[Samba] Making users local administrators
terry at crownhardware.com
Thu Mar 21 09:28:57 MDT 2013
On 21 Mar 2013 at 8:14, Gerry Reno wrote:
> On 03/21/2013 05:29 AM, L.P.H. van Belle wrote:
> > DON'T DO IT!!
> > This is the Administrator's 1st rule!!
> > NEVER, but then NEVER give users Administrator/PowerUser rights.
> > Do not give the users the ability to install software, wrong wrong...
> > This is how trojans/viruses etc. come into your computer.
> > and if you do give these rights,
> > Do not install Adobe Flash, Adobe Reader, Java. ( especially Java )
> > It's simple, without Admin rights on users, your PC is about 90% safer.
> > if you also remove flash java adobe, you are about 99,5% safe.
> > If you have an application which needs extra rights.
> > Do it safe, how...
> > 1 create a network group for this App.. example PHOTOSHOPRIGHTS
> > Set in the registry, on the photoshop, the domain group to be able to write.
> > ( if needed, use a monitor tool to look which registry things need write access )
> > Set on the folder ( c:\program files\Photoshop ) the domain group to write.
> > Now you have a hole on the pc, but no trojan/virus is able to install itself.
> > Good luck.
> > Louis
> I would agree, Louis.
> Giving out local admin rights is pretty much sysadmin suicide.
Hasn't been yet, in 15 years of running a network that I built myself. I
know the risks. Sometimes, bad things happen. They're not the end of the
world. The stuff that needs to be protected is protected. That's why I need
to give users *local* admin rights. The easy way would have been to make
them all administrators, but I need them to *not* have domain admin rights
for the very reasons you mention. If a particular machine gets toasted, it
gets wiped and reinstalled. Takes a couple of hours, nothing that matters
is lost, and everything is fine. Been there many times.
And we *can't* run our business without using certain software and web
sites that were made by people who, let's be polite, made some design
choices I wouldn't have made, that necessitate this.
Not everybody has the luxury of using purely technical criteria to decide
what the "right" way to do things is.
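
Added example, not part of the original thread: the group-based alternative from Louis's quoted message (a domain group granted write access on one application's folder and registry key instead of local admin rights), sketched in PowerShell. The domain name `EXAMPLEDOM` and the registry path are placeholders; the thread names only the group `PHOTOSHOPRIGHTS` and the folder.

```powershell
# Added example. Run from an elevated PowerShell session on the workstation.
# Assumptions (not from the thread): domain name EXAMPLEDOM and the registry path.
# Replace both placeholders before running without -WhatIf.
function Grant-AppWriteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$RegistryKey
    )
    foreach ($path in $Folder, $RegistryKey) {
        if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }
    }

    # Folder: Modify (not FullControl, so members cannot change the ACL or owner),
    # inherited by subfolders and files.
    $fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $fsAcl = Get-Acl -LiteralPath $Folder
    $fsAcl.AddAccessRule($fsRule)
    if ($PSCmdlet.ShouldProcess($Folder, "Grant Modify to $Group")) {
        Set-Acl -LiteralPath $Folder -AclObject $fsAcl
    }

    # Registry key: read, set values and create subkeys, inherited by subkeys.
    $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $regAcl = Get-Acl -LiteralPath $RegistryKey
    $regAcl.AddAccessRule($regRule)
    if ($PSCmdlet.ShouldProcess($RegistryKey, "Grant write to $Group")) {
        Set-Acl -LiteralPath $RegistryKey -AclObject $regAcl
    }

    # Report what the group now holds on both objects.
    foreach ($path in $Folder, $RegistryKey) {
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object @{n='Path';e={$path}}, IdentityReference, *Rights, IsInherited
    }
}

Grant-AppWriteAccess -Group 'EXAMPLEDOM\PHOTOSHOPRIGHTS' `
    -Folder 'C:\Program Files\Photoshop' `
    -RegistryKey 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp' -WhatIf
```

Members of the group can then replace files under that folder, so the grant is best narrowed to the subfolders and keys a monitoring tool shows the application actually writes.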