Re: [External Sender] [SECURITY] Restricting PC Admin Rights

[Frank Barton <bartonf () HUSSON EDU>]

We have been fluctuating around various points of "no local admin
privileges" for a while. with more and less strict requirements for
exceptions.

One note that I would make for those of you that are in the process of
removing local admin privileges is to make sure that you have a very robust
remote support system that allows your support techs to elevate, even if
the machine is off-campus. All too often people will go to a conference for
whatever, and need to install specific software, or a new update to
software while at the conference in order for them to be able to fully
participate.

We actually have two systems in place for just that occurrence: 1) our
remote support system allows us to pre-install a service that can be
remotely elevated (GoToAssist), so that we can remotely assist users. 2) we
have an on-campus password vault that automatically changes passwords on
all university systems every 30 days (or more frequently if manually
triggered) so that if (1) fails, we can give them the administrator
password, trigger the reset, and as soon as the computer returns to campus,
it is reset.

Now, that being said, I fully support removing local administrative
privileges, and managing by exception in those cases where there is a
documented need (laboratory hardware jumps to mind as something that has
been problematic) Removing local admin privileges has saved us a lot of
work on more than one occasion when faculty and staff have downloaded
dubious applications, or been hit with various social engineering attacks.

Frank

On Mon, Aug 13, 2018 at 12:02 PM, Davis, Chris <CDavis () lourdes edu> wrote:

> For such an easy security measure, this always creates havoc.  On the IT
> side of things, so many things can be prevented with a least privilege
> model.  However, from the other side of the house, we always meet huge
> resistance because we are “taking away admin rights” from our users.
>
> People feel like we don’t trust them.  And from a certain point of view
> that is right.  In the security world, we should not trust anyone.  But at
> the same time, the people I really don’t trust are those that are targeting
> our employees.  So, this is measure that gives some quick security at no
> cost, other than a change in the way our users do things.
>
> I will be watching this thread closely.
>
> Chris
>
>
>
> *Christopher Davis, Ph.D.*
> Chief Information Officer
> Assistant Professor of Education
> Apple Teacher
> Lourdes University
> 6832 Convent Blvd
> <https://maps.google.com/?q=6832+Convent+Blvd&entry=gmail&source=g> | REH
> 003P | Sylvania, OH 43560
> cdavis () lourdes edu
>
> *CyberAware – Be aware. Stay Secure!*
> Lourdes University will never ask you to send sensitive information
> through unsecure channels. Report any message that asks you to provide
> or confirm personal information such as credit card and/or bank
> account numbers, Social Security numbers, passwords, etc. or any
> other suspicious activity to infosec () lourdes edu. For more information
> please visit lourdes.edu/cyberaware.
>
> *CONFIDENTIALITY NOTICE: *The contents of this email message and any
> attachments are intended solely for the addressee(s) and may
> contain confidential and/or privileged information and may be
> legally protected from disclosure. If you are not the intended recipient of
> this message or their agent, or if this message has been addressed to
> you in error, please immediately alert the sender by reply email and then
> delete this message and any attachments. If you are not the intended
> recipient, you are hereby notified that any use, dissemination, copying, or
> storage of this message or its attachments is strictly prohibited.
>
> On Aug 13, 2018, at 11:06 AM, Pardonek, Jim <jpardonek () LUC EDU> wrote:
>
> Not sure if there is somewhere else I can get this info, I’m sure it’s
> been asked before, but I am checking to see how many of your institutions
> restrict admin rights.  We are putting a proposal together to leadership to
> do exactly that as we have had a number of folks fall for scams that
> involve the installation of software on their PCs.
>
> Thanks,
>
>
> *James Pardonek, MS, CISSP, CEH, GSNA*
> *Information Security Officer*
>
>
> * Loyola University Chicago  1032 W. Sheridan Road | Chicago, IL
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL+60660&entry=gmail&source=g>  60660
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL+60660&entry=gmail&source=g>
> *
> * (**: (773) 508-6086 <(773)%20508-6086>*
>
> *Loyola University Chicago will never ask you for your username or
> password.*
> *For the lastest information security news at Loyola, please follow us
> online,*
> *Twitter: @LUCUISO*
> *Facebook: https://www.facebook.com/lucuiso/
> <https://www.facebook.com/lucuiso/>*
> *Our Blog http://blogs.luc.edu/uiso/ <http://blogs.luc.edu/uiso/>*


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University