
> True enough, but unlikely to be a significant risk. If you are concerned about it then it is much easier to have a separate AD account that only has local administrator on normal (non-admin) workstations and use that.

I strongly disagree. If an attacker gains access to a system as an admin user, that is a much larger problem than a non-admin user. Designing an environment as you suggested helps compartmentalize that, but it doesn't help the fact that a SAM database from one of those machines can potentially spell an almost company-wide compromise. Such a strategy gives far too much opportunity for lateral movement in case of a single compromised machine.

> It is trivial to block or even reroute DNS queries to unapproved servers at the firewall.

That's a good point.

> I disagree. Anti-virus software has negative value and always causes significantly more trouble than it is worth. Case in point, the very issue we're talking about.

Regardless of your feelings on antivirus (I'm ambivalent myself), I don't quite see how a potential abuse of antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges. You're cutting out the step where an attacker has to exploit an EoP vulnerability.

> This is a minor inconvenience at best, that's what imaging is for.

True, but if I can avoid the trouble by limiting user privileges, why not?

> If it were a nightmare, I'd have expected to see more issues arise from it throughout my career, but I've yet to see even one instance where a user having local admin has caused any significant trouble.

It's possible it may never be a problem in $arbitraryEnvironment, but that doesn't make it good security practice. I can imagine that in smaller environments, it may even be somewhat manageable.

There will probably be circumstances that create a need for local admin access as you described, but I don't think it should be the modus operandi.




> I strongly disagree. If an attacker gains access to a system as an admin user, that is a much larger problem than a non-admin user.

Not really. There's quite a lot you can do as a non-admin user too, you know. You can probe anything on the internal network that machine has access to and act as a relay for the attacker, for instance. Since the user does work for the company, they probably already have access to a lot of things the organization would rather not give out. Local admin gives you a few more options, but the difference isn't really worth special attention in my book.

> True, but if I can avoid the trouble by limiting user privileges, why not?

Because you're also causing a lot of friction for the users. Users do work too, you know; in aggregate, hopefully a lot more than sysadmins. Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.

> I don't quite see how a potential abuse of antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges.

It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.

"Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends. Every barrier you put between people and their ability to do work for the company is a cost that you have to justify against the cost of a compromise and the probability of said compromise actually occurring.

Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.


> Not really. There's quite a lot you can do as a non-admin user too, you know.

Yeah, of course. Otherwise ransomware would be much less prevalent than it is today. That said, there's quite a bit an admin user can do that a normal one cannot. I suppose we just disagree on how important the distinction is.

> Local admin gives you a few more options, but the difference isn't really worth special attention in my book.

And that's fine, but surely you can see why plenty of organizations feel that it is, right?

> Because you're also causing a lot of friction for the users... Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.

Well, I can only speak to my experiences, but given the technical knowledge of 90% of users on systems I support... it is definitely worth the cost.

> It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.

Touché. That said, in environments with antivirus requirements, for whatever reason, a user being able to remove such a program is a problem.

> "Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends.

The same could be said RE: antivirus. In many situations, protecting a user from running dangerous applications (e.g. a trojan delivered by a social engineering attack) is likely more important than a hypothetical escalation of privilege by a user who calls helpdesk every time their password expires.

> Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.

Hey, it sounds like we're in the same business! :) I agree, different environments = different requirements. But that doesn't make for good headlines, either.


> Well, I can only speak to my experiences, but given the technical knowledge of 90% of users on systems I support... it is definitely worth the cost.

Is this meant to mean they have high or low technical knowledge? Because we support some users with a decidedly low understanding of... well, everything really, and it hasn't been a problem. They still give help desk a lot of grief, but it's because they don't know that windows can be minimized and things like that. Accidentally installing malicious applications or other reasons you'd think of restricting them really just doesn't come up.


Well, there are two groups that worry me: those that don't know Windows can be minimized, and those who believe they're much better at using computers than they actually are. And honestly, the second group worries me more.

That group doesn't represent the majority of users by any means, of course.


Yeah, that makes sense. If I had to deal with a lot of that then workstation restrictions would probably be a lot more appealing.
