Educause Security Discussion mailing list archives

Survey of Administrative Rights security policy at peer universities


From: "Davis,William" <William.S.Davis () COLOSTATE EDU>
Date: Thu, 25 Oct 2007 09:14:31 -0600

The following is a summary of the Administrative Rights Survey that I posted a couple weeks ago.  Thanks to all who 
responded!  I have tried to condense the various comments into a semblance of categories.  If you have specific 
questions, please feel free to contact me via my email address listed at the bottom.

Administrative Rights Survey Results:

Responses:
36 North American University/College departments

General Policy on granting local administrator privileges
24 Default Deny
12 Default Permit

If policy is to deny admin privileges, are exceptions allowed?
17 Yes
5 No
2 N/A

What constitutes an exception?
12 Business need
 3 Not connected to staff Windows Domain or staff network
 2 Self managed or requested by user

What constitutes "Business Need"?
- Laptops used in mobile environment
- Specialized software requiring admin rights to run
- Software requiring frequent updates that is not managed centrally
- Anyone making a request

If policy is to permit admin privileges, are exceptions made to remove rights?
6 Yes
0 No
6 N/A

What circumstances result in loss of privileges?
Abuse/repeated infections
Sensitive data
New employees/student employees
No business need
Multi-user systems

Significant Infection (15 respondents):
4 with 0 infections - default policy deny local admin rights no exceptions
2 with 0 infections - denied local admin rights only on staff networks

5 with 0 infections - exceptions allowed for business need
2 with 2 or more infections - exceptions allowed for business need

1 with 2 or more infections - default policy permits local admin rights
1 with 10 or more infections - default policy permits local admin rights

General Comments supporting Policy of Deny:
- Attacks are more sophisticated and have changed from vandal to thief
- Significant Infection allowed change to "Deny" policy
- Education is especially effective after a compromise
- Required less support time/Reduced load on Help Desk
- IT staff or users with exceptions must have 2 accounts,
    both admin and non-admin, used appropriately.
- Issue was really customer service, granted exception only if all other
    options exhausted
- Require approval signature for exceptions
- Require signed user agreement for exceptions
- Require user education for exceptions
- Must submit needs analysis for non-standard software requiring exception
- Exceptions permitted only on non-staff networks

General Comments supporting Policy of Permit:
- Policy easier to administer, remove if abuse detected
- Only for single user computers
- Must have patches, anti-virus/anti-spyware
- Must balance risk versus user need
- User perception of need made deny policy difficult


-Bill
*****************************************************************************************
William S. Davis      SANS security certifications:  GSEC,GCIH,GCFW,GCIA
Network Security Administrator
Housing Technology Services
Colorado State University
William S. Davis () colostate edu
******************************************************************************************
