Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Thu, 31 Jan 2008 11:20:24 -0400

Judging by the replies to this thread, it still appears that this issue
is quite subjective. I am having a hard time understanding why.

I love this statement and can relate to it:

"My point is, when you switch from supporting to managing the desktops
it takes a different IT skill set."

But then I see something like (this email also went to
security-basics () securityfocus com):

"Unfortunately in academic environments it is difficult not to give
users administrative rights, however it is relatively simple to use
group policies to limit the effect they can have on their machines"

Tailoring a group policy to mitigate the damage an administrative user
can do requires a "skill set" but seems somewhat fruitless. Is this
perhaps a last-ditch effort to work within unrealistic constraints and
still be able to say "We tried"?

Off list input:

"Beyond all that, you place great liability on both yourself and your
organization if you grant everyone admin rights. In a legal battle (at
least from the year of Computer / technology law that I've studied) you
could be held liable for actions taken against the system if things go
south (bad student, disgruntled employee etc)"

So our cons look something like this:

1) We have lost accountability.

2) We have significantly increased our exposure to localized threats.

3) We have made targeted attacks obvious and potentially devastating.

Could it also be said that the acceptance of this practice incurs an
unacceptable level of risk that may violate our legal obligations?

Thanks for the input.

-----Original Message-----
From: Eric Case [mailto:ecase () EMAIL ARIZONA EDU] 
Sent: Thursday, January 31, 2008 1:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment

At 04:09 PM 1/30/2008 -0600, Hull, Dave wrote:
I have had some IT folks from other departments tell me that what we're
doing in our department doesn't scale up because they would have to
spend lots of time running around installing software for people. I've
found the opposite is true, I spend much less time putting out fires
caused by an ignorant user running as admin and so I have time to
actually provide assistance when it's needed.

In the spirit of full disclosure, I am a huge proponent of least
privilege.  As Dave and others have stated, the investment in end user
education will pay dividends in the areas of security and general IT
management and maintenance.  However, you might not expect the need
to invest in your IT staff.

That is what other IT departments mean when they say it "doesn't
scale up because they would have to spend lots of time running around
installing software for people."  Their IT staff needs to learn to do
many of those tasks remotely, even without remote desktop.  Do they
have the skills to push software, patches, upgrades to a desktop
without going to the desktop? (Remote desktop doesn't count.)  Do they
have the tools, like psexec (they better, it's free), LANDesk, SMS,
ZENworks, etc. to manage 80-100 desktops / help desk staff?  Do you
have the patience to manage your end users' expectations?  Take them
from "I could have done it by now!" to "a four hour turnaround is ok."

My point is, when you switch from supporting to managing* the 
desktops it takes a different IT skill set.
-Eric

*You cannot manage users with admin access any more than you can herd
cats (see <http://www.youtube.com/watch?v=Pk7yqlTMvp8> for more
details).



Eric Case, CISSP  <ecase () Arizona edu>
Information Security Officer
College of Engineering   <http://www.Engr.Arizona.edu>
1127 E James E. Rogers Way Room 200
Tucson, AZ 85721-0020
Mobile Phone 520-275-6436
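The two tasks Eric's message says IT staff must be able to do without walking to the desktop, finding out who actually holds local admin on each machine and pushing a software install remotely with psexec, look like this in PowerShell. This is an added example for this archive page, not code from either poster. The host list, the file-server share and the path to psexec.exe are constructed placeholders; the script assumes the account running it is a member of the local Administrators group on each target (the point of the thread is that staff have that membership and end users do not) and that PsExec from Sysinternals is present.

```powershell
# Audit local Administrators membership on a list of workstations and
# optionally push an MSI install through psexec, without remote desktop.
# Added example; host names, share and psexec path are assumptions.

$Computers   = @('LAB-PC-01', 'LAB-PC-02', 'LAB-PC-03')        # constructed list
$PsExecPath  = 'C:\Tools\PsExec.exe'                           # assumed location
$MsiPath     = '\\fileserver\software\app.msi'                 # assumed UNC path
$Expected    = @('Administrator', 'Domain Admins', 'Desktop-Support')  # assumed allow-list

# Enumerate members of a remote local group over the ADSI WinNT provider.
# Returns one object per member with the group-relative name and ADsPath.
function Get-LocalGroupMember {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        [PSCustomObject]@{ Computer = $ComputerName; Member = $name; ADsPath = $path }
    }
}

# Report every member of local Administrators that is not on the allow-list.
# A user account showing up here is exactly the "everyone is admin" condition
# the thread is arguing against.
function Find-UnexpectedAdmin {
    param([string[]] $ComputerName, [string[]] $Allowed)
    foreach ($c in $ComputerName) {
        try {
            Get-LocalGroupMember -ComputerName $c | Where-Object { $Allowed -notcontains $_.Member }
        } catch {
            Write-Warning "Could not query $c : $($_.Exception.Message)"
        }
    }
}

# Push an MSI install as SYSTEM on a remote host using psexec.
#   -s   run as the local SYSTEM account (needs no interactive user)
#   -d   do not wait for the process to finish, so 100 hosts do not serialize
# The share must be readable by the target machine's computer account, since
# SYSTEM has no user credentials to present to the file server.
function Install-MsiRemote {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Msi
    )
    & $PsExecPath "\\$ComputerName" -s -d msiexec.exe /i "$Msi" /qn /norestart
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "psexec returned $LASTEXITCODE on $ComputerName"
    }
}

# Usage: list who should not be admin, then deploy to every host.
Find-UnexpectedAdmin -ComputerName $Computers -Allowed $Expected | Format-Table -AutoSize

foreach ($c in $Computers) {
    Install-MsiRemote -ComputerName $c -Msi $MsiPath
}
```

The audit half is the useful check before any policy change: run it against the fleet, and the output is the list of accounts that would lose rights, which is the conversation to have with department heads. The install half is what replaces "running around installing software"; because msiexec runs as SYSTEM on the target, the logged-on user needs no admin rights at all for the install to succeed.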
