Is it normal to give ‘users’ administrator access to their company PC

permissions

I have a user who wants to be a administrator of his work PC, he's made some story up about how he can't work without it so I'm told to "fix it" (as if it is a fault he's logged on as a user!).

My IT co-workers and I don't login as administrators due to viruses/malware getting a foot hold and setting themselves up as servers to distribute an attack (yes this happened in the past).

What is the 'norm' for your network users and how do you handle requests for administrator access?

Thanks

Best Answer

We currently have three levels of support for the users:

Full support. The users only have basic access and a standard set of applications
Limited support. We do central patching of the OS and supply applications. The user has root access.
No support. We supply the user with an internet connection. The user takes responsibility for the computer, including software and patching. We monitor the network for issues, and cut off the user if there is a problem.

This way the users can choose what they want and we minimize the impact, both for IT staff and for users. We have found that the users can be trusted to choose an appropriate level of support. I have a feeling that locking down users by default is very costly in the term of productivity.

Related Solutions

Ssh – CopSSH SFTP — limit users access to their home directory only

create group 'SSH Users' in computer management
Add group to gpedit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally (see Can't login to Cygwin sshd server with a non-administrator user account)
run gpupdate
Add ftpuser to group SSH Users
Append details in /etc/sshd_config:
```
Subsystem sftp internal-sftp

Match User ftpuser
    ChrootDirectory /home/ftpuser
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
(the keywords on the lines following the Match directive apply only to the user ftpuserand override those set in the global section of the config file, until either another Match line or the end of the file.)
Activate ftpuser user through copSSH wizard
Delete all .ssh .bashprofile files/folders under ftpuser folder
Set SvcCOPSSH user to root id 0
```
SvcCOPSSH:unused_by_nt/2000/xp:**0**:545:U...
```
(see http://www.itefix.no/i2/node/11956)
Might need to do the following as well in copSSH 'UNIX BASH Shell'
```
cd /
chown SvcCOPSSH /
chmod 0755 /
```
restart openssh service

Linux – How to give write permissions to multiple users

You can change the group of the files:

groupadd webusers
usermod -aG webusers the_user_name
chgrp -R webusers the_directory
chmod g+s the_directory

If this is a RedHat based distribution you can use setfacl to do this without a group and set it to happen by default:

setfacl -R -m user:the_username:rwx directory_name
setfacl -d -R -m user:the_username:rwx directory_name

Best Answer

Related Solutions

Ssh – CopSSH SFTP — limit users access to their home directory only

Linux – How to give write permissions to multiple users

Related Topic