Educause Security Discussion mailing list archives
Re: Local Admin Rights
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 15 Mar 2005 10:41:33 -0500
Brian Fetcie wrote:
> Good morning...
>
> On our campus, when a computer is configured for a faculty or staff member the user's account is set up as a local admin. Needless to say that this has caused a great deal of grief in the fight against viruses and spyware. We have a number of users who feel that the computer is theirs to do with as they wish, irrelevant of what the asset tag may say.
>
> In the previous semester, our campus was hit with a major IRCbot infection. Our lab PCs, which we tightly control, came through essentially unscathed. Our faculty and staff PCs were clobbered.
>
> We are preparing a policy to remove local admin privs from the faculty and staff members. The primary justification being an attempt to lessen our vulnerability.
>
> I'm curious as to what other campuses are doing in regards to this issue. How did you handle the politics (i.e. the power user, or even average user, who are convinced they must have admin privs)? I'm interested in any experiences, the good, the bad and the ugly.
>
> Thank you in advance.

We're looking at that now and haven't come up with any global solution but I have a few strong opinions. :)

1. This is not an IT problem. This is an organizational management problem. A solution must be bought at the top and then "users (i.e. employees-gf) who feel that the computer is theirs to do with as they wish" need to get an attitude adjustment. The desktop is an integral part of the information infrastructure and should and must be maintained as such. The whole idea of a personal computer in a work environment was out of date by the late 1980s and we should adjust our policies, procedures, and expectations accordingly. That is not to say that exceptions will not be necessary but I'll bet those cases will be in the single digits percentage wise. In the meantime, 90+ percent of the desktop resident/accessible information infrastructure is put at reduced risk.

2. An 80% transition solution would be to make desktop management a marketed service. Sell it on the basis of stability, security, ease of use (less manual updating), etc. You could also throw free software and/or hardware upgrades into the mix to make it even more attractive. Some departments would buy in right away. Some departments would be bought in by their department heads. Proceeding this way provides advantages:

   a. It lets the management and support procedures and infrastructure be tested on a smaller population.

   b. It has immediate reward in that some desktops will immediately be managed without too big a political battle.

   c. Over time, comparative data about problems (both pro and con) and incidents in the unmanaged and managed areas can be shown to senior management. They then can make a decision based on risk and benefits.

3. A lot of technical problems can be solved by training. RunAs and ACLs can solve many rights problems.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.