

Windows Security Best Practices

What you and your company should know about account rights!

Administrative groups and accounts are for administrative purposes, such as installing software, making system-wide changes, upgrades, and other maintenance tasks that require higher privileges. Users should not have more rights than they need to do their jobs. Anti-virus vendors won't tell you this, but by removing unneeded rights you can cut your infection rate by up to 95% and even beyond. This also cuts down on spyware/malware infections and total cost of ownership.

Microsoft knows this to be true as well. A useful idea/tool is the Drop-My-Rights shortcut maker, which launches a chosen program with reduced privileges even when the logged-on user is an administrator. There is also a good article on the subject worth reading.



User Groups and User Rights

Giving (most) users Administrator rights is a death sentence

Improper user rights are one of the biggest security holes in 98% of the LANs we've been called in to audit, and family and friends in the IT field report the same. Users are allowed to be administrators of their machines when they should not be. Microsoft's default behaviour is to add the user who set up the PC to the Administrators group automatically, without asking. This should not be so, but it is. The Administrator account and group exist for administration purposes only, not for day-to-day activities.

A virus, or any other program for that matter, runs in the security context of the user who launched it. If your users are logged in as administrators of their machines, a virus or any other program they run also runs with those privileges.

The ILOVEYOU virus (aka LoveBug or LoveLetter) came out in 2000 and was one of the most devastating viruses to circulate in years (well, back then). Users and corporations that followed best practices were hit much less than those that did not. More recently, MyDoom and Sobig are also viruses whose damage is mitigated when users are placed in the "Users" or "Guests" groups instead of Administrators. Again, administrative accounts and groups are for administration only, not for day-to-day activities.



Viruses and spyware aren't the only threats to your users and PCs

Yes, long before viruses were so efficient, there were users, and users are still a danger to themselves and others, especially if they have even a rudimentary knowledge of computers. If your PCs share the same local Administrator password and your users are local admins, the local admin password is as good as theirs already: there are plenty of tools that let a local administrator dump the machine's SAM database and recover any stored or cached account credentials on the PC. Worse yet, if your users belong to a domain group, and that domain group has been added to the local Administrators group, then every user in that domain group is effectively an administrator of ALL machines where the group is nested in Administrators. Such users could dump other users' SAM databases, or connect to their PCs through the management console or regedit and do basically anything they want!
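The audit a defender would want here, covering both the accounts Windows adds to Administrators by default and the domain groups nested into it, as an added PowerShell example that is not from the original page. It uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 and Server 2016 or later; the names in $ExpectedAdmins are placeholders to replace with your own administrative accounts.

```powershell
# Added example (not from the original page): audit the local Administrators
# group for members that should be ordinary users. Requires the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+) and
# an elevated session. The names in $ExpectedAdmins are placeholders.
param(
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins'),
    [switch]$Fix   # report only unless -Fix is given
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this audit from an elevated session.'
}

$findings = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = $m.Name.Split('\')[-1]            # strip the COMPUTER\ or DOMAIN\ prefix
    if ($short -in $ExpectedAdmins) { continue }
    $reason = $null
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # Every member of a nested domain group is a local admin on this machine.
        $reason = 'domain group nested in Administrators'
    } elseif ($m.ObjectClass -eq 'User') {
        $reason = 'day-to-day account holds local admin rights'
    }
    if ($reason) {
        [pscustomobject]@{ Member = $m.Name; Type = $m.ObjectClass
                           Source = $m.PrincipalSource; Finding = $reason }
    }
}

if (-not $findings) { Write-Output 'Administrators contains only expected members.'; return }
$findings | Format-Table -AutoSize

if ($Fix) {
    $users = (Get-LocalGroupMember -Group 'Users').Name
    foreach ($f in $findings) {
        if ($f.Member -eq $identity.Name) {
            Write-Warning "Skipping $($f.Member): it is the account running this audit."
            continue
        }
        # Demote: drop from Administrators, keep the principal in Users so it
        # retains ordinary interactive logon rights.
        Remove-LocalGroupMember -Group 'Administrators' -Member $f.Member
        if ($f.Member -notin $users) { Add-LocalGroupMember -Group 'Users' -Member $f.Member }
        Write-Output "Moved $($f.Member) from Administrators to Users."
    }
}
```

Run it without -Fix first and review the report; pushing the script out through a software-deployment or logon mechanism turns it into a recurring check rather than a one-off.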

If a user has admin privileges, they can install key-logging software or a fake GINA (a replacement for the Windows logon DLL) to grab a domain admin's password. There are clever users out there: having installed a fake GINA or key logger, all one has to do is get an admin to type their password on the keyboard. It's easy to get an admin to log on to your machine to see whether they can tell what's wrong with it, when in fact nothing is wrong with the PC; you've just got one of the admins to give you the password they use, because you captured it with a key logger. The password is captured in plain text, so there is nothing to crack, and the user who "ONLY" had local admin rights now likely has Domain Admin rights. Good job!

In addition to key loggers, there are many unapproved programs that IT admins would not want on their users' PCs, such as P2P programs like Napster, Kazaa and the hundreds of their ilk. Many corporations have a standard PC build image they want to maintain, and giving users admin rights is a great way to foul that up.