Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 31 Jan 2008 12:00:35 -0500
Halliday,Paul wrote:
I am looking for insight (pros and cons) on the issue of granting local admin rights to faculty and staff in a .edu setting. Let's assume that the staff and faculty have direct access to core administrative systems and portals like Sharepoint and Peoplesoft. I have never thought of this argument as subjective (am I just being anal?) but apparently I was wrong. I would love to hear the general consensus on this issue. I am especially interested in what others in .edu are doing.
We're working toward getting people to use regular user accounts for daily activities. It's all purely voluntary and self-supported at this point though our desktop services folks now create both regular and administrative accounts on every laptop computer they set up. I believe a significant number of IT staff are operating their computers using regular user accounts as are some of the more sensitive and progressive administrative areas.

We do not have a schedule for removing access to the local administrator accounts. In fact, we encourage keeping them if it means the operator will use a regular account for day to day use.

Eric's statement, "when you switch from supporting to managing the desktops it takes a different IT skill set" is right on target. And managing is necessary in today's environment as the desktop is just as much or more a critical component in the information infrastructure as databases, ERPs, and networks. They're also probably the primary weak link in the security chain right now.

The main roadblock for removing administrative access is support capabilities. If a support organization can effectively deliver the following, very few operators need administrator access:

1) Manage the change. Perform business process analysis and provide related training on regular account use and how to work around problem applications and tasks. The hurdles of change, confusion, and fear are probably the most significant problems for most people, not the landing point on the other side.

2) Training on when and how to log a support call.

3) Timely response to support calls requesting administrator level tasks be done.

Add a little operator cooperation and the non-administrative environment should be low impact and sustainable for most people.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
Current thread:
- Windows local admin in a .edu environment Halliday,Paul (Jan 30)
- <Possible follow-ups>
- Re: Windows local admin in a .edu environment David Kovarik (Jan 30)
- Re: Windows local admin in a .edu environment Hull, Dave (Jan 30)
- Re: Windows local admin in a .edu environment Frank T. Shylkofski (Jan 30)
- Re: Windows local admin in a .edu environment Eric Case (Jan 30)
- Re: Windows local admin in a .edu environment Halliday,Paul (Jan 31)
- Re: Windows local admin in a .edu environment Gary Flynn (Jan 31)
- Re: Windows local admin in a .edu environment Jim Dillon (Jan 31)
- Re: Windows local admin in a .edu environment Steven Alexander (Jan 31)
- Re: Windows local admin in a .edu environment Ozzie Paez (Jan 31)
- Re: Windows local admin in a .edu environment Curt Wilson (Jan 31)