Educause Security Discussion mailing list archives
Re: Non-administrator advantages / disadvantages
From: Chuck Braden <j-braden () TAMU EDU>
Date: Sat, 1 Dec 2012 16:32:53 +0000
Chuck Braden <j-braden () tamu edu> wrote:

I see both sides of this issue. However, I am not sure what poses the bigger risk. In this age, users (especially higher ed users that should be able to understand the 'EDUCATION' part) can't just be passive participants - they have to have some basic awareness of how to maintain the tools they need to perform their job just like anyone else. Organizations should have a continual training program in place that raises awareness about the most basic responsibilities that accompany use. That being good email/password practices, routine software updates, installation of properly licensed software that is necessary to perform a business function, and holding these individuals accountable when they get it wrong.

Do all faculty/staff need admin access? No, probably not. Some might require it due to the accessibility/availability of support staff, while other institutions might be able to rely on WSUS and group policies, which should reset any changes in local policies that potentially were altered by the local admin account anyway.

Most malware can still infect limited accounts now. Yes, the impact is less and cleanup is usually less involved. But not providing admin is no longer the benefit it used to be.

I see some value in not having a user logged in as admin at all times, which also aligns with least privilege guidelines. However, I recognize the issue with having a limited account for general access and an admin account for software updates (and the less than ideal unique password selection that could be a side effect). As for myself, my general limited ID is the only one that is defined in Active Directory, so I can't effectively accomplish my job (no drive mapping to server storage) when logged in as admin. While I acknowledge that has some drawbacks with the management of the password expiration of the local account from Active Directory, as the group policy is setting the global password expiration and complexity/length for all accounts on the workstation, the admin account is not likely to be ignored. And as I understand it, there are now tools to manage passwords on local workstation accounts, but I don't have any personal experience with them.

For my needs/use, I believe my implementation provides the benefits of both environments. But, YMMV.

Geoffrey Steven Nathan <geoffnathan () WAYNE EDU> wrote: