Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: "Hull, Dave" <dphull () KU EDU>
Date: Wed, 30 Jan 2008 16:09:04 -0600
I inherited a shop where the previous Director stripped Admin rights from the users before I arrived. I've found a few holdouts, but for the most part everyone runs as a regular user, not even power user. My staff and I run as regular users, relying on Run As or logging out and logging in as Admin when necessary. We've had to use Sysinternals' ProcessMonitor to ferret out permissions issues on registry keys and files for a few pieces of poorly designed software, but for the most part things just work.

For less than a handful of people, I've created secondary accounts with admin privileges and told them if they need to be admin, they can use Run As or log out and log back in, but they should not run as admin on a daily basis. I monitor their usage to make sure the admin use does not become routine.

I have had some IT folks from other departments tell me that what we're doing in our department doesn't scale up because they would have to spend lots of time running around installing software for people. I've found the opposite is true, I spend much less time putting out fires caused by an ignorant user running as admin and so I have time to actually provide assistance when it's needed.

--
Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI
Director of Technology
KU School of Architecture & Urban Planning
Tel. 785.864.2629
Fax 785.864.5393

"The free world says that software is the embodiment of knowledge about technology, which needs to be free in the same way that mathematics is free." -- Eben Moglen, Software Freedom Law Center

-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA]
Sent: Wednesday, January 30, 2008 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows local admin in a .edu environment

I am looking for insight (pros and cons) on the issue of granting local admin rights to faculty and staff in a .edu setting. Let's assume that the staff and faculty have direct access to core administrative systems and portals like Sharepoint and Peoplesoft.

I have never thought of this argument as subjective (am I just being anal?) but apparently I was wrong. I would love to hear the general consensus on this issue. I am especially interested in what others in .edu are doing.

Thanks.

-----
Paul Halliday