Long story short, the problem was classified in the strip as a "PEBCAK" error.
"PEBCAK" stands for Problem Exists Between Chair And Keyboard.
Cheers.
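The lock-down position argued in this post (GPOs plus Users or Power Users membership instead of local Administrators) only holds if somebody periodically checks which accounts actually sit in the local Administrators group. The PowerShell below is an added example, not code from the thread or from anyone in it: it lists the local Administrators group, reports every member that is not on a constructed allow-list, and offers an optional demotion step that can be previewed with -WhatIf. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 or later), an elevated prompt, and the CONTOSO\... group names are placeholders.

```powershell
# Added example (not from the thread or its participants): audit the local
# Administrators group against an allow-list, so that "only what the job
# needs" is verified on each workstation rather than assumed.
# Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts cmdlets
# (Windows 10 / Server 2016 or later). Run from an elevated prompt.

# Constructed allow-list. The CONTOSO\... entries are placeholders for the
# real domain groups that are permitted to hold local admin rights.
$script:AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Support'
)

function Get-UnexpectedLocalAdmins {
    # Returns one object per member of Administrators that is not on the allow-list.
    [CmdletBinding()]
    param(
        [string[]]$Allowed = $script:AllowedAdmins
    )

    # Get-LocalGroupMember resolves each SID to DOMAIN\name (COMPUTER\name for local accounts).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($member in $members) {
        if ($Allowed -notcontains $member.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $member.Name
                ObjectClass     = $member.ObjectClass      # User or Group
                PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Set-StandardUser {
    # Demotes a flagged account from Administrators to $TargetGroup ('Users' by
    # default; 'Power Users' reproduces the middle option debated in the thread).
    # SupportsShouldProcess gives -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Member,
        [string]$TargetGroup = 'Users'
    )

    if ($PSCmdlet.ShouldProcess($Member, "Remove from Administrators, add to $TargetGroup")) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
        # Add-LocalGroupMember errors if the account is already a member; that is harmless here.
        Add-LocalGroupMember -Group $TargetGroup -Member $Member -ErrorAction SilentlyContinue
    }
}

# Typical run: report first, preview remediation, change nothing until reviewed.
$unexpected = @(Get-UnexpectedLocalAdmins)
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table -AutoSize
    $unexpected |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { Set-StandardUser -Member $_.Member -WhatIf }
} else {
    "No unexpected members in $env:COMPUTERNAME\Administrators."
}
```

On the Windows 2000 machines the thread is about, `net localgroup Administrators` from a command prompt lists the same membership and the comparison against the allow-list is a manual step; the order (report, review, then demote) is the part worth keeping either way, since a domain group that was legitimately added for a support team looks exactly like an unexpected one until somebody has checked it against policy.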
| TW2001 2001-10-16, 12:16 pm |
We have things called standards. These allow sysadmins to create templates/profiles based on specific user needs.
"Nearly every user can become an advanced user too with some user training. There is more reward than risk in having a user in full control of the machine on his desk not the network or any other machine just the one on his desk."
That's laughable.
I work in an environment with many different needs. We look at these needs and deploy solutions based upon maximum productivity, efficiency and security. None of these entail giving away complete control of a system.
Can you give a specific example of what you mean?
XP as far as desktop control is, guess what, "THE SAME AS 2K". You really need to work with these products to understand how to use them. We have mentioned what sysadmins do to control our environment.
Nearly every user can become an advanced user with a little training..... yep, and you can become a system administrator in 10 weeks too.
I'm not sure what my degree progress will show you here. Linux and Windows are two very different worlds. Maybe another time.
Good luck.
Trust people who do this. Listen, learn... you may just end up joining us
| macaries 2001-10-16, 12:58 pm |
Spid, you are a powerful debater and there is nothing wrong with being conservative.
Yet am I to understand that you took my reference to Dilbert being a member of the local administrator group to be Dilbert as domain administrator?
No, my message has been consistent: Dilbert should have local administrator rights to his machine just as Dexter from Dexter's Laboratory should. TW, I'm afraid I would have to lock him down...
|
"Spid, you are a powerful debater and there is nothing wrong with being conservative.
Yet am I to understand that you took my reference to Dilbert being a member of the local administrator group to be Dilbert as domain administrator?"
No, I understood where you were coming from.
"No, my message has been consistent: Dilbert should have local administrator rights to his machine just as Dexter from Dexter's Laboratory should."
I would only consider it in a small workgroup environment isolated from the main corporate domain network, and I'd still go with local Power Users group membership first.
If I attach that workgroup to the main domain network, then we've got a whole different story we've got to talk about (IMHO).
Anyhow, great debate! There really should be more of these types of threads in this forum to get people thinking about real world situations. It's a lot more interesting/fun talking about these issues as opposed to all the "I passed" and "anyone know of a good braindump/study aide for this test" posts that have been popping up on the board lately. Not that there is anything wrong with the "I passed" posts at all, it's just good to get the old brain working on technical discussions from time to time.
| chodan 2001-10-16, 2:20 pm |
He might have meant a "master debater"
hehe
| Cobby 2001-10-16, 11:47 pm |
Hey, I always go with the rule of thumb "make it as secure as you can and back it off to suit the users' individual needs".
Saves a lot more hassle than the reverse.
Best Regards - Jay