Educause Security Discussion mailing list archives
Survey of Administrative Rights security policy at peer universities
From: "Davis,William" <William.S.Davis () COLOSTATE EDU>
Date: Thu, 25 Oct 2007 09:14:31 -0600
The following is a summary of the Administrative Rights Survey that I posted a couple weeks ago. Thanks to all who responded! I have tried to condense the various comments into a semblance of categories. If you have specific questions, please feel free to contact me via my email address listed at the bottom.

Administrative Rights Survey Results:

Responses: 36 North American University/College departments

General Policy on granting local administrator privileges
  24 Default Deny
  12 Default Permit

If policy is to deny admin privileges, are exceptions allowed?
  17 Yes
   5 No
   2 N/A

What constitutes an exception?
  12 Business need
   3 Not connected to staff Windows Domain or staff network
   2 Self managed or requested by user

What constitutes "Business Need"?
  - Laptops used in mobile environment
  - Specialized software requiring admin rights to run
  - Software requiring frequent updates that is not managed centrally
  - Anyone making a request

If policy is to permit admin privileges, are exceptions made to remove rights?
  6 Yes
  0 No
  6 N/A

What circumstances result in loss of privileges?
  - Abuse/repeated infections
  - Sensitive data
  - New employees/student employees
  - No business need
  - Multi-user systems

Significant Infection (15 respondents):
  4 with 0 infections - default policy deny local admin rights, no exceptions
  2 with 0 infections - denied local admin rights only on staff networks
  5 with 0 infections - exceptions allowed for business need
  2 with 2 or more infections - exceptions allowed for business need
  1 with 2 or more infections - default policy permits local admin rights
  1 with 10 or more infections - default policy permits local admin rights

General Comments supporting Policy of Deny:
  - Attacks are more sophisticated and have changed from vandal to thief
  - Significant Infection allowed change to "Deny" policy
  - Education is especially effective after a compromise
  - Required less support time/Reduced load on Help Desk
  - IT staff or users with exceptions must have 2 accounts, both admin and non-admin, used appropriately.
  - Issue was really customer service, granted exception only if all other options exhausted
  - Require approval signature for exceptions
  - Require signed user agreement for exceptions
  - Require user education for exceptions
  - Must submit needs analysis for non-standard software requiring exception
  - Exceptions permitted only on non-staff networks

General Comments supporting Policy of Permit:
  - Policy easier to administer, remove if abuse detected
  - Only for single user computers
  - Must have patches, anti-virus/anti-spyware
  - Must balance risk versus user need
  - User perception of need made deny policy difficult

-Bill

*****************************************************************************************
William S. Davis
SANS security certifications: GSEC, GCIH, GCFW, GCIA
Network Security Administrator
Housing Technology Services
Colorado State University
William S. Davis () colostate edu
******************************************************************************************