Educause Security Discussion mailing list archives

Re: Restricting PC Admin Rights


From: "Simanovich, Roman" <rsimanovich () USJ EDU>
Date: Mon, 13 Aug 2018 15:15:26 +0000

Hi Jim,

Here is the information I have compiled regarding local administrator privileges and have sent to my senior managers. I 
am not in charge of making the decisions but try to ensure whoever is in charge of making the decision understands the 
repercussions.

Local Admin Rights - These are the permissions associated with having local admin privileges
Install/Uninstall Software (Legitimate, Unauthorized, Unlicensed, Malware)
Execute programs with local admin rights (malware, legacy applications)
Modify system settings/services
Disable/modify system security features/settings (Logging, Encryption, Endpoint Protection)
Access/Modify/Delete all files stored on local system
Communicate directly with Active Directory

There are three fundamental objectives in information security: Confidentiality, Integrity, and Availability (CIA). If 
end-users with Local Admin Privileges are allowed to make major administrative changes to their computers, then we 
cannot guarantee the integrity of their systems which then means that we cannot guarantee the integrity of our internal 
network to which these systems connect. This is a domino effect which leads eventually to the integrity of all 
information assets stored and transmitted throughout our network.

In security there exists a principle of least privilege, meaning users should only have the minimum permissions 
required to be able to complete their job responsibilities. This is not only a best practice but is also a fundamental 
requirement of every compliance framework. The following questions are what we should be asking to identify whether 
users require local admin privileges. There will be some users who do require local admin privileges either to run 
legacy software or because it is required for them to complete their job responsibilities, so there should be an 
exceptions process created to account for this.

Questions - These are the questions the decision maker needs to answer to decide whether to limit local admin 
privileges.

Do users need the ability to install/remove software (authorized/unauthorized/unlicensed/malware)?

Do users need the ability to execute programs with admin privileges (legacy applications/malware)?

Do users need the ability to modify system security settings (logging/encryption/screen locking)?

Should users have permissions to disable windows/application updates?

Should users have permissions to disable endpoint protection?

Should users have permissions to access data of other users on shared systems?


Thank you,
Roman

Roman Simanovich
Information Security Specialist
University of Saint Joseph
1678 Asylum Avenue
West Hartford, CT 06117
860-231-5374

Emails from USJ IT employees will always come from an @usj.edu email address and contain a signature that includes 
contact information.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Monday, August 13, 2018 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Restricting PC Admin Rights

Not sure if there is somewhere else I can get this info, I'm sure it's been asked before, but I am checking to see how 
many of your institutions restrict admin rights.  We are putting a proposal together to leadership to do exactly that 
as we have had a number of folks fall for scams that involve the installation of software on their PCs.

Thanks,


James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

*: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

