Educause Security Discussion mailing list archives

Re: Restricting PC Admin Rights


From: Gregory Keane <gkeane () UDEL EDU>
Date: Mon, 13 Aug 2018 11:44:07 -0400

Jim,
Here's a shot at gathering some stats from last year.
https://er.educause.edu/articles/2018/2/reclaiming-the-keys-to-the-kingdom-examining-end-user-administrator-rights-in-higher-education


On Mon, Aug 13, 2018 at 11:33 AM Andrew Chiarello <achiarello () brynmawr edu>
wrote:

Thanks, Robert - I'll include that in my next proposal to make this
change. It's not that I disagree in principle, but I've not had a lot of
success convincing my administration it's a necessary change.


Andrew J. Chiarello

Lead Engineer, Infrastructure & Systems

Bryn Mawr College

achiarello () brynmawr edu

(610) 526-7966
------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. <
bartonrt () LEWISU EDU>
*Sent:* Monday, August 13, 2018 11:15:07 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Restricting PC Admin Rights


Just a couple of things to think about.

- When we received an outside review, local admin rights for all
logins were a “failing score”.  If audited for PCI, we would fail.

- If you adhere to a policy of least privilege, this would be a
break from that policy.

- Here is an article about it,
https://searchenterprisedesktop.techtarget.com/opinion/Why-you-should-remove-local-administrator-rights-once-and-for-all



Robert W. Barton

Director of Information Security

Lewis University

One University Parkway

Romeoville, IL  60446-2200

815-836-5663



*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Andrew Chiarello
*Sent:* Monday, August 13, 2018 10:08 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Restricting PC Admin Rights



We do not restrict admin rights (and all proposals to do so have been
squelched before getting very far).



Andrew J. Chiarello

Lead Engineer, Infrastructure & Systems

Bryn Mawr College

achiarello () brynmawr edu

(610) 526-7966
------------------------------

*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Pardonek, Jim <
jpardonek () LUC EDU>
*Sent:* Monday, August 13, 2018 11:06:29 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Restricting PC Admin Rights



Not sure if there is somewhere else I can get this info, I’m sure it’s
been asked before, but I am checking to see how many of your institutions
restrict admin rights.  We are putting a proposal together to leadership to
do exactly that as we have had a number of folks fall for scams that
involve the installation of software on their PCs.



Thanks,





*James Pardonek, MS, CISSP, CEH, GSNA*

*Information Security Officer*


*Loyola University Chicago | 1032 W. Sheridan Road | Chicago, IL  60660*
*(773) 508-6086*



*Loyola University Chicago will never ask you for your username or
password.*

*For the latest information security news at Loyola, please follow us
online,*

*Twitter: @LUCUISO*

*Facebook: https://www.facebook.com/lucuiso/*

*Our Blog http://blogs.luc.edu/uiso/*






-- 
Greg Keane, CISSP
College of Agriculture and Natural Resources
(302)831-0867
canr.udel.edu
