[funsec] Administrator Accounts

Matthew Murphy mattmurphy at kc.rr.com
Wed Feb 22 13:45:38 CST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Larry Seltzer wrote:
[...]
> I would assume that all, or nearly all enterprise Windows users are logging
> into a domain. This means that their rights are controlled through domain
> administration, and making the average user an administrator would be an
> insane thing to do. 
> 
> It also appears to me that UAC is a matter for local accounts, not domain
> accounts. So Vista, being a client OS, really can't address the problem.

Many users do log in over a domain.  However, these "Domain Users" are
also members of the "Local Administrators" group.  Vista removes this
power from applications that don't really need it.

Take, for example, the take-home notebooks of a certain Fortune 100.
Users of said notebooks currently log in as domain users using cached
credentials to authenticate.  These users are also members of local
administrators group, meaning that they wield incredible destructive
power over their own take-home PCs but not much on the domain.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFD/L9ifp4vUrVETTgRA9YOAKDNIzVETGCrNS+PzMau5kupdT1IcwCglPLT
SkShljTUazZszaRFBT8sesM=
=c8lw
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://linuxbox.org/pipermail/funsec/attachments/20060222/855cca1e/smime-0001.bin


More information about the funsec mailing list