Educause Security Discussion mailing list archives
Re: Local Admin Rights
From: Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>
Date: Tue, 15 Mar 2005 15:11:41 -0500
Brian- (all)

We addressed this problem in two ways when migrating from Windows 2000 to XP. Our solution was not OS specific; it was just a convenient time to introduce the new policy along with XP.

Our first step was to give the faculty/staff member a "PowerUser+" local account on their machine. Basically this is the standard Windows PowerUser account security profile with the following added rights:

Member of "Backup Operator" group
Member of "Network Config" group

These extra group permissions allow a PowerUser to back up their system and change network config settings on a laptop when roaming between campus and home wireless networks, for example. The permissions also allow the user to install additional software on the machine (nothing that required Admin rights or runs as a service) so that's a caveat for those wishing to truly lock down the machine. Our goal with the PowerUser+ account was to allow our faculty/staff to do most of the non-Admin stuff that they needed or wanted to do without IT intervention.

The second step was the creation of an "Admin Rights SLA" document that all users wishing to have full Admin rights must sign. The SLA basically absolves IT or the local tech support team from having to provide the same level of troubleshooting and repair service as we do to users without Admin rights. The SLA was put together as a collaborative effort between central IT and the distributed technical support staff of the various colleges.

If anyone would like a copy of our Admin Rights SLA, please contact me off-list.

Regards,

Jeff Giacobbe
Director of Systems, Security, Networking
Montclair State University

Brian Fetcie wrote:
Good morning...

On our campus, when a computer is configured for a faculty or staff member the user's account is set up as a local admin. Needless to say that this has caused a great deal of grief in the fight against viruses and spyware. We have a number of users who feel that the computer is theirs to do with as they wish, irrelevant of what the asset tag may say.

In the previous semester, our campus was hit with a major IRCbot infection. Our lab PCs, which we tightly control, came through essentially unscathed. Our faculty and staff PCs were clobbered.

We are preparing a policy to remove local admin privs from the faculty and staff members. The primary justification being an attempt to lessen our vulnerability.

I'm curious as to what other campuses are doing in regards to this issue. How did you handle the politics (i.e. the power user, or even average user, who are convinced they must have admin privs)? I'm interested in any experiences, the good, the bad and the ugly.

Thank you in advance.

Brian

--
------------------------------
Brian Fetcie
Systems/Security Administrator
--------------------------
SUNY Canton
34 Cornell Drive
Canton, NY 13617
--------------------------
fetcieb () canton edu
------------------------------

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
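An added example, not part of the original message or Montclair's own tooling: a PowerShell audit of whether a local account matches the "PowerUser+" profile described above (Power Users plus the two extra groups, and no membership in Administrators). It assumes the post's "Backup Operator" and "Network Config" groups are the built-in Backup Operators and Network Configuration Operators groups, and that `Get-LocalGroupMember` (Windows PowerShell 5.1 or later) is available; the computer and account names are constructed.

```powershell
# Added example: audit a local account against the "PowerUser+" profile.
# Group names are the built-in Windows local groups (assumed mapping from the post).
$Required  = 'Power Users', 'Backup Operators', 'Network Configuration Operators'
$Forbidden = 'Administrators'

function Get-GroupMembership {
    # Returns a hashtable: group name -> direct member names (COMPUTER\user form).
    param([string[]]$Groups)
    $map = @{}
    foreach ($g in $Groups) {
        $map[$g] = @(Get-LocalGroupMember -Group $g -ErrorAction Stop |
                     ForEach-Object { $_.Name })
    }
    return $map
}

function Test-PowerUserPlus {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'PC01\jdoe' (constructed)
        # Defaults to the live machine; pass a hashtable to audit exported data.
        [hashtable]$Membership = (Get-GroupMembership ($Required + $Forbidden))
    )
    # Required groups the account is not in, and admin groups it should not be in.
    $missing = @($Required  | Where-Object { $Membership[$_] -notcontains $Account })
    $extra   = @($Forbidden | Where-Object { $Membership[$_] -contains    $Account })
    [pscustomobject]@{
        Account       = $Account
        MissingGroups = $missing
        AdminGroups   = $extra
        Compliant     = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Constructed sample membership (not real data), so the check runs offline.
$sample = @{
    'Power Users'                     = @('PC01\jdoe', 'PC01\asmith')
    'Backup Operators'                = @('PC01\jdoe')
    'Network Configuration Operators' = @('PC01\jdoe')
    'Administrators'                  = @('PC01\Administrator', 'PC01\asmith')
}
'PC01\jdoe', 'PC01\asmith' |
    ForEach-Object { Test-PowerUserPlus -Account $_ -Membership $sample }
```

With the sample data, `PC01\jdoe` is reported compliant and `PC01\asmith` is flagged as missing two groups and still holding Administrators. Only direct membership is checked; an account that reaches Administrators through a nested domain group is not detected.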
Current thread:
- Local Admin Rights Brian Fetcie (Mar 15)
- <Possible follow-ups>
- Re: Local Admin Rights Jacobson, James (Mar 15)
- Re: Local Admin Rights Michelle Mueller (Mar 15)
- Re: Local Admin Rights Gary Flynn (Mar 15)
- Re: Local Admin Rights Matt Kirchhoff (Mar 15)
- Re: Local Admin Rights Brian Fetcie (Mar 15)
- Re: Local Admin Rights Jeff Giacobbe (Mar 15)
- Re: Local Admin Rights Krulewitch, Sean (Mar 28)