[funsec] Administrator Accounts
mattmurphy at kc.rr.com
Wed Feb 22 13:45:38 CST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Larry Seltzer wrote:
> I would assume that all, or nearly all enterprise Windows users are logging
> into a domain. This means that their rights are controlled through domain
> administration, and making the average user an administrator would be an
> insane thing to do.
> It also appears to me that UAC is a matter for local accounts, not domain
> accounts. So Vista, being a client OS, really can't address the problem.
Many users do log in over a domain. However, these "Domain Users" are
also members of the "Local Administrators" group. Vista removes this
power from applications that don't really need it.
Take, for example, the take-home notebooks of a certain Fortune 100.
Users of said notebooks currently log in as domain users using cached
credentials to authenticate. These users are also members of local
administrators group, meaning that they wield incredible destructive
power over their own take-home PCs but not much on the domain.
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://linuxbox.org/pipermail/funsec/attachments/20060222/855cca1e/smime-0001.bin
More information about the funsec