Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Wed, 30 Jan 2008 15:10:04 -0600
Historically, there's been little (if any) control over local admin rights, though we have been promoting controls for sometime now. We've seen a move to more managed environments (e.g., no admin rights, scheduled tasks for updates, configured firewalls, etc.) by several schools and departments, but have a long way to go. Reasons for conversion vary: acceptance that admin rights are not always necessary, tired of fixing PCs that are "broken" by non-tech users, users are handling sensitive data, they are post-incident and want to minimize potential of another, realize the cost benefits of managed environment, attempting PCI compliance, response to audit findings, etc. Last year, I ran a panel discussion (4 participants from the managed environments) who touted the advantages - seem to lend credence to the arguments for managed environments as the audience was hearing it from their peers and not the security guy. And the panelists appeared to have taken on some elevated status as they had taken measures to better protect their environment. Since then, we've seen two more business units move in a managed direction. Generally, it remains a struggle but I'll take whatever progress/improvement comes our way. Lastly, I'm planning to hold another panel session in a few months, with 1-2 from the original session and a couple of recent converts. - Dave Dave Kovarik, ISS/C Northwestern University Office: (847) 467-5930 -----Original Message----- From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] Sent: Wednesday, January 30, 2008 11:15 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Windows local admin in a .edu environment I am looking for insight (pros and cons) on the issue of granting local admin rights to faculty and staff in a .edu setting. Let's assume that the staff and faculty have direct access to core administrative systems and portals like Sharepoint and Peoplesoft. I have never thought of this argument as subjective (am I just being anal?) but apparently I was wrong. I would love to hear the general consensus on this issue. I am especially interested in what others in .edu are doing. Thanks. ----- Paul Halliday
Current thread:
- Windows local admin in a .edu environment Halliday,Paul (Jan 30)
- <Possible follow-ups>
- Re: Windows local admin in a .edu environment David Kovarik (Jan 30)
- Re: Windows local admin in a .edu environment Hull, Dave (Jan 30)
- Re: Windows local admin in a .edu environment Frank T. Shylkofski (Jan 30)
- Re: Windows local admin in a .edu environment Eric Case (Jan 30)
- Re: Windows local admin in a .edu environment Halliday,Paul (Jan 31)
- Re: Windows local admin in a .edu environment Gary Flynn (Jan 31)
- Re: Windows local admin in a .edu environment Jim Dillon (Jan 31)
- Re: Windows local admin in a .edu environment Steven Alexander (Jan 31)
- Re: Windows local admin in a .edu environment Ozzie Paez (Jan 31)
- Re: Windows local admin in a .edu environment Curt Wilson (Jan 31)