Grant local admin rights or not
We're currently migrating to a new desktop (win 7) with a new backend (win 2K8 r2). One of our discussions is about to grant user local admin rights to their own desktops or not. According to Microsoft: "As a security best practice, it is recommended that you do not log on to your computer with administrative credentials". However, we do want users to be able to install their own software on their laptops. One way would be to use UAC, however after a little search 8 out of 10 exploits worked around UAC. So I was thinking about implementing a kind of hybrid local admin functionality. So don't let the user be local admin with their domain account, but add an account with local admin privileges which they only could you use to install some software (shift - right click => run as different user). My main concern to not letting be local admin with their main account would be security on the network. What is Microsoft's advice on this and how to other companies handle this? Can you set up an account in such way that it can not log on to the desktop but still can be used in the 'run as different user' option?
March 26th, 2012 10:20am

This question is legal one in the coming BYOD trend. My view of security is based on two simplified aspects: 1. What is the cost of infrastructure and knowledge that the company (institution) owns and what is the impact of its leak. 2. From the network administrator it is the aspect of system and data recovery. If the admin access wins, then make good recovery plan, do audit and prepare the network rules that managemet accepts as company "law". Regards Milos
Free Windows Admin Tool Kit Click here and download it now
March 27th, 2012 3:16pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics