Educause Security Discussion mailing list archives
Re: Administrative v/s power user Access for Staff and students
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 6 Mar 2009 17:08:12 -0500
Anand S Malwade wrote:
I was wondering what other universities are doing in limiting administrative access on Desktops and laptops for Staff? The rationale being as we know that enterprise workstations run as administrator also makes the network vulnerable to malware including viruses, Trojan horses, spyware, adware and unintentional user damage. Malware can exploit a local administrator account’s system-level access to damage files, change system configurations, and even transmit confidential data outside of the network. Ensuring that all users run as standard users is the primary way to help mitigate the impact.
Has anyone tried giving Power User level access as opposed to full admin rights and if yes what was the overall experience?
If I remember correctly, power users have write and modify rights to the windows directory and the system portions of the registry. We decided it wouldn't help protect against compromises very much.

We've converted all of IT and some sensitive administrative departments to regular user account use for day to day activities. Some isolated areas have taken the initiative and converted themselves.

Our strategy to proceed further can be summed up as:

1. Increase the number of application installation packages available through SMS.

2. Continue to deploy a supporting infrastructure that enables us to better operate, support, and react to changes due to the new environment.
   a. Managed desktop environment based on Active Directory domain
   b. Scripting server and repository for automation of solutions
   c. remote control
   d. BeyondTrust Privilege Manager
      - templates and group policies allow defined programs to run with administrative privileges under user account and profile
      - "magic folder" where a user can put a trusted program. When run from the "magic folder" it will run with administrative privileges. Yes, that means they can put happy_valentine.exe in that folder but we're hoping to address that issue with education, folder naming, and other procedures.

3. Evolve support, documentation, and training resources to align with the new environment.
   a. Remote control support capabilities
   b. Login warning popups if account has administrative privileges

4. Tactical solutions to be used as necessary as 1-3 mature
   a. On-request helpdesk elevation of domain account to local machine administrator by moving domain account into a unique domain group associated with each computer in the computer's local administrators group. ( whew )
   b. Separate administrator account to be used for:
      - RUNAS
      - UAC
      - Direct login
      - Temporary self elevation of domain account to administrator as described in (a)
      - scripts and prepackaged shortcuts to help automation
   c. Selective ACL adjustments on folders, files, and registry keys to allow the user account additional rights to low risk areas for poorly written applications that won't run unmodified under a regular user account.

Ask us in a year how it went. :)

Note that it's not a panacea. Functional malware can be written using only user rights though it won't be able to hide and embed itself so well nor affect system processes like AV, the firewall, and automatic updates.

- Automatic startup on user login
   - User profile startup folder \Documents and Settings\user\Start Menu\Programs\Startup
- Access to sensitive data in user accessible areas:
   - My Documents
   - Network folders
   - USB and optical drives
   - Encrypted data
- Screen scraping
- Keystroke logging
- Generate network traffic
- Communicate with third parties via e-mail, http, IRC, custom protocols, and almost anything else
- Privilege elevation
   - Locally exploitable, unpatched defects
   - Some sophisticated Windows message injection attacks

For truly sensitive areas, a professionally administered white list of executables is the only solution.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
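An added example, not part of the original post or JMU's tooling: a small audit for the per-computer elevation group scheme in item 4a. It flags accounts placed directly in a machine's local Administrators group and elevations left in place without a current helpdesk request. The domain name, the `LocalAdmin-<COMPUTER>` group naming, the expiry on each request, and all hosts and accounts are assumptions constructed for illustration.

```python
from datetime import datetime

DOMAIN = "CAMPUS"  # assumption: placeholder domain name

def elevation_group(computer):
    # Assumption: one domain group per computer, named LocalAdmin-<COMPUTER>.
    return f"{DOMAIN}\\LocalAdmin-{computer}"

def audit(local_admins, group_members, requests, now):
    """Return (computer, account, reason) findings.
    local_admins:  {computer: members of its local Administrators group}
    group_members: {per-computer domain group: accounts currently in it}
    requests:      {(computer, account): expiry of the helpdesk-approved elevation}
    """
    findings = []
    for computer in sorted(local_admins):
        group = elevation_group(computer)
        members = {m.lower() for m in local_admins[computer]}
        allowed = {f"{computer}\\administrator".lower(),
                   f"{DOMAIN}\\domain admins".lower(), group.lower()}
        for extra in sorted(members - allowed):
            findings.append((computer, extra, "direct member of local Administrators"))
        if group.lower() not in members:
            findings.append((computer, group.lower(), "elevation group not in local Administrators"))
        for account in sorted(a.lower() for a in group_members.get(group, [])):
            expiry = requests.get((computer, account))
            if expiry is None:
                findings.append((computer, account, "elevated with no helpdesk request"))
            elif expiry <= now:
                findings.append((computer, account, "elevation past its expiry"))
    return findings

# Constructed sample inventory (not real hosts or accounts).
NOW = datetime(2009, 3, 6, 17, 0)
LOCAL_ADMINS = {
    "LIB-PC01": ["LIB-PC01\\Administrator", "CAMPUS\\Domain Admins", "CAMPUS\\LocalAdmin-LIB-PC01"],
    "REG-PC07": ["REG-PC07\\Administrator", "CAMPUS\\Domain Admins",
                 "CAMPUS\\LocalAdmin-REG-PC07", "CAMPUS\\jdoe"],
    "FIN-PC03": ["FIN-PC03\\Administrator", "CAMPUS\\Domain Admins"],
}
GROUP_MEMBERS = {"CAMPUS\\LocalAdmin-LIB-PC01": ["CAMPUS\\asmith", "CAMPUS\\bjones"],
                 "CAMPUS\\LocalAdmin-REG-PC07": ["CAMPUS\\cwu"]}
REQUESTS = {("LIB-PC01", "campus\\asmith"): datetime(2009, 3, 6, 18, 0),   # still open
            ("LIB-PC01", "campus\\bjones"): datetime(2009, 3, 5, 12, 0)}   # lapsed

if __name__ == "__main__":
    print(*audit(LOCAL_ADMINS, GROUP_MEMBERS, REQUESTS, NOW), sep="\n")
```

In practice the three inputs would come from an export of each machine's local Administrators group, the directory's group membership, and the helpdesk ticket system.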