Not only should servers be hardened to protect against outside intruders, but clients need the same attention. Clients also need to have services, ports, applications, groups, and so on locked down to reduce security risks as much as possible. This reduction in security risk should not compromise functionality in most cases. If the security on a client is too tight, users might not be able to use applications and network communications as needed.
To show a wide range of client configuration best practices, we will look at four common environments. The best practices focus on creating and maintaining a secure environment for desktops and laptops running Windows XP Professional. We will break down clients into two more categories: enterprise and high security:
Enterprise. The enterprise environment consists of a Windows 2000 or Windows Server 2003 Active Directory domain. The clients in this environment will be managed using Group Policy that is applied to containers, sites, domains, and OUs. Group Policy provides a centralized method of managing security policy across the environment.
High security. The high-security environment has elevated security settings for the client. When high-security settings are applied, user functionality is limited to functions that are required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments.
It would be impossible to cover every possible scenario or environment. However, we will suggest security settings that have been reviewed, tested, and approved by Microsoft engineers, consultants, and customers in a production environment. Table 5-14 lists settings that are available within a standard security template and the best-practice configurations for the following four scenarios:
Enterprise desktop computers
Enterprise laptop computers
High-security desktop computers
High-security laptop computers
Table 5-14. Best Practice Security Settings for the Four Types of Clients
Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop | |
|---|---|---|---|---|
Auditing | ||||
Account Logon Events | Success Failure | Success Failure | Success Failure | Success Failure |
Account Management | Success Failure | Success Failure | Success Failure | Success Failure |
Directory Service Access | No Auditing | No Auditing | No Auditing | No Auditing |
Logon Events | Success Failure | Success Failure | Success Failure | Success Failure |
Object Access | Success Failure | Success Failure | Success Failure | Success Failure |
Policy Change | Success | Success | Success | Success |
Privilege Use | Failure | Failure | Failure | Failure |
Process Tracking | No Auditing | No Auditing | No Auditing | No Auditing |
System Events | Success | Success | Success Failure | Success Failure |
User Rights | ||||
Access this computer from the network | Administrators, Backup Operators, Power Users, Users | Administrators, Backup Operators, Power Users, Users | Administrators, Users | Administrators, Users |
Act as part of the operating system | No one | No one | No one | No one |
Adjust memory quotas for a process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service |
Allow log on locally | Users, Administrators | Users, Administrators | Users, Administrators | Users, Administrators |
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | No one | No one |
Backup files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Change the system time | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Create a pagefile | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Create a permanent shared object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one |
Create a token object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one |
Debug programs | Administrators | Administrators | Administrators | Administrators |
Deny access to this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone |
Deny log on through Terminal Services | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone |
Enable computer and user accounts to be trusted for delegation | No one | No one | No one | No one |
Force shutdown from a remote system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Generate security audits | Not Defined (Use defaults) | Not Defined (Use defaults) | NETWORK SERVICE, LOCAL SERVICE | NETWORK SERVICE, LOCAL SERVICE |
Increase scheduling priority | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Load and unload device drivers | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Log on as a batch job | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one |
Log on as a service | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one |
Manage auditing and security log | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Modify firmware environment values | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Perform volume maintenance tasks | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Profile single process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Profile system performance | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE |
Restore files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators, Users |
Shut down the system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Users | Administrators, Users |
Take ownership of files or other objects | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators |
Security Options | ||||
Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled |
Accounts: Limit local account use of blank passwords to console logon | Enabled | Enabled | Enabled | Enabled |
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |
Devices: Allow undock without having to log on | Disabled | Disabled | Disabled | Disabled |
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators |
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
Devices: Restrict CD-ROM access to locally logged—on user only | Disabled | Disabled | Disabled | Disabled |
Devices: Restrict floppy access to locally logged—on user only | Disabled | Disabled | Disabled | Disabled |
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation |
Domain member: Digitally encrypt or sign secure channel data (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled |
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled |
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
Interactive logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. |
Interactive logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1 |
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled |
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |
Microsoft network client: Digitally sign communications (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled |
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled |
Microsoft network client: Send unencrypted password to third—party SMB servers | Disabled | Disabled | Disabled | Disabled |
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes |
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled |
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled |
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled |
Network access: Shares that can be accessed anonymously | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$ |
Network access: Sharing and security model for local accounts | Classic–local users authenticate as themselves | Classic–local users authenticate as themselves | Classic–local users authenticate as themselves | Classic–local users authenticate as themselves |
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM and NTLM | Send NTLMv2 response only/refuse LM and NTLM |
Network security: LDAP client signing requirements | Not defined | Not defined | Require signing | Require signing |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption |
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled |
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled |
Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled | Enabled |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled |
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator |
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled | Enabled |
System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) | Enabled | Enabled | Enabled | Enabled |
Event Log | ||||
Maximum application log size | 20480 KB | 20480 KB | 20480 KB | 20480 KB |
Maximum security log size | 40960 KB | 40960 KB | 81920 KB | 81920 KB |
Maximum system log size | 20,480 KB | 20,480 KB | 20,480 KB | 20,480 KB |
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled | Enabled |
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled | Enabled |
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled | Enabled |
Retention method for application log | As needed | As needed | As needed | As needed |
Retention method for security log | As needed | As needed | As needed | As needed |
Retention method for system log | As needed | As needed | As needed | As needed |
System Services | ||||
Alterter | Disabled | Disabled | Disabled | Disabled |
Application Layer Gateway Service | Disabled | Disabled | Disabled | Disabled |
Application Management | Disabled | Disabled | Disabled | Disabled |
ASP .NET State Service | Disabled | Disabled | Disabled | Disabled |
Automatic Updates | Automatic | Automatic | Automatic | Automatic |
Background Intelligent Transfer Service | Manual | Manual | Manual | Manual |
ClipBook | Disabled | Disabled | Disabled | Disabled |
COM+ Event System | Manual | Manual | Manual | Manual |
COM+ System Application | Disabled | Disabled | Disabled | Disabled |
Computer Browser | Disabled | Disabled | Disabled | Disabled |
Cryptographic Services | Automatic | Automatic | Automatic | Automatic |
DHCP Client | Automatic | Automatic | Automatic | Automatic |
Distributed Link Tracking Client | Disabled | Disabled | Disabled | Disabled |
Distributed Link Tracking Server | Disabled | Disabled | Disabled | Disabled |
Distribution Transaction Coordinator | Disabled | Disabled | Disabled | Disabled |
DNS Client | Automatic | Automatic | Automatic | Automatic |
Error Reporting Service | Disabled | Disabled | Disabled | Disabled |
Event Log | Automatic | Automatic | Automatic | Automatic |
Fax Service | Manual | Manual | Disabled | Disabled |
FTP Publishing | Disabled | Disabled | Disabled | Disabled |
Help and Support | Disabled | Disabled | Disabled | Disabled |
HTTP SSL | Disabled | Disabled | Disabled | Disabled |
Human Interface Device Access | Disabled | Disabled | Disabled | Disabled |
IIS Admin Service | Disabled | Disabled | Disabled | Disabled |
IMAPI CD—Burning COM Service | Disabled | Disabled | Disabled | Disabled |
Indexing Service | Disabled | Disabled | Disabled | Disabled |
IPSec Services | Automatic | Automatic | Automatic | Automatic |
Logical Disk Manager | Manual | Manual | Manual | Manual |
Logical Disk Manager Administrative Service | Manual | Manual | Manual | Manual |
Messenger | Disabled | Disabled | Disabled | Disabled |
MS Software Shadow Copy Provider | Disabled | Disabled | Disabled | Disabled |
Netlogon | Automatic | Automatic | Automatic | Automatic |
NetMeeting Remote Desktop Sharing | Disabled | Disabled | Disabled | Disabled |
Network Connections | Manual | Manual | Manual | Manual |
Network DDE | Manual | Manual | Disabled | Disabled |
Network DDE DSDM | Manual | Manual | Disabled | Disabled |
Network Location Awareness (NLA) | Manual | Manual | Manual | Manual |
Network Provisioning Service | Disabled | Disabled | Disabled | Disabled |
NTLM Support Provider | Automatic | Automatic | Automatic | Automatic |
Performance Logs and Alerts | Manual | Manual | Manual | Manual |
Plug and Play | Automatic | Automatic | Automatic | Automatic |
Portable Media Serial Number | Disabled | Disabled | Disabled | Disabled |
Print Spooler | Disabled | Disabled | Disabled | Disabled |
Protected Storage | Automatic | Automatic | Automatic | |
Remote Access Auto Connection Manager | Disabled | Disabled | Disabled | |
Remote Access Connection Manager | Disabled | Disabled | Disabled | |
Remote Desktop Helper Session Manager | Disabled | Disabled | Disabled | |
Remote Procedure Call (RPC) | Disabled | Disabled | Disabled | Disabled |
Remote Procedure Call (RPC) Locator | Disabled | Disabled | Disabled | Disabled |
Remote Registry Service | Automatic | Automatic | Disabled | Disabled |
Removable Storage | Disabled | Disabled | Disabled | Disabled |
Routing and Remote Access | Disabled | Disabled | Disabled | Disabled |
Secondary Logon | Disabled | Disabled | Disabled | Disabled |
Security Accounts Manager | Automatic | Automatic | Automatic | Automatic |
Server | Automatic | Automatic | Disabled | Disabled |
Shell Hardware Detection | Disabled | Disabled | Disabled | Disabled |
Smart Card | Disabled | Disabled | Disabled | Disabled |
SSDP Discovery Service | Disabled | Disabled | Disabled | Disabled |
System Event Notification | Automatic | Automatic | Automatic | Automatic |
System Restore Service | Disabled | Disabled | Disabled | disabled |
Task Scheduler | Disabled | Disabled | Disabled | Disabled |
TCP/IP NetBIOS Helper Service | Automatic | Automatic | Automatic | Automatic |
Disabled | Disabled | Disabled | Disabled | |
Telnet | Disabled | Disabled | Disabled | Disabled |
Terminal Services | Disabled | disabled | Disabled | Disabled |
Themes | Disabled | Disabled | Disabled | Disabled |
Uninterruptible Power Supply | Disabled | Disabled | Disabled | Disabled |
Volume Shadow Copy | Disabled | Disabled | Disabled | Disabled |
WebClient | Disabled | Disabled | Disabled | Disabled |
Windows Audio | Disabled | Disabled | Disabled | Disabled |
Windows Firewall/Internet Connection Sharing (ICS) | Disabled | Disabled | Enabled | Enabled |
Windows Image Acquisition (WIA) | Disabled | Disabled | Disabled | Disabled |
Windows Installer | Automatic | Automatic | automatic | Automatic |
Windows Management Instrumentation | Automatic | Automatic | Automatic | Automatic |
Windows Management Instrumentation Driver Extensions | Disabled | Disabled | Disabled | Disabled |
Windows Time | Automatic | Automatic | automatic | Automatic |
Windows User Mode Driver Framework | Disabled | Disabled | Disabled | Disabled |
Wireless Zero configuration | Manual | Manual | Manual | Manual |
WMI Performance Adapter | Disabled | Disabled | Disabled | |
Workstation | Automatic | Automatic | Automatic | |
More Info
For more information on the below security settings for hardening Windows XP clients in each of these four environments, see the Windows XP Security Guide v2 found at http://www.microsoft.com/downloads/details.aspx?FamilyId=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en. For a thorough discussion of all security settings available in Windows XP Service Pack 2, see the Threats and Countermeasures Guide at http://go.microsoft.com/fwlink/?LinkId=15159.
Important
Before you implement any security settings or best-practice configurations for your production clients, be sure to test the settings for your environment. Applications, operating systems, and other network constraints can cause issues with these best-practice settings in some instances.
Clients must have basic communication on a network to send and receive e-mail and access network resources. Specific ports must be opened to provide this communication, as shown in Table 5-15. Depending on whether your client needs to communicate in some different manner or has an application that requires a different port opened, these ports will allow secure communications.
Table 5-15. Ports Required for Clients
Description | |
|---|---|
137 (NetBIOS name service) | Used by the browse master service. This port must be opened for WINS and browse master servers. |
138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service and the Windows Browser. |
139 (NetBIOS session service) | Should be closed unless you run applications or operating systems that must support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers. |
445 (SMB) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration. |
3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance. |
The local groups that exist on client computers should be controlled to ensure that the correct members belong to the administrative groups that exist on each computer. If these groups are not controlled through Group Policy, the local administrator will be able to control who has administrative control over the computer, and this can lead to insecure configurations and vulnerabilities.
Table 5-16 lists best practices for local group and which users or groups should be configured to belong to each group.
The standard client computer settings might not work for a computer that is used by someone on the IT staff or an administrator’s computer. These users need more privileged access to their own computers, including the ability to install applications, modify their own registries, run Administrative tools, and possibly back up their own computers. These tasks require certain services, ports, and restricted group configurations on the computer. The following sections offer best-practice configurations for computers used by IT staff and administrators to give them the access they need. We will cover only the settings that differ from those for the standard client computer suite described previously.
IT staff and administrators need access to key parts of their computers to access files, folders, and registry values. When an application is installed that needs to update these portions of their computers, the security must not prohibit them from doing these tasks. Instead of listing the exact security settings that need to be made (which would be almost impossible to determine without knowing the application or task), we will look at some of key tasks and responsibilities of an administrator and how to loosen security enough to allow these functions.
Administrators need to access certain services that might otherwise be disabled. You might need to set the following services to manual or automatic:
Alerter
Distributed Link Tracking Client
Help and Support
IIS Admin Service
IMAPI CD-Burning COM Service
Messenger
MS Software Shadow Copy Provider
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Removable Storage
Server
Uninterruptible Power Supply
An administrator might also need to install other software to administer other clients, servers, or Active Directory resources, including the following:
Administrative Tools (Admnpak.msi)
Group Policy Management Console (Gpmc.msi)
Windows Support Tools (SupportTools folder on the Windows XP product CD)
Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)
These applications can be installed by Group Policy or by the user of the computer. A user must have administrative privileges to perform the installs.
The recommended local group configuration for a standard client computer does not allow an administrator enough control of her computer to perform her duties. You must consider a different configuration, whether it is deployed using Restricted Groups or manually on each computer. Table 5-17 lists some best-practice configurations for local groups on an IT staff or administrator client machine.
Table 5-17. Restricted Group Best Practices for IT Staff or Administrator Clients
Local Group | Members |
|---|---|
Administrators | Administrator (local) |
Domain Admins | |
Domain<username> (where <username> is the user account for the administrator of the client) | |
Backup Operators | Administrators (local) |
Network Configuration Operators | Administrators (local) |
The Help Desk staff also needs more control over their computers than standard users need. However, they should not have as much control as an administrator. Depending on how your Help Desk is structured, you might have different sets of parameters for different Help Desk staff. For example, some Help Desk staff might be allowed to install applications while others are not. Here are some best-practice configurations for computers used by Help Desk staff to give them the access they need. These settings only represent the differences from the standard client computer suite of settings that are described above.
To fulfill their responsibilities and communicate with network servers and resources, the Help Desk staff will need access to certain services on their client computers that might otherwise be disabled. You might need to set the following services to manual or automatic:
The Help Desk staff might also need to install additional software to perform administration of the clients, servers, or Active Directory objects. Here is a list of applications that many Help Desk personnel need to use:
Administrative Tools (Admnpak.msi)
Group Policy Management Console (Gpmc.msi)
Windows Support Tools (SupportTools folder on the Windows XP product CD)
Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)
Tip
Although these tools provide complete control over all aspects of Active Directory and Group Policy, the Help Desk staff will be delegated privileges within Active Directory and through the GPMC to restrict their control over much of Active Directory.
These applications can be installed using Group Policy, or they can be installed by the user of the computer. To install these tools, the user must have administrative privileges.
The recommended standard local group configuration for a standard client computer will not allow Help Desk staff enough control over their computers to perform their duties. You must consider a different configuration of local groups, whether it is deployed using Restricted Groups or manually on each computer. Table 5-18 lists best-practice configurations for local groups on a Help Desk client.
Table 5-18. Restricted Group Best Practices for Help Desk Clients
Local Group | Members |
|---|---|
Administrators | Administrator (local) |
Domain Admins | |
Domain<username> (where <username> is the user account for the administrator of the client. This is needed when the Help Desk employee needs to install software manually on his computer.) | |
Backup Operators | Administrators (local) or Power Users |
Administrators (local) or Power Users | |
Power Users | Domain<username> (where <username> is the user account for the administrator of the client. This is needed when the Help Desk employee needs to modify local resources but not install applications.) |