Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Thu, 31 Jan 2008 11:18:49 -0700

Paul,
My experiences, although not in academia, have been mixed and highly
dependent on the training and culture of the target group.  Two things that
I would recommend are to do a quick cost-benefit and justification analysis.

1.  What type of user wants it and why?  This is not as simple as it sounds
because in many of the target populations that I have been involved with, only
some of the members wanted or needed it.  In addition, many of those who
'needed' admin rights actually needed some rights to do a few things that
could be done with more granular security grants.
2.  Before you roll it out, I would recommend doing a pilot.  In a number of
cases that I remember, granting people admin rights drove support needs much
higher because the target population got into trouble doing things that they
did not know how to do or understand the implications of.  Finally, losing a common
configuration base can also drive support times higher because when someone
calls, you really don't know what they may have done to their system.

Hope it helps,

Ozzie Paez
SSE/CISSP
Denver Infragard
303-332-5363


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Thursday, January 31, 2008 10:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment


Halliday, Paul wrote:
I am looking for insight (pros and cons) on the issue of granting
local admin rights to faculty and staff in a .edu setting. Let's
assume that the staff and faculty have direct access to core
administrative systems and portals like Sharepoint and Peoplesoft.

I have never thought of this argument as subjective (am I just being
anal?) but apparently I was wrong. I would love to hear the general
consensus on this issue. I am especially interested in what others in
.edu are doing.


We're working toward getting people to use regular user accounts
for daily activities. It's all purely voluntary and self-supported
at this point though our desktop services folks now create both
regular and administrative accounts on every laptop computer they
set up. I believe a significant number of IT staff are operating
their computers using regular user accounts as are some of the
more sensitive and progressive administrative areas.

We do not have a schedule for removing access to the local
administrator accounts. In fact, we encourage keeping them if it
means the operator will use a regular account for day to day use.

Eric's statement, "when you switch from supporting to managing the
desktops it takes a different IT skill set" is right on target.
And managing is necessary in today's environment as the desktop is
just as much or more a critical component in the information
infrastructure as databases, ERPs, and networks. They're also
probably the primary weak link in the security chain right now.

The main roadblock for removing administrative access is support
capabilities. If a support organization can effectively deliver
the following, very few operators need administrator access:

1) Manage the change. Perform business process analysis and provide
    related training on regular account use and how to work around
    problem applications and tasks. The hurdles of change, confusion,
    and fear are probably the most significant problems for most
    people, not the landing point on the other side.
2) Training on when and how to log a support call.
3) Timely response to support calls requesting administrator
    level tasks be done.

Add a little operator cooperation and the non-administrative
environment should be low impact and sustainable for most
people.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
