Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 31 Jan 2008 10:05:32 -0700
Paul, I too am a fan of Least Privilege as a core principal. I've worked in environments on either end of that spectrum and have found problems with both, but the Least Privilege managed service typically ends up with better service. There is a caution here however. Even least privilege cannot impede the business from achieving its mission or objective, and you will find that not all users "use" their equipment the same way. Good, manageable exception policies, and additional services and support are costs that go along with managed services. Not only is the IT staffing and management different, the administrative service levels must typically be faster-better. Here is a simple example. For years I worked as an auditor, and unlike many jobs, auditors move, a lot, to different campuses and sites. When our machines were locked down with no administrative access, and we were at another site or campus, often our supporting group could not serve us at that location. Any modifications that were needed to allow us to use our machines for security testing, or even just to obtain local printing during our two week stay, were beyond us to remedy, and there was no help available. There is a lot to say about the organizational decisions that create that problem set (e.g. each campus operating so independently as to not be able to serve the needs of the larger entity) but we constantly ended up in a situation where we could not: 1) Install the analysis tools needed to do our network monitoring 2) Connect to local resources 3) Gain access to standard resources at the home office. The problem was that the least privilege principal didn't accurately reflect the variation in job requirements. I've typically solved this in part by asking that our machines have a local-admin account that is not used for regular connectivity, but for allowing those distributed sites' IT staff members enough access through that account to accommodate our needs while on the road. Once granted this method, as mentioned by other comments, served, but it was an "after the pain" event, not a timely, supportive business practice. Yes our boxes were as a result more "risky", but it was the nature of the job requirement, not a support of personal preference. A good solution might have had some standard image reloading or virtual machines that could have allowed us a "safer" and more controlled approach, but in the early years that wasn't an option, and in the later years the managed services was too tightly wound to help find the better solution. So my cautionary note is that "LEAST" is not binary, nor is it static - wrapping your management model around that is a difficult proposition, and costly. The end result is better, I'm not challenging the principle, and there are multiple paths to an adequate result (not just the method I demonstrated - there could have been better solutions). The typical downfall of managed services is a tendency to immediately assume "LEAST" is the standard load, and often it is not. It is a difficult proposition to manage the needed exceptions, thus there are additional staffing and skill requirements to be considered. Best regards, Jim -----------University of Colorado-------------- Jim Dillon, CISA, CISSP Program Manager Administrative Systems and Data Services jim.dillon () colorado edu 303-735-5682 -------------------Boulder------------------------ -----Original Message----- From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] Sent: Thursday, January 31, 2008 8:20 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows local admin in a .edu environment Judging by the replies to this thread it still appears that this issue is quite subjective. I am having a hard time understanding why. I love this statement and can relate to it: "My point is, when you switch from supporting to managing the desktops it takes a different IT skill set." But then I see something like (this email also went to security-basics () securityfocus com): "Unfortunately in academic environments it is difficult not to give users administrative rights, however it is relatively simple to use group polices to limit the affect they can have on their machines" Tailoring a group policy to mitigate the damage an administrative user can do requires a "skill set" but seems somewhat fruitless. Is this perhaps a ditch effort to work within unrealistic constraints and still be able to say "We tried"? Off list input: "Beyond all that, you place great liability on both yourself and your organization if you grant everyone admin rights. In a legal battle (at least from the year of Computer / technology law that i've studied) you could be held liable for actions taken against the system if things go south (bad student, disgruntled employee etc)" So our Cons look something like this: 1) We have lost accountability. 2) We have significantly increased our exposure to localized threats. 3) We have made targeted attacks obvious and potentially devastating. Could it also be said that the acceptance of this practice incurs an unacceptable level of risk that may violate our legal obligations? Thanks for the input. Clip history...
Current thread:
- Windows local admin in a .edu environment Halliday,Paul (Jan 30)
- <Possible follow-ups>
- Re: Windows local admin in a .edu environment David Kovarik (Jan 30)
- Re: Windows local admin in a .edu environment Hull, Dave (Jan 30)
- Re: Windows local admin in a .edu environment Frank T. Shylkofski (Jan 30)
- Re: Windows local admin in a .edu environment Eric Case (Jan 30)
- Re: Windows local admin in a .edu environment Halliday,Paul (Jan 31)
- Re: Windows local admin in a .edu environment Gary Flynn (Jan 31)
- Re: Windows local admin in a .edu environment Jim Dillon (Jan 31)
- Re: Windows local admin in a .edu environment Steven Alexander (Jan 31)
- Re: Windows local admin in a .edu environment Ozzie Paez (Jan 31)
- Re: Windows local admin in a .edu environment Curt Wilson (Jan 31)