Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: "Hull, Dave" <dphull () KU EDU>
Date: Wed, 30 Jan 2008 16:09:04 -0600

I inherited a shop where the previous Director stripped Admin rights
from the users before I arrived. I've found a few holdouts, but for the
most part everyone runs as a regular user, not even power user. My staff
and I run as regular users, relying on Run As or logging out and logging
in as Admin when necessary.

We've had to use Sysinternals' Process Monitor to ferret out permissions
issues on registry keys and files for a few pieces of poorly designed
software, but for the most part things just work.

For less than a handful of people, I've created secondary accounts with
admin privileges and told them if they need to be admin, they can use
Run As or log out and log back in, but they should not run as admin on a
daily basis. I monitor their usage to make sure the admin use does not
become routine.

I have had some IT folks from other departments tell me that what we're
doing in our department doesn't scale up because they would have to
spend lots of time running around installing software for people. I've
found the opposite is true: I spend much less time putting out fires
caused by an ignorant user running as admin and so I have time to
actually provide assistance when it's needed.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI 
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax  785.864.5393
        
"The free world says that software is the embodiment of knowledge about
technology, which needs to be free in the same way that mathematics is
free."
-- Eben Moglen, Software Freedom Law Center
        
 

-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] 
Sent: Wednesday, January 30, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows local admin in a .edu environment

I am looking for insight (pros and cons) on the issue of granting
local admin rights to faculty and staff in a .edu setting. Let's
assume that the staff and faculty have direct access to core
administrative systems and portals like SharePoint and PeopleSoft.

I have never thought of this argument as subjective (am I just being
anal?) but apparently I was wrong. I would love to hear the general
consensus on this issue. I am especially interested in what others in
.edu are doing.

Thanks.

-----
Paul Halliday
