Educause Security Discussion mailing list archives
Re: Updated criteria for allowing local admin privileges on workstations
From: Judith Tabron <judith.tabron () GMAIL COM>
Date: Thu, 27 Feb 2020 11:02:54 -0500
I think Robert's policy is a good one, Jim, but I'd also say you're on the right track if you want to more fully leverage management tools to segment out machines that are not centrally managed. JAMF and InTune (I know something about JAMF, nothing about InTune) might help you a bit, but you also might want to put such users in their own Active Directory group for different GPO management, and/or their own network.

I've had use cases where a researcher needs to use special software (especially software that won't run unless it's root, ugh), but plenty of those users don't have the technical wherewithal to manage their machine to central office's standards. Finding a way to let them do what they have to do while minimizing danger to the rest of the users/network and providing them with a level of support that's in between fully-managed and hands-off is necessary, I think.

Rooting for you,
Judith

On Wed, Feb 26, 2020 at 4:57 PM Robert Berlinger <Robert.Berlinger () cuny edu> wrote:
Hi Jim,

I wrote a policy to put some structure around local admin approvals that you might find helpful:

https://www.cuny.edu/wp-content/uploads/sites/4/page-assets/about/administration/offices/cis/information-security/security-policies-procedures/Local-Administrative-Privileges-2018-12-12.pdf

*Robert N. Berlinger, CISSP*
Chief Information Security Officer
City University Of New York
security.cuny.edu

*From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Jim A. Bole
*Sent:* Wednesday, February 26, 2020 4:18 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Updated criteria for allowing local admin privileges on workstations

We’re reviewing what valid use cases there might be for giving someone local admin privileges on their workstation (PC or Mac). Currently we default to no admin rights. On Macs we are running Mojave and have just started using Jamf Pro. On PCs we are at Win10 and just starting to deploy InTune. I don’t think we haven’t fully leveraged these tools’ capabilities to allow users more flexibility with self-service apps, etc.

I’m curious what typical cases folks are seeing for various groups of users (faculty, staff, etc.) that would require giving users full admin privileges.

I did run across this thread from 2018: http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808

Thanks.

Jim Bole
Director of Information Security
*Stevenson University*
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community