One of the primary concerns for system administrators when implementing Least Privilege Security on notebook computers is how to solve problems that require administrative access if a remote connection cannot be established. Consider a scenario where a user arrives at a conference center but can’t connect their notebook to the local network because there isn’t a DHCP server available. The only way to make a successful connection is to manually configure an IP address.
While we could add users to the Network Configuration Operators group on each notebook so that they can configure local network settings, the requirement to manually configure network options is rare and granting this access is likely to create more support problems than it solves. If you’ve ever worked on a help desk, you’ll know that a high percentage of calls from mobile workers are related to network connection problems, often caused by a misconfiguration.
Windows doesn’t have any built-in mechanism that allows system administrators to temporarily grant administrative privileges, which leaves IT departments reluctant to commit to Least Privilege on notebook computers. In this section, we’ll look at a couple of simple techniques that can be used to grant temporary administrative access to mobile users when all else fails. Neither method is perfect: both could potentially be hijacked by savvy users to install unsanctioned software or to grant themselves permanent administrative access. Even so, system administrators need a back door of this kind to be confident that they can provide support in any situation.
The instructions that follow use local user accounts and local policy settings, but are intended for use in a domain environment. If you wish to manage the accounts and policy settings centrally, domain users and domain-based Group Policy Objects can be used as an alternative. The following techniques shouldn’t be used in high security environments.
For each notebook in our organization, we need to create a set of accounts that have administrative access. Let’s create three accounts on each notebook: Support1, Support2, and Support3.
You can do this easily from the command prompt or by adding the appropriate commands to a batch file. Log on to the notebook as an administrator and run the following two commands from the command prompt, once for each support account:
net user Support1 ******** /expires:never /passwordchg:no /ADD
net localgroup Administrators Support1 /ADD
Replace ******** with a random password for each account. The passwords for each support account must be recorded somewhere for future reference. The password for each account should be completely random and differ on every notebook.
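A scripted version of the account-creation step, added here as an example and not part of the original article or of any Microsoft tool: it wraps the same two net.exe commands shown above in a PowerShell script that generates a different random password for each account on each notebook, verifies that the account landed in the local Administrators group, and appends the account details to a record that is kept off the notebook. The function names, the password character set and the record path are assumptions; the UNC path in particular is a placeholder for a share that only help desk staff can read.

```powershell
# Added example (not from the original article): create per-notebook support
# accounts with random passwords using the same net.exe commands as the text.
# Run from an elevated PowerShell prompt on the notebook being configured.

function New-RandomPassword {
    # Cryptographically random password. The character set is exactly 64 characters,
    # so "byte % 64" introduces no modulo bias. Ambiguous glyphs (l, I, O, 0, 1)
    # are left out because the password will be read out to a user over the phone.
    param([int]$Length = 16)
    $charset = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$-_+'
    if ($charset.Length -ne 64) { throw 'charset must be exactly 64 characters' }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $charset[$_ % 64] })
}

function New-SupportAccount {
    # Creates one administrative support account with the article's two commands
    # and returns a record of the generated password so it can be stored.
    param([Parameter(Mandatory)][string]$Name)
    $password = New-RandomPassword
    & net.exe user $Name $password /expires:never /passwordchg:no /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $Name" }
    & net.exe localgroup Administrators $Name /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed for $Name" }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Account  = $Name
        Password = $password
        Created  = (Get-Date).ToString('s')
    }
}

function Test-SupportAccount {
    # Verifies the account is a member of the local Administrators group by reading
    # the same "net localgroup" output an administrator would check by hand.
    param([Parameter(Mandatory)][string]$Name)
    $members = (& net.exe localgroup Administrators) | ForEach-Object { $_.Trim() }
    return ($members -contains $Name)
}

function Remove-SupportAccount {
    # Counterpart to creation: deletes the account. The article has this happen
    # automatically at logoff through a local policy setting; that policy is not
    # shown here, so this is the manual equivalent (hypothetical helper).
    param([Parameter(Mandatory)][string]$Name)
    & net.exe user $Name /delete | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage: create Support1..Support3, verify each one, then record the passwords.
# Placeholder path: a share readable only by help desk staff, never a local folder,
# since a user with local access could otherwise read every support password.
$recordPath = '\\FILESERVER\Support$\support-accounts.csv'
$records = 1..3 | ForEach-Object { New-SupportAccount -Name "Support$_" }
foreach ($r in $records) {
    if (-not (Test-SupportAccount -Name $r.Account)) {
        throw "verification failed for $($r.Account)"
    }
}
$records | Export-Csv -Path $recordPath -NoTypeInformation -Append
```

The script deliberately shells out to net.exe rather than using newer cmdlets so that it behaves identically to the batch-file approach in the text on any Windows version the article covers; the only things it adds are the random per-notebook password and the post-creation check.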
To ensure that each support account is deleted at log off, we need to create a local policy setting for that account. This step must be repeated for each support account.
To test the configuration, log in to Windows using the Support1 account.
Because Support1 is deleted at log off, the next time the support procedure is needed the user must be given the password for Support2.
The procedure outlined here can be used by help desk staff when a user requires a temporary administrative login for support: