Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: David Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Wed, 30 Jan 2008 15:10:04 -0600

Historically, there's been little (if any) control over local admin rights,
though we have been promoting controls for some time now.  We've seen a move
to more managed environments (e.g., no admin rights, scheduled tasks for
updates, configured firewalls, etc.) by several schools and departments, but
have a long way to go.  Reasons for conversion vary: acceptance that admin
rights are not always necessary, tired of fixing PCs that are "broken" by
non-tech users, users are handling sensitive data, they are post-incident
and want to minimize potential of another, realize the cost benefits of
managed environment, attempting PCI compliance, response to audit findings,
etc.
Last year, I ran a panel discussion (4 participants from the managed
environments) who touted the advantages - seem to lend credence to the
arguments for managed environments as the audience was hearing it from their
peers and not the security guy.  And the panelists appeared to have taken on
some elevated status as they had taken measures to better protect their
environment.  Since then, we've seen two more business units move in a
managed direction.  Generally, it remains a struggle but I'll take whatever
progress/improvement comes our way.   Lastly, I'm planning to hold another
panel session in a few months, with 1-2 from the original session and a
couple of recent converts.
- Dave

Dave Kovarik, ISS/C
Northwestern University
Office: (847) 467-5930

-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA]
Sent: Wednesday, January 30, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows local admin in a .edu environment

I am looking for insight (pros and cons) on the issue of granting local
admin rights to faculty and staff in a .edu setting. Let's assume that the
staff and faculty have direct access to core administrative systems and
portals like SharePoint and PeopleSoft.

I have never thought of this argument as subjective (am I just being
anal?) but apparently I was wrong. I would love to hear the general
consensus on this issue. I am especially interested in what others in .edu
are doing.

Thanks.

-----
Paul Halliday
