Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Local Admin Access
From: Rich Graves <rcgraves () GMAIL COM>
Date: Wed, 7 Apr 2021 13:43:14 -0500
I think I’ve seen this same admin password discussion before. It’s like déjà vu all over again.

Yeah, under no circumstances should there be any sort of global shared admin password on end user workstations, especially not one with remote login rights.

10 or so years ago, I struck the balance of letting people have a secondary local (not domain) no-remote-login-allowed, no-outbound-network-access password for admin elevation, which we recommended reusing as a pre-boot BitLocker pin, so they only need to remember two. Threat modeling at the time said this was ok.

Now, with hardware and user expectations arguing against pre-boot pins and this xkcd cartoon https://xkcd.com/1200/, I am actually more OK with letting users have admin rights. Provided, and this is very important, that you have some sort of auditing of especially software installation and execution. This could be as simple as native publish/subscribe AppLocker allow/deny and/or process accounting events, which we started feeding into our SIEM like 10 years ago or whatever. If you have the budget and the threat level, a “real” EDR is cool. Just make sure that you audit the audit system, because EDR can be used to run arbitrary code!

A very solid application distribution system and application streaming and so on may obviate the need for admin rights, but dream on.