Access Denied: Discouraging Administrators from Unnecessarily Using Their Privileges

We know that using administrator authority to access end-user applications risks increasing the damage should administrators inadvertently execute malicious software, such as malignant Microsoft Word macros or harmful client-side scripting in Web pages. So, each of our administrators has one account that provides standard user access and another account that belongs to the necessary administrator groups. Our policy requires administrators to use their unprivileged account to log on to their workstation and to run most applications. For tasks that require administrator access, administrators are supposed to use the Runas command. However, some administrators don't comply with this policy, instead logging on and using their administrator account for everything. Can we enforce our policy through Windows?

You can use file permissions to deny administrators access to programs such as Word, Microsoft Excel, and Microsoft Internet Explorer (IE). Administrators can regain access to the programs, but using file permissions can at least make doing so inconvenient for uncooperative administrators and prevent accidental use of the programs by administrators who simply forget to use their unprivileged account. To automate the process of applying those permissions and frustrate administrators' attempts to remove them, use Group Policy.

Create a new Group Policy Object (GPO) linked to an organizational unit (OU) that will apply the GPO to all administrators' workstations. Edit the GPO and navigate to Computer Configuration\Windows Settings\Security Settings\File System. Create a policy for each executable you want to block administrators from running. Give typical end users Read and Execute permissions, but deny Full Control to administrators, as Web Figure 2 (, InstantDoc ID 41575) shows.

Whenever users log on, Windows refreshes these permissions on application files just in case an uncooperative administrator tampered with the permissions. You can increase the frequency with which Windows refreshes these permissions by modifying a few Group Policy settings. In the GPO, navigate to Computer Configuration\Administrative Templates\System\Group Policy, as Figure 2 shows. Disable Turn off background refresh of Group Policy so that Windows can apply Group Policy periodically even while users are logged on.

Then, double-click the Group Policy refresh interval for computers setting to control how frequently Windows refreshes policies. This setting requires two values, both in minutes. First, you define the refresh interval, then you define the maximum value of a random offset that Windows computes each time it refreshes Group Policy. Windows adds the random offset to the refresh interval to prevent all computers from simultaneously requesting refreshes. The default for these values is a refresh interval of 90 minutes and a maximum offset of 30 minutes, which means that Group Policy will be refreshed every 1.5 to 2 hours.

One more setting you should enable is Security policy processing. Clear the Do not apply during periodic background processing check box and select the Process even if the Group Policy objects have not changed check box, as Web Figure 3 shows. These two settings are essential for guaranteeing that permissions are refreshed regularly even when users are logged on or when your GPO hasn't been modified since it was last applied.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.