Derek Melber (MCSE, MVP) is one of only 8 MVPs on Group Policy in the world. Derek published an article on windowsecurity.com titled “Desktops: Local Rights & Privileges” and is also the author of The Group Policy Resource Kit by Microsoft Press. In the article, Derek addresses the many questions he receives about end user desktops, with topics specifically related to user rights, permissions, local group, and least privileges.
“For corporate environments, the overall goal is to allow users to run all applications, install key software and drivers, and run operating system features that make the company money, but to do this with the least privilege possible,” said Derek Melber. Ideally, this would achieve overall desktop security. If user rights, permissions, and local group settings are configured correctly using Group Policy, then a corporate entity is on the right track to achieving overall desktop security and moving to a least privilege environment, where the user does not have local administrative privileges except for the tasks that require them.
According to Derek, Windows Vista and 7 come with User Account Control (UAC) which has “standard sets options for you can either grant access to business applications requiring administrative privileges by adding the user to the local Administrators group, or you can modify all of the permissions and user rights associated with the files, folders, and desktop so the user can ONLY elevate the specified application. With potentially hundreds of applications for a corporation, this is not a very efficient option.” Derek suggests using a solution that can extend Group Policy.
Third-party software such as Viewfinity’s Privilege Management solution can help achieve the overall desktop security goal by extending a corporate entity’s existing Group Policy infrastructure. Viewfinity allows companies to use what they already have in Active Directory and Group Policy, and to manage privileges for users at a granular level, giving them further control over ensuring users are granted the least privileges possible. Many companies currently use our privilege management software as an extension to Group Policy.