| Author | Messages | |
omar
Posts:97
 | | 01/14/2010 8:20 PM |
| 1. What comes first, the chicken or the egg?
2. Can members of the local administrators group be restricted from installing new applications?
The 1st question I already know the answer- the chicken of course- unless something else laid the 1st egg.
But the 2nd question leaves me scratching my head because this I believe is still most difficult to implement.
What I know is that I can block Windows Installer and ActiveX installations and maybe even restrict access to Add/Remove Programs or named executables like setup.exe and install.exe or even *.msi. I could even lock down permissions to create folders on the root of C, Program Files, \windows, \windows\system32- but none of these are surefire methods.
Anyone know of a way to implement a quick fix to stop new installations without dumping users' local admin group membership?
I know that we can find the apps that need local admin- and grant the file/folder/registry/ local security rights to make the apps work and then remove the users group local admins but I need something I can do faster - to give us a breather to hunt down those apps and put the longer term fix in (removing from local admins) later.
Also- local admin- why you may ask? Bulk of users are remote/home office users running corporate notebooks- and they need to install printers/get on networks and such and client has very low IT staff incapable of supporting every change on a remote user's machine.
Any info would be most appreciated- thanks,
Omar Droubi
| | | |
| AndrewMcHale
Posts:0
 | | 01/15/2010 10:13 AM |
| Hi Omar,
1a. Alligators/Crocodiles were laying eggs long before chickens came about!
1b. If we are talking in particular about an egg containing a chicken, then I still have to say the egg, as I believe the first creature to lay an egg containing a chicken, was the predecessor to the chicken which would have been very much like a chicken but not quite there.
2. BeyondTrust do a free product which lets you evaluate which programs a user uses which require admin rights. If that evaluation is going to take you too long then they do a (not free) product called Privilege Manager which works a lot like UAC. It makes local admins a standard user until they need admin rights, and then it asks them if they want to proceed and elevates them to local admin for that one task, as well as emailing the domain admins so you can see what people are asking admin rights for so you can make a list/monitor.
It is priced on a 'per seat' basis and can be purchased per OU rather than per domain, meaning if you can put all your users with local admin rights in an OU then you can limit your spend.
Hope this helps
Andrew
| | | |
| mpietrzak
Posts:28
 | | 01/15/2010 3:20 PM |
| Sorry, seeing this email late. If someone is interested in BeyondTrust, PLEASE, first look at Privilege Guard from Avecto. http://www.avecto.com/
The product is easier to use, has more features and was about half the price.
Michael San Diego State University
| | | |
| omar
Posts:97
 | | 01/15/2010 3:46 PM |
| Thanks Andrew that is very helpful.
omar
| | | |