Educause Security Discussion mailing list archives
Re: Desktop Administrator Question
From: Rich Graves <rgraves () CARLETON EDU>
Date: Wed, 1 Feb 2012 10:36:38 -0600
We're yet another special case that doesn't fit your questions: On our Windows 7 desktops, which are now the majority, nobody is a local administrator. However, all staff/faculty set (but many forget) a personal .\admin account and password, different for every machine, that they are instructed to use for software installation and system administration only. The .\admin account is blocked from domain resources, so there is no incentive to use it for anything but UAC elevation prompts.

Help desk techs use a domain account whose password changes twice daily. For offline access, the built-in Administrator account is set to a random value and submitted to a web service which stores it GPG-encrypted.

So, we get privilege separation against malware; a UAC speed-bump encouraging some consideration before software installation; two forms of help desk access without password sharing; but no enforcement of policy against unsanctioned software.

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
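Added example, not part of the original message and not Carleton's own script: one way to implement the offline-access step described above, where the built-in Administrator password is randomized and escrowed GPG-encrypted. It assumes PowerShell 5.1 or later (for the LocalAccounts cmdlets), `gpg` on the PATH with the escrow public key already imported, and a hypothetical escrow endpoint; the URL, key identifier and form field names are placeholders.

```powershell
# Added example: randomize the built-in Administrator password and escrow it.
# Assumptions: elevated session, PowerShell 5.1+, gpg on PATH, escrow key imported.
$EscrowUri    = 'https://escrow.example.edu/submit'   # placeholder endpoint
$RecipientKey = 'ESCROW-KEY-FINGERPRINT'              # placeholder key identifier
$Alphabet     = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'

function New-RandomPassword([string]$Chars, [int]$Count) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Rejection sampling: discard bytes that would bias the modulo.
    $limit = 256 - (256 % $Chars.Length)
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Count) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($Chars[$buf[0] % $Chars.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Locate the built-in Administrator by RID 500, since the account may be renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

$plain = New-RandomPassword $Alphabet 24

# Encrypt to the escrow public key before anything leaves the machine.
# The pipeline appends a line ending, so the decrypting side should trim it.
$cipher = $plain | & gpg --batch --yes --armor --trust-model always `
                         --recipient $RecipientKey --encrypt
if ($LASTEXITCODE -ne 0) { throw 'gpg encryption failed; password not changed.' }

# Escrow first. Invoke-RestMethod throws on a non-2xx response, so the local
# password is changed only after the service has accepted the ciphertext and
# the machine is never left with a password nobody can recover.
$body = @{ computer = $env:COMPUTERNAME; blob = ($cipher -join "`n") }
Invoke-RestMethod -Uri $EscrowUri -Method Post -Body $body -ErrorAction Stop | Out-Null

$admin | Set-LocalUser -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
Remove-Variable plain
```

If the final `Set-LocalUser` call fails after a successful submission, the escrowed value is wrong for that machine, so an escrow service of this kind should retain the previous entry rather than overwrite it.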