Re: Windows local admin in a .edu environment

[Jim Dillon <Jim.Dillon () COLORADO EDU>]

Paul,

I too am a fan of Least Privilege as a core principal.  I've worked in
environments on either end of that spectrum and have found problems with
both, but the Least Privilege managed service typically ends up with
better service.

There is a caution here however.  Even least privilege cannot impede the
business from achieving its mission or objective, and you will find that
not all users "use" their equipment the same way.  Good, manageable
exception policies, and additional services and support are costs that
go along with managed services.  Not only is the IT staffing and
management different, the administrative service levels must typically
be faster-better.  Here is a simple example.

For years I worked as an auditor, and unlike many jobs, auditors move, a
lot, to different campuses and sites.  When our machines were locked
down with no administrative access, and we were at another site or
campus, often our supporting group could not serve us at that location.
Any modifications that were needed to allow us to use our machines for
security testing, or even just to obtain local printing during our two
week stay, were beyond us to remedy, and there was no help available.
There is a lot to say about the organizational decisions that create
that problem set (e.g. each campus operating so independently as to not
be able to serve the needs of the larger entity) but we constantly ended
up in a situation where we could not: 1) Install the analysis tools
needed to do our network monitoring 2) Connect to local resources 3)
Gain access to standard resources at the home office.  The problem was
that the least privilege principal didn't accurately reflect the
variation in job requirements.  

I've typically solved this in part by asking that our machines have a
local-admin account that is not used for regular connectivity, but for
allowing those distributed sites' IT staff members enough access through
that account to accommodate our needs while on the road.  Once granted
this method, as mentioned by other comments, served, but it was an
"after the pain" event, not a timely, supportive business practice.  Yes
our boxes were as a result more "risky", but it was the nature of the
job requirement, not a support of personal preference.  A good solution
might have had some standard image reloading or virtual machines that
could have allowed us a "safer" and more controlled approach, but in the
early years that wasn't an option, and in the later years the managed
services was too tightly wound to help find the better solution.

So my cautionary note is that "LEAST" is not binary, nor is it static -
wrapping your management model around that is a difficult proposition,
and costly.  The end result is better, I'm not challenging the
principle, and there are multiple paths to an adequate result (not just
the method I demonstrated - there could have been better solutions).
The typical downfall of managed services is a tendency to immediately
assume "LEAST" is the standard load, and often it is not.  It is a
difficult proposition to manage the needed exceptions, thus there are
additional staffing and skill requirements to be considered.

Best regards,

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------


-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] 
Sent: Thursday, January 31, 2008 8:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment

Judging by the replies to this thread it still appears that this issue
is quite subjective. I am having a hard time understanding why.

I love this statement and can relate to it:

"My point is, when you switch from supporting to managing the desktops
it takes a different IT skill set."

But then I see something like (this email also went to
security-basics () securityfocus com):

"Unfortunately in academic environments it is difficult not to give
users administrative rights, however it is relatively simple to use
group polices to limit the affect they can have on their machines"

Tailoring a group policy to mitigate the damage an administrative user
can do requires a "skill set" but seems somewhat fruitless. Is this
perhaps a ditch effort to work within unrealistic constraints and still
be able to say "We tried"?

Off list input:

"Beyond all that, you place great liability on both yourself and your
organization if you grant everyone admin rights. In a legal battle (at
least from the year of Computer / technology law that i've studied) you
could be held liable for actions taken against the system if things go
south (bad student, disgruntled employee etc)"

So our Cons look something like this: 

1) We have lost accountability.

2) We have significantly increased our exposure to localized threats.

3) We have made targeted attacks obvious and potentially devastating. 

Could it also be said that the acceptance of this practice incurs an
unacceptable level of risk that may violate our legal obligations?

Thanks for the input.

Clip history...