How much lockdown is enough?
Of course you dont run all machines as admin! been known since day 1 , been implemented since computers took over the world , which i'll put at 1990.
Security is however a balancing act between usability , conveniance and security . Like it or not. I'm sure most sysadmins would like to just disable all user accounts . There'd be a lot less risk then.
In my place my betters and higher ups have decided no more using any of the following over the network: *
regedit
compmgmt.msc
services.msc
psexec
WMI interface
File sharing (C$)
printmanagement.msc
etc ad infinitum
which basicly means the only way you are going to connect to a PC to fix it is to boot the user off so you can go in through the front door console session ,either remotely with rdp/sccm or in person.
Too much lockdown? not enough? opinions welcome.
*that list is for admins obviously, users are fully lockeddown , as they should be.