changing from admin to lua

Discussion in 'other security issues & news' started by beethoven, Nov 30, 2008.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    One department in our business has been running all pc as admin accounts in the past. Nobody there really needs to be an admin and should only be able to use the installed software as is.
    What is the procedure to change them to limited users now? Are there any issues with doing that and would I do that via control panel/user accounts - setting up new user accounts and change the password on admin or is there a different/better procedure?
    Also, with respect to the currently installed software, should I expect any issues for the users when they log on in future?

    I am not concerned with what is installed now (I will check that carefully) but I want to prevent new software to be installed willy nilly or changes to be done by malware using the admin account.

    I also read on this thread something about other software that reduces rights of users - can someone please point me in the direction? Is this something else I should consider?
     
    beethoven, Nov 30, 2008
    #1
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    One easy method to lock down existing admin accounts would be to create Software Restriction Policies (SRP) and apply them to all users including admins: Using Software Restriction Policies to Protect Against Unauthorized Software. SRP can be toggled on/off easily. It would involve less setup time than downgrading or creating new users and then making sure their software environment continues to work as expected.

    Nick
     
    nick s, Nov 30, 2008
    #2
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Here are three wonderful links:

    http://www.mechbgon.com/build/Limited.html#setup
    http://www.mechbgon.com/srp/index.html
    http://www.mechbgon.com/build/router.html
     
    ParadigmShift, Nov 30, 2008
    #3
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    If this has been done for a longer period, I suggest that you and your colleagues even schedule for formating and reinstall the OS during a low-activity period, i.e. if this is possible. Creating new restricted accounts should preferably be done on a new and clean system. Check the used applications on one system first for confirmation that it works, before applying to the rest. If there are some problematic applications, locate the registry keys/files and change the permissions.

    If you simply want to prevent new software from been installed, then you could easily apply SRP as nick_s suggested.

    /C.
     
    Cerxes, Nov 30, 2008
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...