Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Tue, 8 Dec 2009 08:13:08 -0600
It's been my view that removing administrative rights is not only about preventing malware installs, it's also about limiting the liability our campus has in terms of legal issues from software being installed that we don't own, to use of P2P software on campus systems, etc. The idea that users need administrative access to their computer or that they somehow have a right to it is wrong in my opinion. When I go into my office, I have services provided to me by other departments on campus that I do not have full control over. If I need a light bulb replaced in my office, do I have a key to go do it myself or do I just call Physical Plant and have them come over? Sure it'd be faster and probably easier for plant to just go take care of it myself. I know I'm massively over simplifying things here, but you see my point. Just because you can give someone full access to a machine, and they're used to it at home, doesn't mean they should have that access at work. I have full access to the thermostat at home (well, I take that back... my wife does... I'm just a user there too) but I can't just go adjusting the HVAC system at work how I want. We make as much software as possible that we've preapproved user-installable through Group Policy Software Deployment and soon though System Center once we have that up and running. Our staff maintains a repository of approved software installs that require us to do it, so when the user cannot do it themselves it only takes us a few minutes. We have very easy to use remote access software and can usually get stuff installed for them within 24 hours, if not as soon as they call in. Michael Stanclift Network Analyst Rockhurst University http://help.rockhurst.edu (816) 501-4231 PThink before you print! ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany [marchany () VT EDU] Sent: Monday, December 07, 2009 4:42 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Peeling off desktop Administrator Rights It's been very interesting to see the different scenarios that you guys have for delegating some priv set to general users. But, IMHO, all of these don't address the real issue: how long does it take for a general user to get a software package installed on their desktop if you don't allow them to do it themselves? Hours? Days? Weeks? As a long time sysadmin (25+ years) I've beginning to think that we (sysadmins) are more of the problem than the users because we set up environments that make address OUR needs/likes and not so much the user requirements. That model dooms a site to failure, I think. The "original" purpose of these restrictions was to prevent users from downloading malware/trojans that were embedded in "cute" programs like aquarium backgrounds, etc. So, the sysadmin in me says "no, no, no, you can't do that" but we never built an efficient mechanism to allow a user to download what THEY need to do THEIR job. I know one of the reasons why I went down this path was because there was only 1 of me and 10K users. 2 events would overwhelm my response capabilities. The attack vectors have changed. Now, malware gets inserted on a desktop without any active user intervention other than surfing the www and having malware downloaded to their desktop which is the very thing we tried to prevent with our "no local admin rights". So, are we going to ban www surfing? Doesn't that impact the business process? Imagine if we sysadmins aren't allowed to surf sites like sourceforge, packetstormsecurity, etc. If that happens, then our job becomes much more difficult. I look at some depts here on campus who let their users install whatever software they want and I don't see any significant increase in bad events happening in those environments. This leads to me question how effective was the user ban? That's why I'm curious to see how long it takes from the time a user requests a software package to be installed on their desktop to the time it actually gets installed. I think you'll see what I'm talking about when we look at the responses. -r.
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Valdis Kletnieks (Dec 08)
- Re: Peeling off desktop Administrator Rights John Hoffoss (Dec 08)
- Re: Peeling off desktop Administrator Rights Kreider, Randall G (Dec 10)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 10)