[Samba] Making users local administrators

Terry Austin terry at crownhardware.com
Thu Mar 21 09:28:57 MDT 2013


On 21 Mar 2013 at 8:14, Gerry Reno wrote:

> On 03/21/2013 05:29 AM, L.P.H. van Belle wrote:
> > DON'T DO IT !!
> >
> > This is the administrator's 1st rule !!
> > NEVER, but then NEVER give users Administrator/PowerUser rights.
> >
> > Do not give the users the ability to install software, wrong wrong...
> >
> > This is how trojans/viruses etc. come into your computer.
> >
> > and if you do give these rights,
> > Do not install Adobe Flash, Adobe Reader, Java. ( especially Java )
> >
> >
> > It's simple, without Admin rights on users, your pc is about 90% safer.
> > if you also remove flash java adobe, you are about 99,5% safe.
> >
> > If you have an application which needs extra rights.
> > Do it safely, how...
> >
> > 1 create a network group for this App.. example PHOTOSHOPRIGHTS
> >
> > Set in the registry, on the photoshop, the domain group to be able to write.
> > ( if needed, use a monitor tool to look which registry things need write access )
> >
> > Set on the folder ( c:\program files\Photoshop ) the domain group to write.
> >
> > Now you have a hole on the pc, but no trojan/virus is able to install itself.
> >
> > Good luck.  
> >
> > Louis
> >
> >
> 
> I would agree, Louis.
> 
> Giving out local admin rights is pretty much sysadmin suicide.
> 
Hasn't been yet, in 15 years of running a network that I built myself. I 
know the risks. Sometimes, bad things happen. They're not the end of the 
world. The stuff that needs to be protected is protected. That's why I need 
to give users *local* admin rights. The easy way would have been to make 
them all administrators, but I need them to *not* have domain admin rights 
for the very reasons you mention. If a particular machine gets toasted, it 
gets wiped and reinstalled. Takes a couple of hours, nothing that matters 
is lost, and everything is fine. Been there many times.

And we *can't* run our business without using certain software and web 
sites that were made by people who, let's be polite, made some design 
choices I wouldn't have made, that necessitate this.

Not everybody has the luxury of using purely technical criteria to decide 
what the "right" way to do things is.
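
The per-application group procedure in Louis's quoted message above, sketched in PowerShell as an added example that is not part of the original thread. The domain prefix `EXAMPLE` and the registry key path are assumed placeholders, and the helper function names are hypothetical; the group name and folder come from the message.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the thread.
# Run from an elevated session on the workstation.
$Group  = 'EXAMPLE\PHOTOSHOPRIGHTS'                  # group name from the message; domain EXAMPLE assumed
$AppDir = 'C:\Program Files\Photoshop'               # folder from the message
$RegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'  # assumed; use the key your monitoring shows being written

function Grant-AppFolderWrite {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify (not FullControl): members cannot change permissions or take ownership.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-AppRegistryWrite {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # ReadKey + WriteKey lets the app create subkeys and set values, nothing more.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-GroupAce {
    # Lists the ACEs held by the group so the grant can be reviewed afterwards.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'; Expression = {
                if ($_ -is [System.Security.AccessControl.RegistryAccessRule]) { $_.RegistryRights }
                else { $_.FileSystemRights } } }
}

foreach ($target in @($AppDir, $RegKey)) {
    if (-not (Test-Path -Path $target)) { Write-Warning "Missing: $target"; continue }
    if ($target -like 'HKLM:*') { Grant-AppRegistryWrite -Path $target -Identity $Group }
    else                        { Grant-AppFolderWrite   -Path $target -Identity $Group }
    Get-GroupAce -Path $target -Identity $Group | Format-Table -AutoSize
}
```

Members of the group can then modify files under the application folder, which is the "hole" the quoted message accepts in exchange for keeping users out of the local Administrators group.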

