Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 31 Jan 2008 12:00:35 -0500

Halliday, Paul wrote:
I am looking for insight (pros and cons) on the issue of granting
local admin rights to faculty and staff in a .edu setting. Let's
assume that the staff and faculty have direct access to core
administrative systems and portals like Sharepoint and Peoplesoft.

I have never thought of this argument as subjective (am I just being
anal?) but apparently I was wrong. I would love to hear the general
consensus on this issue. I am especially interested in what others in
.edu are doing.


We're working toward getting people to use regular user accounts
for daily activities. It's all purely voluntary and self-supported
at this point though our desktop services folks now create both
regular and administrative accounts on every laptop computer they
set up. I believe a significant number of IT staff are operating
their computers using regular user accounts as are some of the
more sensitive and progressive administrative areas.

We do not have a schedule for removing access to the local
administrator accounts. In fact, we encourage keeping them if it
means the operator will use a regular account for day to day use.

Eric's statement, "when you switch from supporting to managing the
desktops it takes a different IT skill set" is right on target.
And managing is necessary in today's environment as the desktop is
just as much or more a critical component in the information
infrastructure as databases, ERPs, and networks. They're also
probably the primary weak link in the security chain right now.

The main roadblock for removing administrative access is support
capabilities. If a support organization can effectively deliver
the following, very few operators need administrator access:

1) Manage the change. Perform business process analysis and provide
   related training on regular account use and how to work around
   problem applications and tasks. The hurdles of change, confusion,
   and fear are probably the most significant problems for most
   people, not the landing point on the other side.
2) Training on when and how to log a support call.
3) Timely response to support calls requesting administrator
   level tasks be done.

Add a little operator cooperation and the non-administrative
environment should be low impact and sustainable for most
people.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
