> I strongly disagree. If an attacker gains access to a system as an admin user, that is a much larger problem than a non-admin user.
Not really. There's quite a lot you can do as a non-admin user too you know. You can probe anything on the internal network that machine has access to and act as a relay for the attacker, for instance. Since the user does work for the company, they probably already have access to a lot of things the organization would rather not give out. Local admin gives you a few more options, but the difference isn't really worth special attention in my book.
> True, but if I can avoid the trouble by limiting user privileges, why not?
Because you're also causing a lot of friction for the users. Users do work too you know, in aggregate hopefully a lot more than sysadmins. Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.
> I don't quite see how a potential abuse of an antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges.
It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.
"Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends. Every barrier you put between people and their ability to do work for the company is a cost that you have to justify against the cost of a compromise and the probability of said compromise actually occurring.
Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.
> Not really. There's quite a lot you can do as a non-admin user too you know.
Yeah, of course. Otherwise ransomware would be much less prevalent than it is today. That said, there's quite a bit an admin user can do that a normal one cannot. I suppose we just disagree on how important the distinction is.
> Local admin gives you a few more options, but the difference isn't really worth special attention in my book.
And that's fine, but surely you can see why plenty of organizations feel that it is, right?
> Because you're also causing a lot of friction for the users...Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.
Well I can only speak to my experiences, but given the technical knowledge of 90% users on systems I support...it is definitely worth the cost.
> It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.
Touché. That said, in environments with antivirus requirements, for whatever reason, a user being able to remove such a program is a problem.
> "Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends.
The same could be said RE: antivirus. In many situations, protecting a user from running dangerous applications (e.g. a trojan delivered by a social engineering attack) is likely more important than a hypothetical escalation of privilege by a user who calls helpdesk every time their password expires.
> Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.
Hey, it sounds like we're in the same business! :) I agree, different environments = different requirements. But that doesn't make for good headlines, either.
> Well I can only speak to my experiences, but given the technical knowledge of 90% users on systems I support...it is definitely worth the cost.
Is this meant to mean they have high or low technical knowledge? Because we support some users with a decidedly low understanding of... well, everything really, and it hasn't been a problem. They still give help desk a lot of grief, but it's because they don't know that windows can be minimized and things like that. Accidentally installing malicious applications or other reasons you'd think of restricting them really just doesn't come up.
Well, there are two groups that worry me: those that don't know Windows can be minimized, and those who believe they're much better at using computers than they actually are. And honestly, the second group worries me more.
That group doesn't represent the majority of users by any means, of course.
Not really. There's quite a lot you can do as a non-admin user too you know. You can probe anything on the internal network that machine has access to and act as a relay for the attacker, for instance. Since the user does work for the company, they probably already have access to a lot of things the organization would rather not give out. Local admin gives you a few more options, but the difference isn't really worth special attention in my book.
> True, but if I can avoid the trouble by limiting user privileges, why not?
Because you're also causing a lot of friction for the users. Users do work too you know, in aggregate hopefully a lot more than sysadmins. Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.
> I don't quite see how a potential abuse of an antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges.
It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.
"Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends. Every barrier you put between people and their ability to do work for the company is a cost that you have to justify against the cost of a compromise and the probability of said compromise actually occurring.
Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.