Educause Security Discussion mailing list archives
Re: Windows Local Administrative Privilges
From: "Parker, Ron" <Ron.Parker () BRAZOSPORT EDU>
Date: Mon, 10 Apr 2006 08:30:19 -0500
Our policy is that, by default, no user has local admin privileges on their PC. The exceptions we've made are: 1) users with laptops who actually travel with them and need to change settings while away from campus; and 2) users in departments like computer science that need to be able to fiddle with things as part of their teaching. It is hard for me to imagine a reason to give local admin privs to any non-faculty other than staff that travel extensively with laptops. My staff has to work very hard sometimes to make applications work within Windows XP given these restrictions but we think the effort is worth it. I also have a policy that if a user can't install something on their computer because they aren't admin on it, they can call the helpdesk and we will have someone there within a few minutes to do the install for them. This has eliminated the excuse that the lack of privileges is preventing them from getting critical work done. It also insures that my staff gets to know what they are installing and can verify the license status for the software before it is installed. I get plenty of requests to over-ride the admin user policy but very few of those requests are granted because in most cases the user can't demonstrate a business-related need for the privilege. Most of the time, I think the issue is a control issue. No one, including me, likes to be told what to do or what we can't do. However, the analogy I use is that we don't allow unlimited access to sensitive resources anymore than the business office gives out the combination to the safe to everyone who works here. If a device is attached to the network, it is a security risk and must be managed in that context. -- Ron Parker, Director of Information Technology, Brazosport College ________________________________ From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] Sent: Sunday, April 09, 2006 9:12 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Windows Local Administrative Privilges Just wondering for some viewpoints on the pros and cons of letting the end-users in an academic environment have local administrative access on their windows pc's. Harold Harold Winshel Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers University, Camden Campus 311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102 (856) 225-6669 (O)
Current thread:
- Windows Local Administrative Privilges Harold Winshel (Apr 09)
- <Possible follow-ups>
- Re: Windows Local Administrative Privilges Julian Y. Koh (Apr 09)
- Re: Windows Local Administrative Privilges Harold Winshel (Apr 09)
- Re: Windows Local Administrative Privilges Julian Y. Koh (Apr 09)
- Re: Windows Local Administrative Privilges Harold Winshel (Apr 09)
- Re: Windows Local Administrative Privilges Russell Fulton (Apr 09)
- Re: Windows Local Administrative Privilges Parker, Ron (Apr 10)
- Re: Windows Local Administrative Privilges Daniel R Jones (Apr 10)