Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Local Admin Access
From: John Ramsey <000001cd0b5a1098-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 7 Apr 2021 18:42:46 +0000
We are similar but with a couple variations and technical controls added.

* Use LAPS to replace all built in admin accounts.
* Implemented Least Privilege and removed all local admin accounts. For those with approved business needs (and that is only our Infrastructure and Cybersecurity teams), we create a second "a"/admin account.
* Through Azure, we enforce an MFA conditional access policy that requires MFA for all admin accounts EVERY time they are used.
* Turned on another conditional access policy for "risky sign ins" where an admin account is denied access if the risk is Medium or High.
* We implemented MS Credential Guard to minimize credential loss on endpoints.
* We enforce a GPO to wipe out any local admin accounts that might have been added via unauthorized mechanisms or permissions.
* Not implemented but about to be: we have a Rules of Behavior attestation that we're having admins sign on what they can/can't do. We already have one in place for users and for remote work. This new one will be for admins.

John

John Ramsey, Chief Information Security Officer
National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220
Herndon, VA 20171
703.742.4428 | studentclearinghouse.org <http://www.studentclearinghouse.org>
Serving Education Since 1993

This message is proprietary to the National Student Clearinghouse, is intended only for the addressee and may contain confidential or privileged information. If you receive this message in error, please contact the sender and delete all copies.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Ledbetter
Sent: Wednesday, April 7, 2021 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] [SECURITY] Local Admin Access

EXTERNAL MESSAGE

The method Chris Gregg explained is exactly how we do things.

Kevin

On Wed, Apr 7, 2021 at 1:24 PM Gregg, Christopher S. <csgregg () stthomas edu> wrote:

We default to not providing admin access. Where possible we use LAPS for short, one-off needs. If a user makes a business case for long term admin access, we grant the access through a second account so the user is not logged in with an account with admin privileges while doing routine work.

Thanks,
Chris

Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emilie Kunze
Sent: Wednesday, April 7, 2021 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Local Admin Access

We are curious how other institutions handle local admin access for faculty/staff?

Thank you,
Emilie

Emilie Kunze
IT Security Analyst Sr.
Acting Information Security Officer
Office of Information Technology
ekunze () austincc edu | o 512-223-1157
ACC Information Security

CONFIDENTIAL NOTICE
This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to which it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and destroy all copies of the original message.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Kevin Ledbetter
Systems Security Administrator
Office of Information Technology
1700 Chapel Drive
Valparaiso, IN 46383
219.464.6191
Staff Employee Advocacy Council
Kevin.Ledbetter () valpo edu

Current thread:
- Local Admin Access Emilie Kunze (Apr 07)
- Re: Local Admin Access Spiars, Vince (Apr 07)
- Re: Local Admin Access Shahra Meshkaty (Apr 07)
- Re: Local Admin Access Frank Barton (Apr 07)
- Re: Local Admin Access Curt Kappenman (Apr 07)
- Re: Local Admin Access Andy Leffler (Apr 07)
- Re: Local Admin Access Scott Stoops (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Gregg, Christopher S. (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Andy Leffler (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Kevin Ledbetter (Apr 07)
- Re: [External] [SECURITY] Local Admin Access John Ramsey (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Rich Graves (Apr 07)
- Re: Local Admin Access Madl, Michael (May 09)
- Re: Local Admin Access Clark Gaylord (May 09)
- Message not available
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: Local Admin Access Lovaas,Steven (May 14)
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: Local Admin Access Spiars, Vince (Apr 07)
- Re: Local Admin Access Steven Alexander (May 14)
- Re: Local Admin Access Henry Wojteczko (May 16)