Local Admin Frustration
I work at a company that is IT focused and has only been around for less than two years. We have been building the IT infrastructure and policies as we go, like building an airplane while flying it. Early on we had a lot of requests for Local Admin rights on machines because people said they needed it to do their jobs. It's gotten a bit out of hand and now most of the company has Local Admin rights and it's caused some problems.
How do you all suggest handling requests for Local Admin rights? Most of the need is to install programs on their own. Is there a superuser type account that may be better for this?
I would love to hear some opinions on this.
Thanks
How do you all suggest handling requests for Local Admin rights? Most of the need is to install programs on their own. Is there a superuser type account that may be better for this?
I would love to hear some opinions on this.
Thanks
Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
In Progress: Not sure...
In Progress: Not sure...
Comments
-
JasminLandry Member Posts: 601 ■■■□□□□□□□It depends on their role, but I wouldn't let them install anything by their selves. I would have them make a request to the help desk or to whoever to have the right person witht he right access do it for them.
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□First thing's first: Write a new policy for this. Otherwise telling people "no" will have no real meaning. In terms of handling the software piece, you could create an internal repository of approved / vetted software, and allow people to download and install from that repository without local admin privileges. All other requests would need an approved exception from multiple layers of management - and even then, approved software would be installed by a member of the technical staff.
After the new policy is written and put in place, it might be a good idea to conduct an audit of local admin privileges. As you know, this could cause serious problems down the road if left to fester on its own. -
ScrawnyRonnie Member Posts: 112When I started at my current job I was told to set up users as local administrators. I haven't asked why it is this way, but it's probably the same reasons as yours. The problem I come across is people installing random programs (not work related) and their PCs are getting infected. I'd rather get a call requesting approval to install a program instead of having to clean up their mess, but I'm not the decision maker.
-
gc8dc95 Member Posts: 206 ■■□□□□□□□□Need to get a policy in place and some kind of application management. I give very few people admin rights.
-
dimeified Member Posts: 13 ■□□□□□□□□□let them do whatever the F they want. the more rope you give them to hang themselves, the better your job security, and the satisfaction of saying "I told you so." Just be sure your stance is clear so they don't blame you later for "allowing" them to force you to give everyone local admin.
-
JasminLandry Member Posts: 601 ■■■□□□□□□□let them do whatever the F they want. the more rope you give them to hang themselves, the better your job security, and the satisfaction of saying "I told you so." Just be sure your stance is clear so they don't blame you later for "allowing" them to force you to give everyone local admin.
I have to disagree with this one. What if they install a program in it infects their PC that then goes throughout the network and infects one of the critical servers. The blame is not going to be on the person who installed the program or who asked for the admin rights, it will be on the IT people who should've protected the server better or who should've not given this person local admin rights. -
tstrip007 Member Posts: 308 ■■■■□□□□□□let them do whatever the F they want. the more rope you give them to hang themselves, the better your job security, and the satisfaction of saying "I told you so." Just be sure your stance is clear so they don't blame you later for "allowing" them to force you to give everyone local admin.
This does not work at my company. Always get "why were they allowed to in the first place". and I say "Told you they would install whatever and fit would hit the shan". "Well ahhhh well they shoudn't been able to, no matter what we say". Its a lose/lose situation here.
btw its easy to spot the download happy people. They have like 6+ toolbars in their browser. -
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□let them do whatever the F they want. the more rope you give them to hang themselves, the better your job security, and the satisfaction of saying "I told you so." Just be sure your stance is clear so they don't blame you later for "allowing" them to force you to give everyone local admin.
That's a very immature and unprofessional way to go about it if you use that type of communication.
You need to make your case in a more professional manner. Write a new policy that explain the risks and business impact of installing unauthorized software (virus & malware issues, legalities regarding licensing, loss of company data and employee productivity, lack documentation about what software was on the machine and used by that employee, ect). Create a repository of all business related software and create an approval process for upgrades and new software. Sit down with your manager and explain why it necessary and a common business practice to implement such a policy.2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
emerald_octane Member Posts: 613unfortunately this wouldn't work in my org (tech focused company). Half are devs who would scream for bloody murder if they didn't have them. Lets put it this way, given the culture, i'm lucky I have admin rights, and I provisioned the machines!
-
dimeified Member Posts: 13 ■□□□□□□□□□That's a very immature and unprofessional way to go about it if you use that type of communication.
You need to make your case in a more professional manner. Write a new policy that explain the risks and business impact of installing unauthorized software (virus & malware issues, legalities regarding licensing, loss of company data and employee productivity, lack documentation about what software was on the machine and used by that employee, ect). Create a repository of all business related software and create an approval process for upgrades and new software. Sit down with your manager and explain why it necessary and a common business practice to implement such a policy.
Sure, but in some places, the boss wants what the boss wants, your damned if you do, damned if you don't. People and especially upper management feel the need to dictate, rather than act on advise from the experts they hire. All the fact pointing, concern, reports, and genuine enthusiasm is mute on def ears if your management is stubborn. -
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□the more rope you give them to hang themselves, the better your job security, and the satisfaction of saying "I told you so."
If you make a strong case to the best of your professional ability and advising them it goes against your professional recommendation and they still reject it then you need to live with it. If you cannot live with it then start updating the resume because the network isn't "Yours" and you dont own it even though you may be responsible for it. At no point should you tell your boss "I told you so" - that is the fast lane to getting fired.2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
RouteMyPacket Member Posts: 1,104Start with defining an AUP (Acceptable Use Policy) in which everyone will sign. Then you enforce it via SCCM and publish apps for users to install anytime they like. I think you can also set it up so that it scans machines to ensure they remain in policy (don't remember the terms exactly) such as having AV, Sophos bla bla. I think it can also remove any applications that have been installed that aren't approved?
I'd ask the MS geeks in detail on this one. At least I think SCCM has some functions like this?Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it?