Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Thu, 31 Jan 2008 11:20:24 -0400
Judging by the replies to this thread it still appears that this issue is quite subjective. I am having a hard time understanding why.

I love this statement and can relate to it:

"My point is, when you switch from supporting to managing the desktops it takes a different IT skill set."

But then I see something like (this email also went to security-basics () securityfocus com):

"Unfortunately in academic environments it is difficult not to give users administrative rights, however it is relatively simple to use group policies to limit the effect they can have on their machines"

Tailoring a group policy to mitigate the damage an administrative user can do requires a "skill set" but seems somewhat fruitless. Is this perhaps a ditch effort to work within unrealistic constraints and still be able to say "We tried"?

Off list input:

"Beyond all that, you place great liability on both yourself and your organization if you grant everyone admin rights. In a legal battle (at least from the year of Computer / technology law that I've studied) you could be held liable for actions taken against the system if things go south (bad student, disgruntled employee etc)"

So our Cons look something like this:

1) We have lost accountability.
2) We have significantly increased our exposure to localized threats.
3) We have made targeted attacks obvious and potentially devastating.

Could it also be said that the acceptance of this practice incurs an unacceptable level of risk that may violate our legal obligations?

Thanks for the input.

-----Original Message-----
From: Eric Case [mailto:ecase () EMAIL ARIZONA EDU]
Sent: Thursday, January 31, 2008 1:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment

At 04:09 PM 1/30/2008 -0600, Hull, Dave wrote:
I have had some IT folks from other departments tell me that what we're doing in our department doesn't scale up because they would have to spend lots of time running around installing software for people. I've found the opposite is true, I spend much less time putting out fires caused by an ignorant user running as admin and so I have time to actually provide assistance when it's needed.
In the spirit of full disclosure, I am a huge proponent of least privilege.

As Dave and others have stated, the investment in end user education will pay dividends in the areas of security and general IT management and maintenance. However, you might not expect the need to invest in your IT staff. That is what other IT departments mean when they say it "doesn't scale up because they would have to spend lots of time running around installing software for people." Their IT staff needs to learn to do many of those tasks remotely, even without remote desktop.

Do they have the skills to push software, patches, upgrades to a desktop without going to the desktop? (Remote desktop doesn't count.)

Do they have the tools, like psexec (they better, it's free), LANDesk, SMS, ZENworks, etc. to manage 80-100 desktops / help desk staff?

Do you have the patience to manage your end users' expectations? Take them from "I could have done it by now!" to "a four hour turnaround is ok."

My point is, when you switch from supporting to managing* the desktops it takes a different IT skill set.

-Eric

*You cannot manage users with admin access any more than you can herd cats (see <http://www.youtube.com/watch?v=Pk7yqlTMvp8> for more details).

Eric Case, CISSP <ecase () Arizona edu>
Information Security Officer
College of Engineering <http://www.Engr.Arizona.edu>
1127 E James E. Rogers Way Room 200
Tucson, AZ 85721-0020
Mobile Phone 520-275-6436