Can this be stopped?

MrGuvernment

we have a router / firewall blah blah

One of our employees, who I just told don't f*** do this!! But I know he won't listen, or will sneak behind my back and do it anyway.


We have a Cisco 1700 and a range of IPs. Basically, so he doesn't go through our Cisco router, he simply assigns himself one of the outside IPs / subnet and everything, as if the Cisco wasn't there, and it works.......


Shouldn't the router stop this instead of simply letting the computer run past all security and onto the internet?

Anyone know how I can prevent this on the router side, so they HAVE to go through the router and use its designated IP?

A domain controller and proxy are something I want to do, but right now time constraints won't let me, so I need something I can do now router / network side to prevent him from doing this (I am trying to get the Cisco GUI working as this is all new to me).

He seemed clueless when I told him he has now just opened our ENTIRE network to the internet, and by default Server 2003 doesn't have the firewall on! And just yesterday he had asked me for a NIC card; now I know why!
 
So, you have a switch and a router and a range of public IP addresses? Is there no NAT setup on the router? Did he simply plug himself into the public switch with the second NIC? I guess I would need a little more idea of what your topology looks like before I could understand exactly what is going on and how to prevent him/her from doing what you are talking about.

 
You should (for many reasons) block your external WAN address as a source address on your LAN, and vice versa (block all the private IP ranges as a source address on your WAN side).

I am a bit confused as to how your router is set up, if you have an external firewall, DMZ or what's going on, but you can do something like this:

where 1.1.1.1 is your external network address (0.0.0.24 is a wildcard mask, not a subnet mask!):

access-list 101 deny ip 1.1.1.1 0.0.0.24 any
access-list 101 permit ip any any

where s0/0/0 is your WAN interface
int s0/0/0
ip access-group 101 in

Personally I think you should null route the guy (if you don't use the external address for other things)
(config)# ip route 1.1.1.1 255.255.255.255 Null0

You really need to check your NAT settings on your router though ... if properly setup, your problem shouldn't happen.

Read this article first: https://www2.sans.org/reading_room/...1.php?portal=08d51b2ab4d845401a108e18006ed526

It is late in the day and I may have done that above access-group backwards. Head hurt, time to go home.
 
If he assigns himself something outside the range he can definitely still make it work.
All DHCP does is give the computer an IP address, default gateway, subnet mask and DNS servers... automatically.
He can do this manually and it will still work. He isn't bypassing the router, because when the data goes out to the internet it has to go through the router; that's the purpose of the router.
Now, can you set up rules in the firewall to prevent this? Maybe. Is there a need? Not really; he is doing more work for himself and spending time doing stupid crap rather than working. In this case I would let his boss know he is spending valuable time playing with the damn PC.
Or you could always lock his account in Active Directory until he decides to play nice.
 
As others have said, the lowest effort solution is to not route (or drop packets for) connections initiated on the inside with outside source addresses, which is probably a good practice anyway.

You obviously aren't going to be able to educate this idiot, but you do need to cover your ass politically here:

1) Document your communication to him on dated, duplicated, company stationery.
2) In that document, explain the consequences of his actions
3) Retain that communication. When the day comes when your internal network is compromised, you'll still have a job, which is more than the idiot will be able to say.
4) Start sealing up the internal networks, and document that too.
 
we have a router / firewall blah blah

We have a Cisco 1700 and a range of IPs. Basically, so he doesn't go through our Cisco router, he simply assigns himself one of the outside IPs / subnet and everything, as if the Cisco wasn't there, and it works.......

If external IP addresses are functionally available to machines plugged into an internal switch, you (or your company) have completely and utterly flunked basic networking security. I shudder to think what your firewall config looks like.

Routers and firewalls are gateway/perimeter devices. You need to set them up with that basic networking principle in mind.
 
Sorry for the lack of details, but some awesome info!

It is:

T1 line----> modem / CSU thingy -----> cisco 1700 ----> switch -----> out to systems


He is just using the external info for another IP we have, and the Cisco is letting him get out.

So from that and what someone else said I need to:

add a rule on the internal interface that prevents all traffic unless it's in a specified range,


that range only being our internal assigned 10.*.* range. This will block any other IP, and this prevents a direct external address being used :)


Now to figure out how to get the Cisco system management software downloaded, because apparently this 1701 has it built in and crap!


So much to learn; the responses are much appreciated and are helping me get this all sorted out!


The person who was first in charge of the router didn't know much, and the person who was recently fired didn't know much either but claimed to, but I guess obviously didn't if they didn't bother doing this. It is only a T1, so it's not like they can use massive bandwidth for downloading or something!


The CEO knows about this. I have been with the company 7 years, and he knows what I am doing and is in total agreement and says I can do whatever it takes, and as soon as I can get a use policy in place he will enforce it, as he has often caught people slacking off. This is a pretty laid back company and our new office will only be 4 people, but it still gets abused, and the bandwidth will be needed as we host more external reporting for people.


If external IP addresses are functionally available to machines plugged into an internal switch, you (or your company) have completely and utterly flunked basic networking security. I shudder to think what your firewall config looks like.

Routers and firewalls are gateway/perimeter devices. You need to set them up with that basic networking principle in mind.
I agree completely, which is why I am trying to correct this all A.S.A.P. These are basic things I think about, which is why I am here now :) - I had told our former 2 guys about this little issue and they just never bothered to fix it (because they didn't know how but would never admit it, of course; now they wonder why they are gone).
 
I'm sorry, but when you refer to it as a "modem / CSU thingy", I begin to doubt the level of understanding of basic networking and security.

I don't think any of your equipment is at fault here. In fact, it more or less sounds like it's working how it was (mis-)designed to.

I think to prevent this easily is to make the host get all network info from DHCP, then in AD/Group Policy/login script (lock it down however you want), restrict users from changing their IPs.

Just my $0.02
 
I think to prevent this easily is to make the host get all network info from DHCP, then in AD/Group Policy/login script (lock it down however you want), restrict users from changing their IPs.

Yup...take away his keys to the car. An example of an end user who knows enough about PCs to be dangerous. Change local admin password of the PCs to something end users do not know. Don't let their domain account be a member of the local admin group. And drive down the inability to dork with major PC settings (such as network settings) through GP.
 
Why isn't this simply locked down in AD? It's locked down by default in any Domain using 2000 server and above.
 
Why isn't this simply locked down in AD? It's locked down by default in any Domain using 2000 server and above.


No it's not.
Users have the ability to change their IPs to static at will. Of course this behavior can be changed. But IMO there is no reason to; what if an issue arises where they need to change it manually? For testing?
He is still going through your router like I said earlier, though; all he is doing is wasting more time manually changing his info.
It's no different than DHCP sending him a different IP.
If you are going to lock it down, make sure you do the right range. You will need to do the entire subnet(s).
 
Why has no one pointed out that this jerk is obviously in the administrative group? He is able to change his own IP address. Why not reduce his administrative rights then go alter your router? Force him into the DHCP range, change any local machine administrator accounts, and access list the Cisco box to restrict based on your criteria.
 
In a real life environment you almost have to put the domain users group in the local admin group on the local computer. It causes too much administrative hassle not to: having them try to load software and get access denied, or go into the C drive and get access denied, or uninstall programs.
It's not feasible for an IT department not to make them members of the local admin group, at least if the IT department is striving for efficiency.
Which is why you need to be smarter and lock them out at a higher level, like an ACL rule or something of that nature.
 
In a real life environment you almost have to put the domain users group in the local admin group on the local computer. It causes too much administrative hassle not to: having them try to load software and get access denied, or go into the C drive and get access denied, or uninstall programs.
It's not feasible for an IT department not to make them members of the local admin group, at least if the IT department is striving for efficiency.
Which is why you need to be smarter and lock them out at a higher level, like an ACL rule or something of that nature.
Wrong, wrong and wrong.
You _NEVER_ put end users in the admin group. Never.
Group Policy was developed to address these needs. After all, if you're just going to make everyone an administrator, why even have AD or anything? Just let your users run rampant and install CRAP that they decide to download at work, since well, you probably have a bigger pipe at work than at home? Yeah, good call buddy! Glad I don't administer anything at your company. I can only imagine the mess there...

Have an admin group and put your HelpDesk/IT Admins into it, and no one else. Give those guys local admin privileges. If someone needs software installed now, you get to see it and also decide if it's actually work related and whether it will cause issues.
Have at least one end user group. I'm not sure what network drives you have mapped and such. But, giving people rights to certain areas is as simple as adding them to correct groups.

Also, it might be a good idea to have SMS running out there. See who else is doing what without you knowing. (I know, you said that you have 4 people? Still, what happens when that jumps to 400? Always plan ahead, and plan for the worst/biggest).

AD is where this one starts. ACLs won't buy you much of anything on the router, except headaches. They have their uses and their places, and this situation is not a good example of a place to use it.

Simple solution? Lock the user down from changing his IP.

Hard Solution? Go ahead and give ACLs a whirl. But, given that they're IP address based, I don't know how far that'll get you, since oh, right, he can change his IP address. BRILLIANT! :rolleyes:
 
AD is where this one starts. ACLs won't buy you much of anything on the router, except headaches. They have their uses and their places, and this situation is not a good example of a place to use it.

Simple solution? Lock the user down from changing his IP.

Hard Solution? Go ahead and give ACLs a whirl. But, given that they're IP address based, I don't know how far that'll get you, since oh, right, he can change his IP address. BRILLIANT! :rolleyes:

That's the server and OS-centric approach, and personally I wouldn't do it that way. The fundamental security and network topology issue is that no "internal" machine should be able to successfully USE an "external" IP address to communicate, not that the user can or cannot change their IP.

Basic networking and security principles involving a router and/or a firewall implies - demands - an external interface and an internal interface, on different networks. Something is fundamentally wrong with the way their Cisco 1700 router is configured, and it is that which needs to be addressed to solve this problem.
 
That's the server and OS-centric approach, and personally I wouldn't do it that way. The fundamental security and network topology issue is that no "internal" machine should be able to successfully USE an "external" IP address to communicate, not that the user can or cannot change their IP.

Basic networking and security principles involving a router and/or a firewall implies - demands - an external interface and an internal interface, on different networks. Something is fundamentally wrong with the way their Cisco 1700 router is configured, and it is that which needs to be addressed to solve this problem.

The issue is that the user 1) knows and 2) is CHANGING his IP address to the company's other external IP address. The router then acts based off of that IP address. This sounds like the router is doing its job as designed, based off of the other IP address.
That points more to the router doing its job correctly, and that the end-user should not have access to this other IP address. Nothing more, IMO.
Taking a look at the router's config might be worthwhile, but I don't have a clue what you'd be looking for that would be "wrong" there.
ACL? Nope, shouldn't be that.
NAT? Nope, sounds like that's working fine if implemented (other users getting out to net fine?)
Basic IP addresses must be OK, since (I'm assuming more here) that other users are not getting IP conflict messages.

I don't know what else you're looking for here? Since it's a 1700, not knowing which model (1720? 1750? 1760?), it's hard to say even what IOS he'll be running, again presuming he's up to the latest his hardware will support.

If you want this solved in 5 minutes, take away his rights from changing his IP address.
If you want to spend two days on it, look to make the router (somehow) work to block his PC from obtaining and using the other IP.

Edit: question to you. How do you then propose that this user not be able to use this external address on his machine?
 
now to figure out how to get the cisco system management software downloaded cause apparently this 1701 has it built in and crap
Just use Telnet.
I have (forget model # right now) a brand spanking new Cisco router... comes with a pretty nice GUI (not fan of command lines myself).
It works- however when you apply certain settings (like an ACL)- it is like it pulls all the old ones out, and then sticks the new ones in (which kills the connection). Telnet doesn't do this.
My suggestion is spend a little money and get a reference book. Pretty handy- has some scenarios, how to configure X, etc. Here it is at Amazon- probably find it cheaper somewhere else.


In a real life environment you almost have to put the domain users group in the local admin group on the local computer. It causes too much administrative hassle not to: having them try to load software and get access denied, or go into the C drive and get access denied, or uninstall programs.
It's not feasible for an IT department not to make them members of the local admin group, at least if the IT department is striving for efficiency.
Which is why you need to be smarter and lock them out at a higher level, like an ACL rule or something of that nature.
This is 100% correct.
As you said- HUGE administrative burden to babysit folks constantly. Most IT staff are busy enough as-is without needing to mess with this... I'm guessing it would increase workload by at least 40%. And I have never had any issues with someone having local Admin rights on their machine. Ever. As you mentioned- lock it out higher up- limits their workstation to pretty much a "standalone" mode.

They download a virus? Your AV you have installed *should* pick it up. Most of these are accidental.
They install crapware or other useless garbage? That's management's responsibility to monitor computer usage. Just like management monitors personal calls. IT can figure out what the user is doing- but management puts a stop to it. Unless in my case it is such a minor issue- I normally just check on this myself.
I personally make unannounced (when the user is gone) checkups on PCs. Run through and see what apps are installed.
Issue a warning for the "free screensaver" crap (not to download it), and they comply.


After all, if you're just going to make everyone an administrator, why even have AD or anything?
I'm guessing you don't have a ton of experience with Windows networking the way you throw the word "Administrator" around.

Being the Local Administrator and the domain's Administrator are two different things.
Local Administrators can work with their local machine. Change IP address, install programs, etc. They can't screw with someone else's machine.

"The" Administrator account in the domain has complete power over everything. Active Directory, Group Policy, and every single machine in the domain. This account has limitless power. Therein lies the huge difference.

Your suggestions would be correct- if it applied to the domain's Administrator. Nobody needs those rights, not even the IT person (use the Administrator account only when needed).

What foul does giving someone Local Administrator rights play? All I have found it does is increase Administrative burden, much more than preventing any problems.

ACLs wont buy you much of anything on the router, except headaches.
That's a pile of crap, right there.
You could solve this issue from the router alone- and guarantee it from happening on ANY machine- not just those joined to the domain... if you were to stop it at the router.


That points more to that the router is doing it's job correctly, and that the end-user should not have access to this other IP address.
So... how would you restrict access to this IP address then, if that is the issue?

Your solution is just restricting the ability to CHANGE it- not actually fix the problem at hand!

Once more- stopping it at the router is the only "true" way to stop it. Routers don't give a crap what machine with what policy in what domain is applied. They just stop it.




OP- What I would suggest is one of two things.
A) Stop that particular IP address.
B) Only allow traffic that is assigned by DHCP.

If you just own a couple of public IP addresses- A may be the most simple solution. Just specifically deny that IP address.
However if you want to kick it once and for all- just allow hosts on the subnet your DHCP is assigning.
If it is 10.10.10.X pool, only allow those IP addresses to get through the router.
 
Why isn't this simply locked down in AD? It's locked down by default in any Domain using 2000 server and above.

We aren't running a DC in the office, something we have never needed, but now something I am looking into more, to make my life easier.
 
Basic networking and security principles involving a router and/or a firewall implies - demands - an external interface and an internal interface, on different networks. Something is fundamentally wrong with the way their Cisco 1700 router is configured, and it is that which needs to be addressed to solve this problem.


That is what I am aiming to do to start; from there will come the AD/DC, and go from there.

T1s and basic networks, for me at least, are common sense things. I may not know the exact terms for T1 hardware, but I do know what should be done to keep a network secure; it was just never implemented, or when suggested it was just ignored, but now that I have control of it I get to do this properly, the way it should be done.


All the info in this thread is AWESOME! I never expected this many responses. I do have A LOT to learn and I am sure my "basic networking knowledge" is probably less than that of many of you, but over the next weeks, hopefully that shall be changing.
 
Router is spitting out DHCP for the network.
NAT does work; we have external sites that connect and no internal conflicts for IPs.


So, MrG's homework:

1. Buy cisco books from amazon
2. only allow 10.* range via router
3. Buy AD/DC books from amazon
4. finally implement an AD/DC to also account for future growth and use further permissions and rules to further secure the network



What did i miss?
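Turning option B from earlier in the thread ("only allow traffic that is assigned by DHCP") into a check, since the router is the DHCP server here: an added Python example, not code from the thread or from any poster, that compares a DHCP binding list against what the router sees on the inside interface and flags any host using an address DHCP never gave it. The input formats, addresses and MACs are constructed (simplified one-entry-per-line renderings, not real IOS output), and the 203.0.113.0/29 block stands in for the company's public addresses.

```python
"""Audit which inside hosts are using addresses the router's DHCP never
handed out.  Added example, not from the thread: the two tables below are
constructed, simplified renderings of a DHCP binding table and an ARP table
(one entry per line), not real IOS output."""
import ipaddress
from collections import namedtuple

Lease = namedtuple("Lease", "ip mac")
Seen = namedtuple("Seen", "ip mac iface")

# Constructed: what the router's DHCP server has leased (ip, MAC).
LEASES_TXT = """\
10.10.10.42   0011.2233.4455
10.10.10.43   0011.2233.4466
10.10.10.44   0011.2233.4477
"""

# Constructed: what the router actually sees on the inside interface.
# 0011.2233.4499 is a second NIC with a self-assigned public address, and
# 0011.2233.4466 has moved itself to a static address inside the pool.
ARP_TXT = """\
10.10.10.1     0011.2233.0001   FastEthernet0
10.10.10.42    0011.2233.4455   FastEthernet0
10.10.10.200   0011.2233.4466   FastEthernet0
10.10.10.44    0011.2233.4477   FastEthernet0
203.0.113.6    0011.2233.4499   FastEthernet0
"""


def parse_leases(text):
    """One 'ip mac' pair per line (constructed format)."""
    return [Lease(*line.split()[:2]) for line in text.splitlines() if line.strip()]


def parse_arp(text):
    """One 'ip mac interface' triple per line (constructed format)."""
    return [Seen(*line.split()[:3]) for line in text.splitlines() if line.strip()]


def audit(leases, seen, pool, public_block, gateway):
    """Return (ip, mac, reason) for every inside host whose address is not
    the one DHCP leased to that MAC.  Checks run in severity order: a host
    using one of our own public addresses is the case this thread is about."""
    leased_ip_for = {lease.mac: lease.ip for lease in leases}
    findings = []
    for host in seen:
        addr = ipaddress.ip_address(host.ip)
        if addr == gateway:
            continue  # the router's own inside interface, not a client
        if addr in public_block:
            findings.append((host.ip, host.mac, "inside host using one of our public addresses"))
        elif addr not in pool:
            findings.append((host.ip, host.mac, "address outside the DHCP pool network"))
        elif leased_ip_for.get(host.mac) != host.ip:
            findings.append((host.ip, host.mac, "address not leased to this MAC (static assignment?)"))
    return findings


def run_audit():
    """Run the audit over the constructed tables with assumed pool/gateway values."""
    return audit(
        parse_leases(LEASES_TXT),
        parse_arp(ARP_TXT),
        pool=ipaddress.ip_network("10.10.10.0/24"),          # assumed DHCP pool
        public_block=ipaddress.ip_network("203.0.113.0/29"),  # stands in for our public block
        gateway=ipaddress.ip_address("10.10.10.1"),          # assumed router LAN address
    )


if __name__ == "__main__":
    for ip, mac, reason in run_audit():
        print(f"{ip:15s} {mac}  {reason}")
```

The public-address check comes first on purpose: an inside host answering for one of the company's external addresses is the finding that matters most, and it should be reported even if someone later widens the pool definition. A host that is merely static inside the pool is a lesser finding, but it is exactly the kind of "I'll just set it myself" change that the DHCP-only rule is meant to make visible.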
 
Why has no one pointed out that this jerk is obviously in the administrative group

Uhm...I did above....you're rushing to post your thoughts without seeing if they've already been posted by others.
"Don't let their domain account be a member of the local admin group"
 
OP- What I would suggest is one of two things.
A) Stop that particular IP address.
B) Only allow traffic that is assigned by DHCP.

If you just own a couple of public IP addresses- A may be the most simple solution. Just specifically deny that IP address.
However if you want to kick it once and for all- just allow hosts on the subnet your DHCP is assigning.
If it is 10.10.10.X pool, only allow those IP addresses to get through the router.
So you want to tell the router to not allow any outbound traffic from that IP then, right?
To do that, the only thing I can imagine that you'd touch with that is an ACL, applied as an outbound ACL on the routers interface.
Though again, I don't see exactly how that's going to work.
You could try "access-list 101 deny ip host <source> any"
where <source> is the external IP address? Been a long while since I had to think about ACLs, I think I have the syntax correct. However, then you block ALL users on ALL stations/servers from using that IP address.

Other than an ACL, this lowly CCNA doesn't know how else to do it. Of course, other than taking away his ability to change it in the first place...

By the way, Mr. G., don't buy into Cisco's SDM (the GUI interface). It's quite frankly, a giant POS. I've given it a go probably about a half dozen times, and even bought a book specifically for the SDM, and it has some pretty serious limits.
Learning all the CLI commands is the surest way to go, especially when (if) you're trying to grasp the concepts.
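To make the ACL proposals in this thread concrete (the WAN-side deny of the external address, "only allow the 10.* range" on the inside interface, and the `access-list 101 deny ip host <source> any` idea just above), here is an added Python model of how a numbered extended ACL matches a source address: wildcard-mask comparison, first match wins, implicit deny at the end. It is not code from the thread or from Cisco; it matches on source address only (no protocol, destination or ports), the interface names FastEthernet0 and Serial0 are assumed, and the "public" addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges rather than anyone's real block.

```python
"""Toy evaluator for Cisco-style numbered extended ACL source matching.
Added example, not from the thread or from Cisco: models wildcard-mask
matching, first-match-wins and implicit deny so the ACL advice in this
thread can be compared on constructed packets."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    src: int       # source address as a 32-bit integer
    wildcard: int  # IOS wildcard mask: 1-bits are "don't care" (inverse of a subnet mask)

    def matches(self, addr: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF  # bits that must be equal
        return (addr & care) == (self.src & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip <src> any' lines, where <src> is
    'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (address plus wildcard)."""
    entries = []
    for line in lines:
        tok = line.split()
        action, rest = tok[2], tok[4:]
        if rest[0] == "any":
            src, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            src, wc = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            src = int(ipaddress.IPv4Address(rest[0]))
            wc = int(ipaddress.IPv4Address(rest[1]))
        entries.append(AclEntry(action, src, wc))
    return entries


def evaluate(entries, src_ip):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"


# 'Deny that one external address', with the permit that keeps everyone
# else working (203.0.113.5 is a constructed stand-in for the second public IP).
DENY_ONE_HOST = parse_acl([
    "access-list 101 deny ip host 203.0.113.5 any",
    "access-list 101 permit ip any any",
])

# 'Only allow the 10.* range', meant for 'ip access-group 110 in' on the
# inside (LAN) interface: the implicit deny drops every other source.
LAN_INBOUND = parse_acl([
    "access-list 110 permit ip 10.0.0.0 0.255.255.255 any",
])

# Anti-spoofing on the WAN side: private sources must never arrive from outside.
WAN_INBOUND = parse_acl([
    "access-list 120 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 120 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 120 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 120 permit ip any any",
])

# Router model: (interface, direction) -> ACL, as 'ip access-group' would bind it.
# Interface names are assumed for the example.
ROUTER = {
    ("FastEthernet0", "in"): LAN_INBOUND,
    ("Serial0", "in"): WAN_INBOUND,
}


def ingress_decision(router, iface, src_ip):
    """Decision for a packet arriving on `iface` ('permit' if no ACL is bound)."""
    acl = router.get((iface, "in"))
    return evaluate(acl, src_ip) if acl is not None else "permit"


def run_scenarios():
    """Constructed packets: a self-assigned public address on the LAN, a normal
    DHCP client, a forged private source from the WAN, and real Internet traffic."""
    return {
        "public_src_on_lan": ingress_decision(ROUTER, "FastEthernet0", "203.0.113.5"),
        "dhcp_client_on_lan": ingress_decision(ROUTER, "FastEthernet0", "10.10.10.42"),
        "forged_private_from_wan": ingress_decision(ROUTER, "Serial0", "10.1.2.3"),
        "internet_from_wan": ingress_decision(ROUTER, "Serial0", "198.51.100.7"),
        "deny_one_host_hit": evaluate(DENY_ONE_HOST, "203.0.113.5"),
        "deny_one_host_miss": evaluate(DENY_ONE_HOST, "203.0.113.6"),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:26s} -> {decision}")
```

Running it shows why the inside-interface ACL is the one that actually stops the self-assigned address: the packet with a public source arrives on the LAN interface, matches nothing in access-list 110 and falls through to the implicit deny, while the WAN-side anti-spoofing rules never see that packet at all. It also shows the caveat raised above about `deny ip host`: the single-host deny blocks that one address for every machine, and a user who picks a different spare address walks straight past it, which is what the range-based permit on the inside interface avoids.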
 
Sorry I have become confused here.

so....

you have no Domain Controller

what is your DHCP server?

Are these systems always going to be in your place of work, they are not laptops people take home etc?
 
you have no Domain Controller

what is your DHCP server?
Read:
router is spitting out DHCP for the network


1. Buy cisco books from amazon
2. only allow 10.* range via router
3. Buy AD/DC books from amazon
4. finally implement an AD/DC to also account for future growth and use further permissions and rules to further secure the network
#4 may not be a huge need- just depends if you see your company have growth (As my rule- any more than 10 computers- you should start looking at a DC).

Spend some time learning command line on the router.
Be sure to backup the configuration before you start tinkering.
Tinker when folks are gone... if you screw it up, just reboot the router (unless you copy the running config to startup config- it won't remember it if it reboots)- sets it to how it was before.
Worst case... you have a saved copy of the config.


So you want to tell the router to not allow any outbound traffic from that IP then, right?
However, then you block ALL users on ALL stations/servers from using that IP address.
This is what is lacking in info. Have no idea how these IP addresses are used- or I could actually comment on it further.


By the way, Mr. G., don't buy into Cisco's SDM (the GUI interface). It's quite frankly, a giant POS. I've given it a go probably about a half dozen times, and even bought a book specifically for the SDM, and it has some pretty serious limits.
Learning all the CLI commands is the surest way to go, especially when (if) you're trying to grasp the concepts.
I'd agree with this.
About the only thing I use it for is to "read" quickly what is doing what (organizes it pretty nice) and save configs to my computer.
But when you are actually modifying the router- it is a major pain.

If you are having to PAY for it (it didn't come with it), I'd not waste the money.
 
To the OP:

I'm sorry, but you are wholly and utterly unqualified to be administering this network.


To shade_star:

Putting users into the admin group in a domain environment is a massive failure of basic network administration no matter the environment.
 
No need to apologize, Kumquat. I know I lack a lot of knowledge, and I am sure what I do know does not come across well in forum posts; I am one who has trouble putting things into words, so I tend to use bad terminology. But also remember, I was not the one doing it before, so all of these problems weren't implemented or caused by me but by others who were too stubborn to ask for help and would just "wing it", which is why I wanted to get a new router that would allow easier access to it. I know what needs to be done; it is just learning how to do it with a Cisco 1700 that is my problem. I was even considering, if I could do it, just using the Cisco to open an IP and then running it right into a firewall (Juniper, ISA, WatchGuard or something) and doing all the limiting on the firewall side, basically only using the Cisco as a connection to the T1, but that seems a waste.

We do have the CEO, who travels often during the day with his laptop; that was the first issue I was thinking about if I set up a DC. We have 4 users and will have within the next 2 months at least 4-5 servers running from the office: 4 MySQL DBs, an HTTP server and a backup system.
 
Having them try to load software and get access denied or go into the c drive and get access denied or uninstall programs.

Odd, that's exactly the reason every company I've ever worked at has not had the users as Admins on the local machines. What kind of company do you work at (tech, manuf, edu, med?)
 
Read:
This is what is lacking in info. Have no idea how these IP addresses are used- or I could actually comment on it further.
Good point.
OP, why do you have two public IPs? Perhaps you can eliminate this VERY easily by dropping the 2nd one?
 
Just use local permissions and cut the user access down. It will solve all your problems and some that you don't yet even know you have.

one of my office buildings has just 1 computer... just 1 stand alone unit and even that has the access limited using gpedit.msc
 
Odd, that's exactly the reason every company I've ever worked at has not had the users as Admins on the local machines. What kind of company do you work at (tech, manuf, edu, med?)

I work for a fortune 500 company. Thousands of clients.
 
I work for a fortune 500 company. Thousands of clients.
You work for a Fortune 500 company with "thousands of clients" that allows all of their users to be administrators on their PCs?

Pathetic. This IT department should be ashamed of itself.
 
You work for a Fortune 500 company with "thousands of clients" that allows all of their users to be administrators on their PCs?

Pathetic. This IT department should be ashamed of itself.

See, I get confused by this attitude. Because all it takes is one badly written program to create an IT nightmare if the users are not admin of the local machine.

For example: The accounting program we use requires the user to have Admin access to the machine. The time entry program that ties into the accounting program also requires this. Under Windows XP I don't want to run around to everyone's computer every time they want to enter their time for the week or day.

Larger companies have more legacy programs than you can shake a stick at, that were originally written for Windows9x, and have been "upgraded" to work under Windows 2000 & XP. These programs still run with the idea that everyone has root access to their machines. Now what? Do you have an IT staff large enough to handle running around to every machine when someone needs to use one of these programs?

I used to work for a consulting company that contracted to Fortune 500 companies. I saw the crap they had when we tried to migrate to Windows NT 4.0 and 2000. I saw the issues with these programs. Putting the user as Admin for their machine was the only fix often times.

So again I say, do you have the staff to be able to run around to let people use these legacy programs that they need to use?
 
See, I get confused by this attitude. Because all it takes is one badly written program to create an IT nightmare if the users are not admin of the local machine.

For example: The accounting program we use requires the user to have Admin access to the machine. The time entry program that ties into the accounting program also requires this. Under Windows XP I don't want to run around to everyone's computer every time they want to enter their time for the week or day.

What accounting program is that? I've never seen a program that absolutely requires admin access to use. We have a few programs that need "special" permissions (such as write access to a directory or file) so we set up the initial prototype machine so that users have the specified access.

If your business is built around a program that "requires the user to have admin access" then the IT department failed anyway.

So again I say, do you have the staff to be able to run around to let people use these legacy programs that they need to use?

No, and we don't need it. We set the systems up the right way from the beginning. None of our 1000 users have admin access on their machine, and their workflow is fine, despite a myriad of legacy and external systems all over the organization.
 
Every time I see the thread title I want to yell "NO! IT'S UNSTOPPABLE!"
 
No, and we don't need it. We set the systems up the right way from the beginning. None of our 1000 users have admin access on their machine, and their workflow is fine, despite a myriad of legacy and external systems all over the organization.


You're quite fortunate. I work for a small/medium business and we're just one program away from getting everyone off as local admins. Unfortunately, that one program is one of our most important ones; thus half our users are still local admins on their computers.
 
You're quite fortunate. I work for a small/medium business and we're just one program away from getting everyone off as local admins. Unfortunately, that one program is one of our most important ones; thus half our users are still local admins on their computers.
We're not fortunate. We worked our butts off to make our systems work this way. We're serious about network security.

What's the "one program"?
 
No, and we don't need it. We set the systems up the right way from the beginning. None of our 1000 users have admin access on their machine, and their workflow is fine, despite a myriad of legacy and external systems all over the organization.
+1 here. 1600+ users on everything from thin clients to PCs. Considering some of the programs we run require DOS, I think we run some pretty old crap. Crappy as the program is, we still need to support it.
Who are all admins? 10 in total!
Oh, and the vast majority are on thin clients, so it'd be QUITE hard to give any access to a C: drive if we even had to.
 
I'll add that corrective action needs to be taken with this user. I suggest implementing some IT policies and have the users agree to them immediately if you have not already done so. This one person is single handedly compromising the mission of your organization, regardless of whether your router configuration is at fault. By all means, go fix it... but also fix the user who thinks he/she is god.

And I'll also comment on the whole user/administrator argument: I have worked in some of the largest and smallest environments in the world. The general security principle that most companies follow is to give the users the rights they need to do their job and little more.

Quite frankly, in a large organization you would be insane to allow all "Domain Users" administrative access to local machines. You've just created the potential for a spoofed user (or a ticked off user for that matter) to easily wipe out the entirety of your desktop force. How's that for an administrative nightmare? And what's worse? If "Domain Users" are members of the local Administrators group on all of your desktops, any user now has access to any file anywhere on any desktop. Congratulations, now your garbage man can read the CEO's local mail archive.

Legacy applications can be easily dealt with - if a select handful of your users need to access it, put them in a separate group that is a member of the local admin group or find out what registry keys and files the application is using and give them access to those specific areas. Better yet, just add their single account to the local administrators group of the machines they use. I used to do this all the time. Filemon and Regmon are great tools to have on your USB key.

I hate to sound all "end of the world" but people, especially administrators, need to understand that security is simply no laughing matter, especially in a large corporation.
 
To each their own I guess....
Making the users members of the local admin group and then modifying the GPOs to reflect a security policy is much easier than f'in around with local user groups.
But hey what do I know
 