Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 31 Jan 2008 10:08:19 -0800
I think it is fruitless to limit administrative users with group policy. One of the biggest problems is that administrative users expose themselves to a lot of attacks just by browsing the web, reading email and using P2P software. Software restriction policies can help, but it would be very hard to catalogue all of the software that needs to be prohibited or run without privilege, and the policies can be inadvertently circumvented if something is installed to an unusual location.

An administrative user can, in some cases at least, circumvent group policy by editing the registry (or some malware can do so on his behalf). You should be able to control this by restricting registry access, but . . . I think you're much better off just taking away admin rights. Adding some restrictions does help a little, but you're never going to plug all of the leaks.

If you're going to take away admin rights, it's important that upper management understand the basic reasoning behind the policy and are willing to support it. There's no point to the rule if everyone is an exception.

Regards,

Steven Alexander Jr.
Merced College

-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA]
Sent: Thursday, January 31, 2008 7:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment

<snip>

"Unfortunately in academic environments it is difficult not to give users administrative rights, however it is relatively simple to use group policies to limit the effect they can have on their machines"

Tailoring a group policy to mitigate the damage an administrative user can do requires a "skill set" but seems somewhat fruitless. Is this perhaps a ditch effort to work within unrealistic constraints and still be able to say "We tried"?

<snip>