Educause Security Discussion mailing list archives

Re: Windows Local Administrative Privileges


From: "Parker, Ron" <Ron.Parker () BRAZOSPORT EDU>
Date: Mon, 10 Apr 2006 08:30:19 -0500

Our policy is that, by default, no user has local admin privileges on
their PC. The exceptions we've made are: 1) users with laptops who
actually travel with them and need to change settings while away from
campus; and 2) users in departments like computer science that need to
be able to fiddle with things as part of their teaching. It is hard for
me to imagine a reason to give local admin privs to any non-faculty
other than staff that travel extensively with laptops. 
 
My staff has to work very hard sometimes to make applications work
within Windows XP given these restrictions but we think the effort is
worth it.  I also have a policy that if a user can't install something
on their computer because they aren't admin on it, they can call the
helpdesk and we will have someone there within a few minutes to do the
install for them. This has eliminated the excuse that the lack of
privileges is preventing them from getting critical work done. It also
ensures that my staff gets to know what they are installing and can
verify the license status for the software before it is installed. 
 
I get plenty of requests to override the admin user policy but very few
of those requests are granted because in most cases the user can't
demonstrate a business-related need for the privilege. Most of the time,
I think the issue is a control issue. No one, including me, likes to be
told what to do or what we can't do. However, the analogy I use is that
we don't allow unlimited access to sensitive resources any more than the
business office gives out the combination to the safe to everyone who
works here.
 
If a device is attached to the network, it is a security risk and must
be managed in that context.
 
--
Ron Parker, Director of Information Technology, Brazosport College

 

 

________________________________

        From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] 
        Sent: Sunday, April 09, 2006 9:12 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Windows Local Administrative Privileges
        
        
        Just wondering for some viewpoints on the pros and cons of
        letting the end-users in an academic environment have local
        administrative access on their Windows PCs.
        
        Harold
        
        

        Harold Winshel
        Computing and Instructional Technologies
        Faculty of Arts & Sciences
        Rutgers University, Camden Campus
        311 N. 5th Street, Room B36 Armitage Hall 
        Camden NJ 08102
        (856) 225-6669 (O)
        

