Educause Security Discussion mailing list archives

Re: Local Admin Rights


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 15 Mar 2005 10:41:33 -0500

Brian Fetcie wrote:
Good morning...

On our campus, when a computer is configured for a faculty or staff
member the user's account is set up as a local admin.  Needless to say
that this has caused a great deal of grief in the fight against viruses
and spyware. We have a number of users who feel that the computer is
theirs to do with as they wish, irrelevant of what the asset tag may
say. In the previous semester, our campus was hit with a major IRCbot
infection. Our lab PCs, which we tightly control, came through
essentially unscathed. Our faculty and staff PCs were clobbered.
We are preparing a policy to remove local admin privs from the faculty
and staff members. The primary justification being an attempt to lessen
our vulnerability. I'm curious as to what other campuses are doing in
regards to this issue.
How did you handle the politics (i.e. the power user, or even average
user, who are convinced they must have admin privs)?
I'm interested in any experiences, the good, the bad and the ugly.
Thank you in advance.


We're looking at that now and haven't come up with any
global solution but I have a few strong opinions. :)

1. This is not an IT problem. This is an organizational management
   problem. A solution must be bought at the top and then "users
   (i.e. employees-gf) who feel that the computer is theirs to do
   with as they wish" need to get an attitude adjustment.

   The desktop is an integral part of the information
   infrastructure and should and must be maintained as such.
   The whole idea of a personal computer in a work environment was
   out of date by the late 1980s and we should adjust our policies,
   procedures, and expectations accordingly.

   That is not to say that exceptions will not be necessary but
   I'll bet those cases will be in the single digits percentage-wise.
   In the meantime, 90+ percent of the desktop
   resident/accessible information infrastructure is put at
   reduced risk.

2. An 80% transition solution would be to make desktop management
   a marketed service. Sell it on the basis of stability, security,
   ease of use (less manual updating), etc. You could also throw
   free software and/or hardware upgrades into the mix to make
   it even more attractive. Some departments would buy in right
   away. Some departments would be bought in by their department
   heads.

   Proceeding this way provides advantages:

   a. It lets the management and support procedures and
      infrastructure be tested on a smaller population.

   b. It has immediate reward in that some desktops will
      immediately be managed without too big a political
      battle.

   c. Over time, comparative data about problems (both pro
      and con) and incidents in the unmanaged and managed
      areas can be shown to senior management. They then can
      make a decision based on risk and benefits.

3. A lot of technical problems can be solved by training. RunAs
   and ACLs can solve many rights problems.

--
Gary Flynn
Security Engineer
James Madison University
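Point 3 above, made concrete as an added example (not part of Gary's post): the two usual reasons a standard user "needs" local admin are a legacy application that writes into its own install folder, and the occasional install that genuinely requires elevation. The folder, group and account names below are hypothetical placeholders.

```powershell
# Added example, not from the original post. Hypothetical names throughout:
# a legacy app that writes to its install folder, and a domain group that
# holds the faculty/staff workstation users.
$AppDir    = 'C:\Program Files\LegacyApp\Data'      # hypothetical folder
$UserGroup = 'CAMPUS\FacultyWorkstationUsers'        # hypothetical group

# 1. ACL fix: grant the users' group Modify on the data folder only,
#    inherited by subfolders (CI) and files (OI). The rest of the
#    install tree stays writable by administrators only, so the user
#    keeps working without being a local admin.
icacls $AppDir /grant "${UserGroup}:(OI)(CI)M"

# Verify the grant landed where intended and nowhere else.
(Get-Acl $AppDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $UserGroup } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags

# 2. RunAs: a technician performs the one-off install under a separate
#    privileged account while the faculty member stays logged on as a
#    standard user. runas prompts for that account's password.
runas /user:CAMPUS\ws-admin "msiexec /i C:\Temp\LegacyApp.msi"
```

Run the icacls step once per affected application during rollout; anything that still fails afterward is a candidate for the small exceptions list rather than a reason to hand back admin rights.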

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
