Educause Security Discussion mailing list archives

Re: Windows Local Administrative Privileges


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 10 Apr 2006 08:54:05 +1200

Harold Winshel wrote:
At 10:49 AM 4/9/2006, you wrote:
At 10:37 -0400 04/09/2006, Harold Winshel wrote:
Let me reframe the question:  but, rather, are you better off with a
general policy where most users either can or cannot have admin
access.

I think most places are better off with not allowing Admin by default.

My experience is that a lot of users, if not most, want the
admin access.

That's partly a legacy of the fact that many Windows apps still
require Admin access even to run.

Agreed.

I would probably lean toward a policy where, by
default, the user does not have the admin and you then allow it on a
case basis (hopefully very few cases).

I think just about all of us would agree that's a good place to start
from a security perspective.  Being able to actually implement it depends
a lot on the environment.  For example, how decentralized is your support
infrastructure?  Do some departments/schools not even have local support
available?  Who's going to be in charge of handling the actual
Administrator accounts and passwords?  Do you need to set up actual domain
controllers and force everyone to log into the domain?  etc etc etc

Again, good point.  Let me be more specific.  In my scenario, it's an
environment where there is a facility for tech support (regardless of
whether it is centralized or not) infrastructure, but we still would
not want to automatically give out the admin account.  The fallout is
that users need to wait for us to respond when they want an
application installed.  The benefit is that we better control what is
running on the machines.





--
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
