Educause Security Discussion mailing list archives

Re: Local Admin Rights


From: Jeff Giacobbe <giacobbej () MAIL MONTCLAIR EDU>
Date: Tue, 15 Mar 2005 15:11:41 -0500

Brian-
(all)

We addressed this problem in two ways when migrating from Windows 2000
to XP. Our solution was not OS-specific; it was just a convenient time
to introduce the new policy along with XP.

Our first step was to give the faculty/staff member a "PowerUser+" local
account on their machine.  Basically this is the standard Windows
PowerUser account security profile with the following added rights:

  Member of "Backup Operator" group
  Member of "Network Config" group

These extra group permissions allow a PowerUser to back up their system
and change network config settings on a laptop when roaming between
campus and home wireless networks, for example. The permissions also
allow the user to install additional software on the machine (nothing
that requires Admin rights or runs as a service) so that's a caveat for
those wishing to truly lock down the machine. Our goal with the
PowerUser+ account was to allow our faculty/staff to do most of the
non-Admin stuff that they needed or wanted to do without IT intervention.

The second step was the creation of an "Admin Rights SLA" document that
all users wishing to have full Admin rights must sign.  The SLA
basically absolves IT or the local tech support team from having to
provide the same level of troubleshooting and repair service as we do to
users without Admin rights. The SLA was put together as a collaborative
effort between central IT and the distributed technical support staff of
the various colleges.

If anyone would like a copy of our Admin Rights SLA, please contact me
off-list.

Regards,

Jeff Giacobbe
Director of Systems, Security, Networking
Montclair State University


Brian Fetcie wrote:
Good morning...

On our campus, when a computer is configured for a faculty or staff
member the user's account is set up as a local admin.  Needless to say
that this has caused a great deal of grief in the fight against viruses
and spyware. We have a number of users who feel that the computer is
theirs to do with as they wish, irrelevant of what the asset tag may
say. In the previous semester, our campus was hit with a major IRCbot
infection. Our lab PCs, which we tightly control, came through
essentially unscathed. Our faculty and staff PCs were clobbered.
We are preparing a policy to remove local admin privs from the faculty
and staff members. The primary justification being an attempt to lessen
our vulnerability. I'm curious as to what other campuses are doing in
regards to this issue.
How did you handle the politics (i.e. the power user, or even average
user, who are convinced they must have admin privs)?
I'm interested in any experiences, the good, the bad and the ugly.
Thank you in advance.

Brian

--
------------------------------
Brian Fetcie
Systems/Security Administrator
 --------------------------
SUNY Canton
34 Cornell Drive
Canton, NY 13617
 --------------------------
fetcieb () canton edu
------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
