Educause Security Discussion mailing list archives
Re: Restricting PC Admin Rights
From: "Simanovich, Roman" <rsimanovich () USJ EDU>
Date: Mon, 13 Aug 2018 15:15:26 +0000
Hi Jim, Here is the information I have compiled regarding local administrator privileges and have sent to my senior managers. I am not in charge of making the decisions but try to ensure whoever is in charge of making the decision understands the repercussions. Local Admin Rights - These are the permissions associated with having local admin privileges Install/Uninstall Software (Legitimate, Unauthorized, Unlicensed, Malware) Execute programs with local admin rights (malware, legacy applications) Modify system settings/services Disable/modify system security features/settings (Logging, Encryption, Endpoint Protection) Access/Modify/Delete all files stored on local system Communicate directly with Active Directory There are three fundamental objectives in information security, Confidentiality, Integrity, and Availability (CIA). If end-users with Local Admin Privileges are allowed to make major administrative changes to their computers, then we cannot guarantee the integrity of their systems which then means that we cannot guarantee the integrity of our internal network to which these systems connect to. This is a domino effect which leads eventually to the integrity of all information assets stored and transmitted throughout our network. In security there exists a principle of least privilege, meaning users should only have the minimum permissions required to be able to complete their job responsibilities. This is not only a best practice but is also a fundamental requirement of every compliance framework. The following questions are what we should be asking to identify whether users require local admin privileges. There will be some users who do require local admin privileges either to run legacy software or because it is required for them to complete their job responsibilities, so there should be an exceptions process created to account for this. Questions - These are the questions the decision maker needs to answer to decide whether to limit local admin privileges. Do users need ability to install/remove software (authorize/unauthorized/unlicensed/malware)? Do users need ability to execute programs with admin privileges (legacy applications/malware)? Do users need ability to modify system security settings(logging/encryption /screen locking)? Should users have permissions to disable windows/application updates? Should users have permissions to disable endpoint protection? Should users have permissions to access data of other users on shared systems? Thank you, Roman Roman Simanovich Information Security Specialist University of Saint Joseph 1678 Asylum Avenue West Hartford, CT 06117 860-231-5374 [USJ_logo-stacked-fullC-RGB] Emails from USJ IT employees will always come from an @usj.edu email address and contain a signature that includes contact information. From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim Sent: Monday, August 13, 2018 11:06 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Restricting PC Admin Rights Not sure if there is somewhere else I can get this info, I'm sure it's been asked before, but I am checking to see how many of your institutions restrict admin rights. We are putting a proposal together to leadership to do exactly that as we have had a number of folks fall for scams that involve the installation of software on their PCs. Thanks, James Pardonek, MS, CISSP, CEH, GSNA Information Security Officer Loyola University Chicago 1032 W. Sheridan Road | Chicago, IL 60660 *: (773) 508-6086 Loyola University Chicago will never ask you for your username or password. For the lastest information security news at Loyola, please follow us online, Twitter: @LUCUISO Facebook: https://www.facebook.com/lucuiso/ Our Blog http://blogs.luc.edu/uiso/
Current thread:
- Re: Restricting PC Admin Rights, (continued)
- Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)
- Re: Restricting PC Admin Rights Andrew Chiarello (Aug 13)
- Re: Restricting PC Admin Rights Gregory Keane (Aug 13)
- Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)
- Re: Restricting PC Admin Rights McHugh, Susan (Aug 13)
- Re: Restricting PC Admin Rights Jack Barrett (Aug 13)
- Re: Restricting PC Admin Rights Kevin Ledbetter (Aug 13)
- Re: Restricting PC Admin Rights Gregg, Christopher S. (Aug 14)
- Re: Restricting PC Admin Rights Alex Lindstrom (Aug 14)
- Re: Restricting PC Admin Rights Ronald King (Aug 20)
- Re: [External Sender] [SECURITY] Restricting PC Admin Rights Frank Barton (Aug 13)
- Message not available
- Re: Restricting PC Admin Rights Richard Gould (Aug 13)
- Re: Restricting PC Admin Rights Frank Barton (Aug 13)
- Re: Restricting PC Admin Rights Frank Barton (Aug 13)