System lock down for users on a business network.

Tech249 (n00b, joined Sep 17, 2011, 46 messages)
Does anyone do anything besides removing them from the local admin group?

Business network with a Windows AD controller. Just researching some options for clients that have some tech-savvy users who need a bit of protection but maybe shouldn't be completely stripped of admin rights for program installs/updates.
 
What do you want to block or lock down?

Removing local admin rights is #1; then grant access as it is needed.
 
Proper stratification of GPOs, group memberships, locations and OUs controls access. This is not something to which a blanket solution can be applied. It is heavily dependent on the particular AD's needs and conditions.

One thing I have run across before, especially on ADs set up by less than savvy admins, is setups where there are cross permissions via groups. A user has admin priv, even though he is not a member of any admin groups. Dig deeper and that user is a member of a group that is a member of a group that is a member of an admin group. Sounds crazy, but I have seen it more than once.
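The nested-membership problem described in the reply above is easy to audit. The script below is an added example, not code from the thread or from any of the products mentioned in it: it walks a privileged group's members recursively and reports every user who ends up in that group through a chain of nested groups, printing the chain. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the domain; the list of groups in `$privileged` is a placeholder to adjust for your domain.

```powershell
# Added example: find users who inherit admin rights through nested groups.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-NestedMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [string[]] $Chain = @()   # groups walked so far, top group first
    )
    # AD allows circular nesting (A in B, B in A); stop if we are already
    # on this group in the current path rather than recursing forever.
    if ($Chain -contains $GroupName) { return }
    $path = $Chain + $GroupName

    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, carrying the chain along.
            Get-NestedMembers -GroupName $m.SamAccountName -Chain $path
        }
        elseif ($m.objectClass -eq 'user') {
            # Emit one finding per user reached on this path.
            [pscustomobject]@{
                User  = $m.SamAccountName
                Depth = $path.Count - 1          # 0 = direct member
                Chain = ($path + $m.SamAccountName) -join ' -> '
            }
        }
    }
}

# Placeholder list of privileged groups to audit; change for your domain.
$privileged = 'Domain Admins', 'Administrators', 'Enterprise Admins'
$findings = foreach ($g in $privileged) { Get-NestedMembers -GroupName $g }

# Direct members (Depth 0) are expected. Anything deeper was granted admin
# through a group chain and deserves a second look.
$findings | Where-Object Depth -gt 0 | Sort-Object Depth -Descending |
    Format-Table User, Depth, Chain -AutoSize
```

Because the cycle check only looks at the current path, a user reachable by two different chains is reported twice, once per chain, which is what you want when deciding which membership to remove. `Get-ADGroupMember -Recursive` gives the same set of users in one call but drops the chain, so it is fine for a quick count and less useful for cleanup.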
 
Limiting/opening up installs for users is most easily done by simply giving local admin to specific users on a case-by-case basis. This prevents any unintended access from being given out at a domain level. If they toss their machine, they get in line for a fix. Most savvy users run like this fine for years without issue.

Using GPO, you can create policies to allow for software installations etc.
 
The absolute easiest way to do this, if you want to allow users to install specific programs, is to use Desktop Authority Management Suite.

It used to be by Scriptlogic and called Privilege Authority, but alas, Dell bought them out.

http://www.quest.com/desktop-authority-management-suite/

You can give users elevated privileges to specific programs.

There is another way that I have been working on/off, but it is definitely not ready for release, as it currently has to be compiled for each executable that is to be elevated.
 
I give regular users power user status, and local admin for CAD users.
Then I have a written and signed policy that installing any unapproved software will result in termination of employment.
I then keep a repository of approved software on the server, and they are only allowed to install it from there.
I often block the download of any kind of executable file or installer at the firewall except from sources I white-list: Windows Update for WSUS, Adobe update, QuickBooks update, and Java update.
 