
Windows folder administrator rights


badcode

Programmer
Aug 7, 2002
I have a vendor who wants us to grant administrator rights to the c:\windows folder on each of our workstations. I do not want to do this but I do not have a good reason to tell them so. If anyone has an explanation as to why or if there is a Microsoft link to point me to to explain why
 
Easy answer..."No".

If they ask why or throw a fit tell them it is due to security policies that you have in place. Then have them thoroughly explain why they feel that this level of access is necessary.

No matter what happens, whether it be an employee or vendor, remember the systems belong to the company. You and the rest of the "Technology" staff are in charge of safeguarding the systems and data integrity. This means that you have the right, and responsibility, to step up and say "No" where you feel it is not in the best interest of your security.

This gives you the right to tell Vendors, and to a much lesser degree, staff that something isn't allowed because you say so. They may not like it, they may scream but (for vendors this holds to be completely true) you hold the final say (not always the case with staff but you can try).
 
I am sympathetic to all of member aquias's explanation of putting one's foot down on vendors.

But I am a little curious. If your users have Administrator class logons, it is trivial for them to have full access to %windir% and any subfolder.

I do not see why formalizing this creates a security breach that is not already there.

Or, am I missing something here?
 
Hrm...good point Bill. I go a bit overboard on vendors and security from past experiences...:p
 
Well the fact that they are asking for administrator rights would lead me to believe that most users do not have administrator rights on the PCs...

I think aquias is right, if some of your own employees are not able to be granted administrator rights, why should someone from outside of your company have them? That is a huge security issue.

However, the bigger question is, why do they need administrator rights? That would be the bigger thought in my mind.

Computer/Network Technician
CCNA
 
Sorry, I read the post differently, and still do.
If you use NTFS permissions to give full control to the local Administrator Group on %windir%, it does nothing to help a limited user logon.

So, the next leap -- they are not logging on as limited users.

It is possible that what they need to install is device drivers, and/or a service. You can use secpol.msc to add the local Administrators, or Users, or Power Users or whatever Group you may like to have these ACE privileges without requiring access to the %windir% (albeit you may need to grant similar level permissions on key registry values).

I guess my feeling is:

. if you are not using limited users, there is no security issue for you. You are well past worrying about security.
. as member aquias stated, you have every right to ask exactly what folders, drives, registry entries, services and device drivers this application intends to install. What permission levels are required, and why. And whether vendor support requires any special permissions or remote access.

Best regards to all,
Bill Castner


 
Currently each user has limited access to their local drive and to network resources. The vendor is requesting that full rights be provided to the users to the %windir% folder. For what I don't know other than they claim that their application will not run correctly. I wish to tell them "No!" but I need more than "It's a security Issue"
 
It would seem to me "It's a security issue" would be sufficient.

There should be a middle ground. Perhaps there is only one folder they need to create. As Admin, create the folder, and grant the permissions and extend to child objects only that folder.
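
The middle ground suggested in the last reply, as an added example that is not part of the original thread: an administrator creates one subfolder, grants the local Users group rights on it that inherit to child objects only, and then compares what Users can do on %windir% itself. The folder name `VendorApp` is a hypothetical placeholder, and Modify (rather than Full Control) is an assumption about what the application needs.

```powershell
# Run from an elevated PowerShell prompt.
# 'VendorApp' is a hypothetical placeholder; use the folder the vendor actually names.
$target = Join-Path $env:windir 'VendorApp'

# Create the folder as an administrator, so limited users never need rights on %windir% itself.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# BUILTIN\Users by well-known SID, so the script does not depend on localized group names.
$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

# Allow Modify on this folder, inherited by subfolders (ContainerInherit)
# and files (ObjectInherit). Nothing above $target is changed.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $target
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $target -AclObject $acl

# Verification: list the Allow entries for Users on %windir% and on the new folder,
# and flag whether each entry includes any write-type right.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($path in $env:windir, $target) {
    (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $users.Value -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Path';     e = { $path } },
                      FileSystemRights, InheritanceFlags, IsInherited,
                      @{ n = 'CanWrite'; e = { ([int]$_.FileSystemRights -band $writeMask) -ne 0 } }
}
```

If the application still fails with this in place, the rows where `CanWrite` is false show which location it is trying to write to outside the granted folder, which is the specific detail to take back to the vendor.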
 