Vista running in a Domain

Hi Guys

Merry Christmas to all.

We are in the process of planning implementing Vista OS into our Windows 2003 Domain.

I would like to take advantage of the UAC benefits and attempt to prevent users installing "rubbish" on their computers. With XP we added "domain users" into the local admin group on the workstations. I would like to avoid this if possible with vista.

During my initial testing, removing the domain users from this group has prevented logon due to domain users not be in the "allow log on locally" policy.

Just interested on what methods others have used to attempt to keep the Vista computers secure. I would love to get to the point that "standard users/domain users" cannot get pass the UAC prompt for credentials, using the domain user id's. i.e Domain admins are needed to enter credentials if users need to install software or perfom admin tasks

look forward to replies

Stephen

Find more posts tagged with

Comments

nel

i would love to have a crack at your answer but our workplace isnt upgrading for the forseable short term future

iowatech

I implemented a few Vista Ultimates into the network, and to be honest they come secure enough out the box almost to secure from a remote help desk standpoint. Haven't really looked into a way to prompt credintials to be entered when the UAC comes up though, we just haven't had the need is all.

Other than a couple minor issues I'm impressed that Vista plays as nice as it does on a domain.

dynamik

I'd really start experimenting with group policy. They've really expanded on it a lot. You'll probably find much of the functionality you're looking for with that. Unfortunately, it looks like you are going to need Server 2008 to take advantage of that: http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true

sprkymrk

Why were you adding Domain Users to local admins?

Sorry for being nosey.

SWM

Sorry for being nosey

Thats OK

Most XP computers I come across at numerous organisations have "Domain users group" in the XP local Administrator group. I.e the Domain user has full conrol of the XP computer.

I am wanting to avoid this with Vista

CoryS

You know sadly that seems to be the standard pretty much everywhere I have been. Instead of dealing with setting it up in a "secure" fashion the norm is to give them the keys and if (when) they break it, send helpdesk. This policy has kept many a helpdesk person in a job I presume. Just my 3 cents.

famosbrown

SWM wrote:

Sorry for being nosey

Thats OK

Most XP computers I come across at numerous organisations have "Domain users group" in the XP local Administrator group. I.e the Domain user has full conrol of the XP computer.

I am wanting to avoid this with Vista

I've never been in an environment where all users were given Local Admin rights...especially using Restricted Groups through GPO. By default, they should be able to log in interactively onto the Windows XP domain computer. The only time I recommend giving users Local Admin is if they either wine enough to get someone above me to approve it, or two, they actually need it...for instance a dev, QA, Test Box, etc, and usually these are are standalones, or on isolated networks. Otherwise, I will find out exactly what permissions/rights are needed, and grant them specifically what they need to do their job. I even avoid the Power Users Group. Software that goes through the Windows Logo Program shouldn't have problems running with a regular User account anyway. Giving users Local Admin just opens up a lot of possiblities for something going wrong, wasted support, downtime, etc. To me, it's the easy way out for lazy I.T. Professionals, Desktop Support, or whoever is responsible for making that decision.

Just my QUICK 2 cents about it...trust me...I could go ON!!!

sprkymrk

famosbrown wrote:

SWM wrote:

Sorry for being nosey

Thats OK

Most XP computers I come across at numerous organisations have "Domain users group" in the XP local Administrator group. I.e the Domain user has full conrol of the XP computer.

I am wanting to avoid this with Vista

I've never been in an environment where all users were given Local Admin rights...especially using Restricted Groups through GPO. By default, they should be able to log in interactively onto the Windows XP domain computer. The only time I recommend giving users Local Admin is if they either wine enough to get someone above me to approve it, or two, they actually need it...for instance a dev, QA, Test Box, etc, and usually these are are standalones, or on isolated networks. Otherwise, I will find out exactly what permissions/rights are needed, and grant them specifically what they need to do their job. I even avoid the Power Users Group. Software that goes through the Windows Logo Program shouldn't have problems running with a regular User account anyway. Giving users Local Admin just opens up a lot of possiblities for something going wrong, wasted support, downtime, etc. To me, it's the easy way out for lazy I.T. Professionals, Desktop Support, or whoever is responsible for making that decision.

Just my QUICK 2 cents about it...trust me...I could go ON!!!

+1, no make that +2.

That means everyone can access everyone else's personal documents. If everyone is an admin on everyone's computer their is no access control unless EVERYTHING is on servers.

Marphyre

Gotta agree with the last couple of posters - there should be very few times that a user should be a local admin on a computer (I only have 1 where this is the case other than myself, and that's the CEO, because he had to have the ability to install stuff when he wanted to). Before I came on board here, everyone was a local admin, but I quickly put a stop to that. My first couple of months here there were a bunch of spyware/viruses/whatever getting around, making everyone a regular user put a stop to all of that - I've had one piece of spyware to get rid of since making the change, and no viruses (network of 165 workstations and ~30 laptops, just me in IT). If a program isn't getting along without admin rights, usually you can find the files that it uses and just give them modify rights to those files and the program will be happy. Granted I have to install printer drivers for them, but I'd rather spend 5-10 minutes getting a couple of printers working than 1-2 hours removing spyware/viruses and assessing damage.

And eh, I could go on too

Users aren't happy getting privileges taken away, but in my experience they get over it

SWM

I guess I should explain more about my client base. I work for a business that supports small businesses with staff from 5-100 people.

None of these businesses have dedicated IT people. They call for help when required. I think I have only come accross one site where domin users was not in the local admin group. i.e I find it to be the norm.

Most of these businesses do not want to call us when they add a printer or want to install a new app.

I am trying to put a line in the sand with Vista and break the "have full rights and I will fix it later routine"
Have other Admins been

they should be able to log in interactively onto the Windows XP domain computer

just utilising the Visa interactive settings as well.

Would like to know what other people have been doing with Vista security

Thanks for the replies.

nel

ive worked in an environment where everyone had local admin rights. reason being that there production software (which is the core of the business and makes the $$$) would not work unless the user had admin rights to the pc.

Thiassi

nel wrote:

ive worked in an environment where everyone had local admin rights. reason being that there production software (which is the core of the business and makes the $$$) would not work unless the user had admin rights to the pc.

Unfortunately, it's the exact same at my place of work too.

snadam

Thiassi wrote:

nel wrote:

ive worked in an environment where everyone had local admin rights. reason being that there production software (which is the core of the business and makes the $$$) would not work unless the user had admin rights to the pc.

Unfortunately, it's the exact same at my place of work too.

make it 3...but we are working on hardening the groups rights/permissions...so far so good.

im curious if you're willing to give us the app's name?

RobertKaucher

Thiassi wrote:

nel wrote:

ive worked in an environment where everyone had local admin rights. reason being that there production software (which is the core of the business and makes the $$$) would not work unless the user had admin rights to the pc.

Unfortunately, it's the exact same at my place of work too.

You can actually avoid this by finding out which registry keys the app needs access to and change the permissions on those keys only. This will mitigate the risk of making the users local administrators. Of course you would need to test this before you went live with it. But I would bet this would work. You should also be able to set the permissions via a group policy in most cases.

1. Find the registry keys and test on one machine.
2. Modify local settings on a few more tolerant individuals' machines.

If that all goes well...

3. apply a security template via a GPO removing users from the local admins group.
4. Apply the GPO giving access to the required registry keys.

Four "easy" steps and a big security vulnerability is closed up on your domain!