How much access would you grant users when setting up a new laptop
Posted by lookashinyobject@reddit | sysadmin | 14 comments
I'm curious, as while I work in an IT tech support role I'm not a sysadmin. My role is providing support for our software and its links to other software. I got my new work laptop recently with Win11 to replace my Windows 10 laptop that was dying. Our sysadmin did their basic stuff, linked it to the domain and installed the bare minimum of software, instead giving me 24h of admin control over it to set it up how I wanted. The part that surprised me was them saying yes to me making some registry changes after running them past them first (e.g. fixing the right click menu), while they would never give that access to most of our other departments, and baby them by doing the full set-up for them. I am just really curious how common letting the tech related departments set up their own computers is.
FfityShadesOfDone@reddit
Worked in a few IT roles for a fortune 500 company you've almost certainly heard of (~60k users).
rheureddit@reddit
"we're a large org that gives our users with domain admin access, local admin access also because we don't understand how to use groups in active directory and local user manager to create secondary admin accounts that can be shut down in the event of a breach" is all I read here.
FfityShadesOfDone@reddit
If you're referring to our HD and desktop support roles you may want to re-read that - they have a domain wide desktop admin account, not domain admin, i.e. a second 'admin' account that is a member of the administrators group org wide. They also have their regular logon accounts in the administrators group of their workstation specifically to make troubleshooting / testing slightly easier. None of our HD or desktop support folks have any kind of domain admin access except for renaming PCs and password resets.
If you're looking at our sysadmins they do receive local admin on their endpoints (both prod and lab) but they do not interact with domain admin functions from those workstations. Admin tasks are performed with a domain admin account inside a PAM solution with rotating passwords every few hours, conditional access policies limiting the OU of computer / server they can access the account from.
Again, we're a fortune 500 retail conglomerate with a subsidiary financial institution and annually audited for PCI DSS and PII compliance. There's no smoking gun you're going to find in 30 seconds via a reddit post that teams of auditors from various insurance firms, government bodies and third party compliance standards committees haven't stumbled across in their quarterly / annual reviews.
jaydizzleforshizzle@reddit
This is literally it, SMB will be chaos always, but moving to a global company of 100k+, this is the exact schema to a tee.
Outrageous-Guess1350@reddit
None. Stick to the supported software and changes needed for his position. If he needs personal stuff on his laptop, he can install it on his personal laptop. Granting admin access so he can do as he pleases is a security risk.
If he deviates, you will be the one fixing it.
DeifniteProfessional@reddit
That sounds like sheer laziness. "Here's 24 hours of [domain] admin access so you don't need to call us back".
It varies from org to org. But the standard for security should be that an end user never has administrative access.
tarkinlarson@reddit
Normal users? No Admin access at all during the standard build. Nearly everything is automated.
rheureddit@reddit
Shared kiosk PCs which utilize a single login configured to never timeout, lock is disabled, and auto sign in have bare minimum access. These PCs can't even utilize the Microsoft Outlook app. Emails are checked via browser to force 2FA.
Normal end users get no permissions, they request which software they'll need on the new PC, they can keep their old laptop for 1 week in the event of an upgrade/replacement to ensure they have everything.
PLC techs are given a separate account assigned to the individual that can be used for UAC prompts. The account is made in ADUC; it's added to Administrators in Local Users and Groups.
Engineers utilizing AutoCAD use PRA and their supervisor and our on call distribution list are able to approve the necessary prompts.
Remote users call the HD for any elevations.
All infrastructure and support teams have a client admin account for approving UAC prompts, installing software, and configuring PCs for initial domain setups/user GPOs.
They also have a systems admin account with a daily rotating password that is used for accessing administrative systems such as Microsoft, Okta, Claroty, etc. depending on what their job scope is and what their escalation responsibility includes.
Management, including IT, does not have any of this outside of the manager responsible for any specific administrative system requiring a systems admin account.
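For the separate-admin-account model described in this post (a dedicated account used only for UAC prompts, added to the local Administrators group), here is an added PowerShell check that is not from the thread or any poster: it lists members of the local Administrators group and flags anything that is not a dedicated admin account or an approved AD group, which is how you catch a daily-driver account quietly holding local admin. The "-adm" suffix and the CORP\Workstation-Admins group name are assumptions; adjust them to your own naming standard.

```powershell
# Added example, not from the thread: audit the local Administrators group and flag
# members that are not a dedicated admin account or an approved AD group.
# Assumptions (constructed): dedicated admin accounts end in "-adm" and the only
# approved group is CORP\Workstation-Admins. Adjust both to your own naming standard.
function Get-UnexpectedLocalAdmins {
    [CmdletBinding()]
    param(
        [string]   $AdminSuffix    = '-adm',
        [string[]] $ApprovedGroups = @('CORP\Workstation-Admins'),
        [string]   $ComputerName   = $env:COMPUTERNAME
    )

    # Get-LocalGroupMember is built in on Windows 10/11 and Server 2016+.
    # It can throw on orphaned SIDs (deleted domain accounts); surface that as a finding.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; Member = '(unknown)'; Type = 'Error'; Source = ''; Reason = $_.Exception.Message }
    }

    foreach ($m in $members) {
        $account = ($m.Name -split '\\')[-1]   # strip the DOMAIN\ or COMPUTER\ prefix
        $reason  = $null

        if ($m.ObjectClass -eq 'Group') {
            if ($ApprovedGroups -notcontains $m.Name) { $reason = 'group is not on the approved list' }
        }
        elseif ($m.PrincipalSource -eq 'Local' -and $account -eq 'Administrator') {
            # built-in account; its enabled state and password belong to LAPS, not this check
        }
        elseif ($account -notlike "*$AdminSuffix") {
            # a daily-driver (mail/browsing) account holding local admin is the case the thread warns about
            $reason = 'daily-driver account holds local admin'
        }

        if ($reason) {
            [pscustomobject]@{
                Computer = $ComputerName
                Member   = $m.Name
                Type     = $m.ObjectClass
                Source   = $m.PrincipalSource
                Reason   = $reason
            }
        }
    }
}

# Usage: run elevated on the endpoint, or wrap in Invoke-Command for a fleet sweep.
Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```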
Visible_Witness_884@reddit
We have Admin By Request. Users can get local admin privileges if they desire and just fill out a comment.
Old_Acanthaceae5198@reddit
It's fine and common for a small company without a lot of IP or PII. But as you grow and you, at a minimum, need insurance it's going to be a requirement to lock that down.
InfoAphotic@reddit
All our users use Citrix, so their containers are extremely limited. Our IT operations team all have local admin. Devices we give to staff are all restricted via Intune through policy.
user_is_always_wrong@reddit
Every time I set up a computer for someone from IT I install the bare minimum like antivirus and patch client.
Admins have their admin account so they can install the required software themself.
Oh_for_fuck_sakes@reddit
We give only IT, and Security the ability to modify their endpoints which is done by separate accounts with separate duties. If they require modification of anything they can do so, in their unprivileged environment using their privileged account. Anyone else gets a standard account with no privileges. If they require change, they submit it to us, and we make the change. If they require apps, we package it and deploy it.
We have a standardized environment that needs to be maintained to our SOE. If we allow people to modify it, according to personal (Not business!) needs then it becomes unmaintainable and requires too much overhead for us to maintain and support.
Additionally we have found that other "tech related" departments know enough to break, not enough to fix.
CuteSharksForAll@reddit
Well for heavy tech related departments, like the data analysts that have all the crazy data tools they load we try to put them all in Company Portal. For the more power users, we use Endpoint Privilege Management where they can provide justification to run something as Administrator. Of course, those escalations are logged, so they are under the understanding that if they load something inappropriate their computer will be reset and they will lose those privileges.
But as a matter of practice, no, we would never give local Administrator access even to a tech savvy power user who doesn’t work for the IT department. There has been an odd couple of exceptions because of some poorly coded software where a few users need to run as Administrator, but they have a separate login for that and don’t use that computer for email/daily driver.