I”m going to be posting a series of group policy objects that are especially useful for environments that are pulling administrative rights for their users… or at least waging the political battle of doing so! The truth is that users who are administrators on their local systems are a huge security risk to any environment. I won’t get deep into why… you should already know this and maybe it’s even keeping you up at night! I feel that Murphy’s Law especially applies to users… not that they have negative intentions, but they will absolutely catch bad things and bring them back into the environment if they have the capability. It just happens.
I think most administrators like the idea of pulling administrative rights, but usually hit a snag. Users need to be able to install printers, install controls on websites, change OS settings, install iTunes, etc. Let’s be honest… there is and always will be an excuse!
One school of thought is to just grant power user rights instead of administrative rights to users. This solves a lot of the common issues of having limited rights, but unfortunately, it gives up a lot of the security benefits of having a truly limited user account. With power user rights, users can install some applications that don’t modify OS settings, run non-certified or legacy applications, modify user/groups on the local system, and even stop/start some Windows services that aren’t enforced. With a bit of hacking around, users can get a lot more access than intended. Check out this article on Mark Russinovich’s blog for more info about what power users can actually pull off!
I prefer to keep users at the lowest level of rights possible. I know, I know. This creates more work for the admins, right? I mean, you’re going to have to go around and install printers, applications, install plugins, etc now, right? The answer: no! These specific rights can be granted almost exclusively through group policy, even to standard powerless users. What’s required? You’ll need an AD functional level of 2008 or greater. All of these special controls were introduced with Windows Vista/2008 was released. Using group policy, we can allow these settings.
So what about those users that need to print at home? That’s a great excuse to be a local admin! This is an easy one to solve with a simple Group Policy. You can allow users to install drivers for certain classes of devices, including printers, USB drives, etc. A full list of device classes used in Windows is available here. The group policy that you need to change is:
Local Computer Policy – Computer Configuration – Administrative Templates – System – Driver Installation – Allow non-Administrators to install drivers for these device setup classes.
To specifically allow printer driver installation, use the printer ClassGuid, {4d36e979-e325-11ce-bfc1-08002be10318}.
Do your standard users need to install certain applications, even as non-admins? Package that software in SCCM, and make it available on a per-user basis using the SCCM 2012 App Catalog. Users can request approval to install software, or it can just be made available on a non-approval basis. This truly regulates what users can install on their machine- you are the gatekeeper! If they want a certain application, approve it, package it, and make it available through the app catalog’s web interface.
There are several other group policies that you can put in place to grant rights to allow non-admins to effectively and efficiently do their job… all without opening the major security hole of being a local admin. I’ll definitely be posting more in the future. If there’s anything you’d like to see, be sure to leave a comment!