Local administrator rights - best practice

    General discussion

  • In the IT department where I work we have a quite heavy discussion going on around local administrator rights. The question is whether the people in the IT department should have local admin rights on their accounts, or whether they should have a log off / log on procedure whenever they would need local admin rights to perform a specific task.

    The ones most concerned about security state that the risk of users having local admin rights is too big, and that this risk is so big that we cannot even trust people in the IT department enough to let them have local admin rights. On the other side, the other half is arguing that it would make it almost impossible for them to do their job if they have to log off and log in again every time they would need local admin rights.

    Both sides also argue that their opinion is according to best practice, and what everyone else does. It's up to me to settle the discussion, but since I do not have that broad an experience, I would be very interested in information on what other companies do.

    Thursday, August 05, 2010 7:36 PM

All replies

  • Buster,

    First of all - you need to understand that there is a difference between "Local Admin" and "Domain Admin".  A person who is the administrator of just their own computer is seen by some as a security risk (though I will tell you that many companies are allowing local administrative rights; before because of XP's limitations for non-admins, but increasingly now because Windows 7 is such a solid and secure platform.  Even when you're an administrator, you're not really an administrator until you need to do something administrative.)

    The question you pose (and maybe this is what you mean) might also be: Should my people regularly log-in with accounts that are members of the Domain Admins (or some other administratively enabled) security group?  And there are two answers to this (as you've already learned).

    1. Absolutely not.  They should log-in with a special account to a server or a client (or running MMC in the context of a different user) for the sake of doing anything administrative.

    2. Sure.  Go ahead.  In this situation, you've got A) a lot of trust in your people, and B) PROPER AUDITING AND CHANGE CONTROL IN PLACE TO SEE WHO IT IS THAT MADE A CHANGE, AS WELL AS THE ABILITY TO ROLL CHANGES BACK.  With proper auditing, you will always be able to track who made what change, rather than sharing a common shared admin account that they all know (and that might be shared with others.  They're less likely to share it if it's their own account!)  And a good change-control system means that changes can be rolled back.

    I'm curious to see: What are the rest of you doing with this?  And what tools (if any) are you using to assist with good change management in an Active Directory environment?

    Thanks for the great question,

    -Kevin

    PS: Loved your movies.  Where have you been? :)


    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    Thursday, August 05, 2010 11:49 PM
  • Hi Kevin, thanks for your reply. Indeed, I am not a technician, and not familiar with all the different tools and methods out there. However I am aware of the distinction between Local admin and Domain admin. It was probably a bit unclear, but the question was actually related to Local admin rights. Let me try to explain the situation a bit more:

    In the last 6 months we have done two changes related to user account rights:

    1. End users have lost their Local admin rights.

    2. IT staff have been given individual user accounts with domain admin rights. These accounts are to be used whenever they need to log on to the servers or the clients of other users to do administrative things.

    3. IT staff still have their regular user accounts with Local admin rights for their client.

    The heated debate is now whether we also should find solutions that disable the Local admin rights for the IT staff user accounts or not. The side that is in favour of removing the rights argues that people cannot be trusted, and even if they could, it is still a major security risk to the whole domain. In addition they claim that it is rarely necessary to have these rights to be able to perform the daily tasks.

    The other side argues that this will hinder them in doing their job. They say they often need to have local admin rights to perform their jobs, and the examples they give are software installations, testing software updates, bypassing the proxy for different reasons etc.

    Since I do not have the technical background I am not able to make a qualified decision on this matter, and that's why I would like to have the experience of others. I might also add that we are a small team, and we are not able to distinguish rights based on responsibility.

    Nice to hear we are sharing an interest in Buster's films!

    Regards, "Buster"

    Friday, August 06, 2010 5:30 PM
  • Personally, my opinion is that you let EVERYONE have local admin rights on their workstations (provided you have solid AV and monitoring in place, as well as a good re-image deployment solution in case you need to re-build computers in a pinch), but of course you know your organization better than I do. 

    For your IT people, I'd say you allow them local admin rights.  Sure, they may get themselves into trouble on their own systems, but that risk is (in my opinion) worth it if they are able to do more learning and testing, which results in better, more informed professionals. 

    Again, I'd love to know what other readers of and contributors to this forum think.  What should "Buster" do here?

    Kevin


    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    Friday, August 06, 2010 5:35 PM
  • Funny, my opinion is the opposite. No one (not even admins) should have local admin rights other than under specific circumstances. An example is a program that has to be installed under the account that will use it and doesn't support client/server.

    Our domain is locked down and the GPO will not allow any domain member (other than admins) to install anything. Our firewall software on workstations will not allow any new programs to run without IT first adding it to the exceptions list (we use Sophos End Point Security).

    It's a mix of not trusting the average end user and not having the resources to fix or re-image every time someone messes up the computer. We depend on knowing what is on any given computer to allow just 2 of us to support 100+ users.
    Regards,
    Hank Arnold
    Microsoft MVP
    Windows Server - Directory Services
    http://it.toolbox.com/blogs/personal-pc-assistant/

    On 8/6/2010 1:35 PM, Kevin Remde [MSFT] wrote:

    Personally, my opinion is that you let EVERYONE have local admin rights on their workstations (provided you have solid AV and monitoring in place, as well as a good re-image deployment solution in case you need to re-build computers in a pinch), but of course you know your organization better than I do.

    For your IT people, I'd say you allow them local admin rights.  Sure, they may get themselves into trouble on their own systems, but that risk is (in my opinion) worth it if they are able to do more learning and testing, which results in better, more informed professionals.

    Again, I'd love to know what other readers of and contributors to this forum think.  What should "Buster" do here?

    Kevin


    Regards, Hank Arnold (MVP - DS)
    Monday, August 09, 2010 8:35 AM
  • The one thing no IT guy should be doing is to log-on as a Domain Admin at an untrusted desktop. Such logons should only be used at server consoles, or on IT-department desktops. Reason is that doing so allows any malware on the desktop unrestricted control over every server in the domain. Alarmingly, this is an extremely common practice, and is even sometimes done when investigating possible malware incidents.

    As for local admin rights, the key issue with trying to install software without is that each change of logon (or use of RunAs) defaults all of the software's settings, making testing of the software a truly aggravating -and sometimes near impossible- process.

    An alternative to limited-user working which we're looking at is the use of software restriction policies. The advantage is that these can be activated or deactivated without the need to close all apps, and without causing the reversion of software settings to defaults.

    Wednesday, August 11, 2010 12:36 PM
  • VERY good points, Anteaus.  And on XP that is a big problem.

    Better news is that on Windows Vista and now Windows 7 you're not running as an admin, even when you're logged in as an admin.

    "Huh?"

    I'll say it again.  On Windows Vista and now Windows 7 you're not running as an admin, even when you're logged in as an admin.  That's one of the main things User Account Control (UAC) is all about.  It's why you're prompted to verify "are you sure you meant to do this" even when you're an administrator.  If something malicious or programmatic is attempting to do something it shouldn't, you are asked about it.

    It's not foolproof.  If you (like so many) have been trained to just click OK or whatever it looks like will get you past any notification quickly, you can allow some bad things to happen.  So you have to make sure you read every unexpected dialog box or UAC prompt asking for permission. 

    Another foolish move is to disable UAC notifications and to allow the elevation to happen automatically.  Just don't do it, people.

    -Kevin


    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    Wednesday, August 11, 2010 1:00 PM
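As an added example that is not part of the thread: a PowerShell audit of the two things Kevin's post hinges on, the UAC policy values (including the "elevate without prompting" setting he warns against) and who actually sits in the local Administrators group. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and is run from an elevated prompt so the effective policy key is readable.

```powershell
# Added example, not code from the thread. Audits UAC policy values and local admin
# membership on the machine it runs on. Assumes PowerShell 5.1+ on Windows, run elevated.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey -ErrorAction Stop
$findings = @()

# EnableLUA = 0 switches UAC off: an admin logon then runs with the full token all the time.
if ($uac.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled, admins always run with the full token.'
}

# ConsentPromptBehaviorAdmin: 0 = elevate silently (the setting Kevin says never to use),
# 2 = always prompt for consent on the secure desktop, 5 = prompt only for non-Windows
# binaries (the Windows 7 default). Anything else deserves a look.
switch ($uac.ConsentPromptBehaviorAdmin) {
    0       { $findings += 'ConsentPromptBehaviorAdmin is 0: elevation happens with no prompt at all.' }
    2       { }
    5       { }
    default { $findings += "ConsentPromptBehaviorAdmin is $($uac.ConsentPromptBehaviorAdmin): review this value." }
}

# PromptOnSecureDesktop = 0 draws the prompt on the normal desktop, where other software can interact with it.
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: UAC prompts are not isolated on the secure desktop.'
}

# The thread's actual question: who holds local admin on this box, and from where (local or domain)?
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

"UAC findings on $($env:COMPUTERNAME):"
if ($findings.Count -eq 0) { '  none: UAC is on, prompting, and using the secure desktop.' }
else { $findings | ForEach-Object { "  $_" } }

"`nLocal Administrators members:"
$admins | Format-Table -AutoSize

# Baseline to enforce centrally via Group Policy (Security Options), expressed as the
# registry values it writes:  EnableLUA = 1, ConsentPromptBehaviorAdmin = 2 (or 5),
# PromptOnSecureDesktop = 1.
```

Running it across the IT team's workstations (for example via Invoke-Command) gives the evidence both sides of the debate are arguing without: which accounts are local admins and whether elevation on those machines still prompts.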
  • The hidden main question is:

    "Trust and control" or "Distrust and prohibition"?

    My point of view reaches Kevin's one:

    "That risk [Trust and control] is  worth it if they are able to do more learning and testing, which results in better, more informed professionals."

    Friday, October 26, 2012 2:23 PM
  • If you are referring to IT guys, they should have different accounts for admin purposes and for normal user purposes. You will also need to get your IT governance together. I will also suggest that you let them sign a non-disclosure agreement (NDA), and arrange for the environment to be audited maybe once a year by an external company (there are also tools like sekchek that can give you a brief breakdown of your security and other important stuff).


    Tuesday, February 19, 2013 8:36 AM