Educause Security Discussion mailing list archives
Re: User Privilege Levels.
From: "Daly, Douglas" <DDALY () NYMC EDU>
Date: Tue, 24 Feb 2009 09:01:59 -0500
Matt,

We do not grant end users administrative privileges. If they need elevated privileges, help desk will remote desktop to the computer, elevate privileges or assist with installation and then demote privileges. Allowing administrative access to end users is a recipe for major help desk headaches.

If an end user insists (usually a faculty researcher) on having administrative access to "his" computer, we will not join it to the domain and assistance stops at the network jack. All college-owned computers must be running our campus anti-virus application (Trend Micro here).

We went from Novell to Windows many years ago but the one thing I would have done differently is I would have created OUs for the various groups, e.g. students, faculty, staff. That would have allowed us to customize the password policy and made printing customization easier. Back when we made the change, we didn't have a policy requiring regular password changes.

We don't restrict access to computers to one (or a small group of) user(s). That's not a bad idea, but it does require a lot of management time. Restricting administrative computers to just the members of the department will enhance security.

One last item... We have a common, local administrator password that is known only to help desk. Local accounts at the workstations are not created so everyone using the computer authenticates to the domain.

Regards,

Douglas Daly
Associate Director, Technical Services
New York Medical College
Valhalla, NY 10595
914.594.4961

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU]
Sent: Monday, February 23, 2009 10:46 AM
Subject: User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end user authentication, and so we'll be joining all college-owned end user computers to the domain.

I'm curious about privilege levels. What sort of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?
* Do you have a uniform level for all employees, or does it vary by position?
* Can an employee move between schemes, applying for greater access after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator graciem () canisius edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg