@scottalanmiller said in Re-evaluating Local Administrative User Rights:

@nadnerB said in Re-evaluating Local Administrative User Rights:

@Obsolesce said in Re-evaluating Local Administrative User Rights:

If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

An ounce of prevention is better than a pound of cure.

Policies are only good if they followed, HR & management are only good if they have the balls to do something.
Chances are that a rogue actor won't care about policies or HR.

More importantly, normal end users are not trained to understand what they are doing in most cases. Ignore malicious actors, we are talking about good, well meaning people that HR has vetted. They still don't understand what "installing" means, they can't identify safe sources, they don't have the diligence to do package maintenance, they don't know overarching IT strategies, they don't control licensing or often even have awareness of it.

I like to remind people of this:

@Obsolesce said in Re-evaluating Local Administrative User Rights:

@nadnerB said in Re-evaluating Local Administrative User Rights:

@Obsolesce said in Re-evaluating Local Administrative User Rights:

@nadnerB said in Re-evaluating Local Administrative User Rights:

I'd say that most malware wants to write something to the local PC.

Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.

This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

I read that over 90% of ransomware, for example, does not require local admin rights...

Yeah, the miscreants are getting smarter.

@Obsolesce said in Re-evaluating Local Administrative User Rights:

I can understand an ALL-or-NOTHING approach, but this really is pretty much impossible. All-or-nothing as in 100% of company with zero local administrative user access on all devices.... not even exceptions or not even for a limited amount of time.

It doesn't have to be.
Power users, accounts with local admin right for specific users... it depends on how you/yur business want to skin the cat.

@Dashrender said in Re-evaluating Local Administrative User Rights:

@nadnerB said in Re-evaluating Local Administrative User Rights:

@Obsolesce said in Re-evaluating Local Administrative User Rights:

If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

An ounce of prevention is better than a pound of cure.

Policies are only good if they followed, HR & management are only good if they have the balls to do something.
Chances are that a rogue actor won't care about policies or HR.

Right - but IT shouldn't be doing anything that HR and management aren't standing behind them on.

I know I hate this thinking/logic as much as most of the next IT pros, but if you really think about it, IT is an extension of the business - it really needs to allow/not allow only the things the business specifically cares about. Getting in the way of the rest just because "we know better" is not a reason to do it.

I have to remind myself of this on a near daily basis.

Example - we had users logging into Chrome on shared computers. This really bothered me because they never logged out before walking away. I rolled out a policy on those computers forcing them all into incognito mode, which prevented their ability to log in - of course it also changed the display to black and huge letters of incognito mode... I did inform all the users of the change, but still got push back.

Then one of the stake holders told me - remind me to tell you to not install a rollcage in my car - when I told him why the change was done. basically, he was telling me it wasn't my place to protect him because that was not an onus he or the other stakeholders put on me. He was right of course, and I instantly removed the incognito mode.

Always do what your boss wants, sure.
In my case, we've given our security requirements from further up the food chain, so our management don't have a choice in the matter.

@Obsolesce said in Re-evaluating Local Administrative User Rights:

@nadnerB said in Re-evaluating Local Administrative User Rights:

I'd say that most malware wants to write something to the local PC.

Right, but there are a lot of places on the PC you can write to that does not require local administrative privileges.

This is true, but that leaves very few places to write to. Chiefly, the users profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

@Obsolesce said in Re-evaluating Local Administrative User Rights:

If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

An ounce of prevention is better than a pound of cure.

Policies are only good if they followed, HR & management are only good if they have the balls to do something.
Chances are that a rogue actor won't care about policies or HR.

@Obsolesce said in Re-evaluating Local Administrative User Rights:

It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth. And, from a security perspective, doens't really seem like any more of a factor one way over the other.

The sacle of security vs convenience is a hard one to get right.
This is where having a software library for sanctioned applications (not part of the SOE) can be held so users can install themselves. For example, the SCCM Software Center.

Yeah, there's going to be some initial pain with certain functions not being available but this is where SOME things can be done by members of the Power Users group.

@Obsolesce said in Re-evaluating Local Administrative User Rights:

If the concern is about malware, well, most malware is just as dangerous in the non-admin user space anyways. Also, the AV should pick up that type of malware / bad apps anyways. Other stuff woudl run in the user space where local admin wouln't matter.

Security is multifaceted and Admin rights is merely one facet.
A/V is another but you can't do without it just because you have no local admins.

A/V isn't 100%, just as removing admin rights isn't a 100% effective security measure but together they make a really good combo.

Granted not all malware needs rights to run, especially if it just sits in RAM and is returning info to a C&C server but I'd say that most malware wants to write something to the local PC. Having removed admin rights, you have defeated something that the A/V vendor doesn't yet have a signature for.

@scottalanmiller said in What Are You Doing Right Now:

@coliver said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Had my car towed illegal tonight. Was properly parked and a towing company just came and took it. Argh.

Time to go carless.

This definitely goes in my "why to be carless" bucket. I've been thinking that all night.

Yes, less car, more tank.

@siringo said in What Are You Doing Right Now:

@nadnerB said in What Are You Doing Right Now:

@siringo said in What Are You Doing Right Now:

hmmm.
post on another forum about a trip to the doctor.
advert for doctor in the suburb where my ISP supplied IP address tracks to, shows up in FB
read post on another forum about a bloke who's just put in a concrete floor for a new shed he's building.
advert for concreter shows up on FB.
this is getting out of hand.
am I being stupid if I begin to look for a secure browser?

uBlock Origin, and a PiHole (https://mangolassi.it/tags/pi-hole) work wonders.
Also, logging out of BookFace when you're not using it is also good.

Thanks mate, I'll check that out.

How's the heat going??

Almost lost my eye brows when I've been out... but for the most part, I'm cheating by staying in my air conditioned office.
We have hit 42 so far, and had the mobile network go a bit wobbly for a while. Evidently it's not handling the heat from the last few days well.