If you can't avoid staying away from those programs, what would be the work-around, if any? You're right about SUS using GPO at the computer settings on a scheduled installation, but if you wanted to allow users to be automatically notified or manually download notified updates, the users must belong to the Local Admin.

-----Original Message-----
From: Joe Pochedley [mailto:JoePochedley@xxxxxxxxx]
Sent: Friday, June 06, 2003 8:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OT: SUS, Interwise and other applications that require users to belong to the Local Administrator Group

http://www.ISAserver.org

David,

I would definitely agree that programs that require the user to be Local Admin on a machine to run are poorly designed programs. Therefore, if you are running a network and need to lock down the workstations, you should stay away from these programs...

SUS can be set to run and install updates, through GPOs, without the locally logged on user having Admin provides

Joe Pochedley
If you have time to do it twice, you had time to do it right in the first place.

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Friday, June 06, 2003 7:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] OT: SUS, Interwise and other applications that require users to belong to the Local Administrator Group

http://www.ISAserver.org

Hi everyone,

Sorry for the repeated question but was wondering if anyone has any suggestion to this issue?

Yesterday I had joined Windows Server 2003 Security Guide Microsoft webcast and asked about applications such as Microsoft application (SUS), the software for the webcast (Interwise), and other third party software (Ad-aware) that require users to belong to the Local Administrator Group to obtain full functionality.
The mediator explanation was due to developing of the software and that third-party software companies do not implement security design for their application, but didn't have a work-around for this scenario. This is interesting, isn't it the idea to lock down as much surface space for hackers to attack, but when a software for user requires local admin full control, wouldn't this be a red-flag to raise as a security hole on the network or system? Doesn't this increase the risk if the user were to receive a virus or worm? Then what good are the default Local groups (Power-Users and Users) for at the local system level? Does this go without saying in a development environment as well, since most of their environment needs full access and limited security restrictions to their local system? Does this defeat the purpose of securing the end-users environment?

Any suggestions are greatly appreciated.

Regards,

David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: JoePochedley@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')