Re: Windows local admin in a .edu environment

["Frank T. Shylkofski" <frank.shylkofski () KEYSTONE EDU>]

Paul,
Here at Keystone College all domain users have only had Low Level User
Access since 2004.  We also have been doing what Dave describes below.
As he says, it may take some time for software setup but the lack of
other problems have been well worth it.  I would like to say that this
rule is never broken but we have had to break it from time to time on a
temporary basis due to poor software design.  

I personally have found Aaron Margosis' Non-Admin WebLog an excellent
resource for justification and and explanation of running computers as a
Low Level User.  Here is the link to his Blog:
http://blogs.msdn.com/aaron_margosis/default.aspx  
There are many posts that help with LUA justification but this is one of
my favorites:
http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx 

On Wed, 2008-01-30 at 16:09 -0600, Hull, Dave wrote:

> I inherited a shop where the previous Director stripped Admin rights
> from the users before I arrived. I've found a few holdouts, but for the
> most part everyone runs as a regular user, not even power user. My staff
> and I run as regular users, relying on Run As or logging out and logging
> in as Admin when necessary.
>
> We've had to use Sysinternals' ProcessMonitor to ferret out permissions
> issues on registry keys and files for a few pieces of poorly designed
> software, but for the most part things just work.
>
> For less than a handful of people, I've created secondary accounts with
> admin privileges and told them if they need to be admin, they can use
> Run As or log out and log back in, but they should not run as admin on a
> daily basis. I monitor their usage to make sure the admin use does not
> become routine.
>
> I have had some IT folks from other departments tell me that what we're
> doing in our department doesn't scale up because they would have to
> spend lots of time running around installing software for people. I've
> found the opposite is true, I spend much less time putting out fires
> caused by an ignorant user running as admin and so I have time to
> actually provide assistance when it's needed.
>
> --
> Dave Hull, CISSP, GCIH, GREM, SSP-MPA, CHFI 
> Director of Technology
> KU School of Architecture & Urban Planning
> Tel. 785.864.2629
> Fax  785.864.5393
>       
> "The free world says that software is the embodiment of knowledge about
> technology, which needs to be free in the same way that mathematics is
> free."
> -- Eben Moglen, Software Freedom Law Center
>       
>  
>
> -----Original Message-----
> From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] 
> Sent: Wednesday, January 30, 2008 11:15 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Windows local admin in a .edu environment
>
> I am looking for insight (pros and cons) on the issue of granting
> local admin rights to faculty and staff in a .edu setting. Let's
> assume that the staff and faculty have direct access to core
> administrative systems and portals like Sharepoint and Peoplesoft.
>
> I have never thought of this argument as subjective (am I just being
> anal?) but apparently I was wrong. I would love to hear the general
> consensus on this issue. I am especially interested in what others in
> .edu are doing.
>
> Thanks.
>
> -----
> Paul Halliday


________________________________________________________________________

Frank T. Shylkofski
Network Administrator

Keystone College
One College Green
La Plume, PA 18440

Attachment: signature.asc
Description: This is a digitally signed message part