Educause Security Discussion mailing list archives

Re: Windows local admin in a .edu environment


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 31 Jan 2008 10:08:19 -0800

I think it is fruitless to limit administrative users with group policy.
One of the biggest problems is that administrative users expose
themselves to a lot of attacks just by browsing the web, reading email
and using P2P software.  Software restriction policies can help, but it
would be very hard to catalogue all of the software that needs to be
prohibited or run without privilege and the policies can be
inadvertently circumvented if something is installed to an unusual
location.  

An administrative user can, in some cases at least, circumvent group
policy by editing the registry (or some malware can do so on his
behalf).  You should be able to control this by restricting registry
access, but . . . I think you're much better off just taking away admin
rights.  Adding some restrictions does help a little, but you're never
going to plug all of the leaks.

If you're going to take away admin rights, it's important that upper
management understand the basic reasoning behind the policy and are
willing to support it.  There's no point to the rule if everyone is an
exception.  

Regards,

Steven Alexander Jr.
Merced College


-----Original Message-----
From: Halliday,Paul [mailto:Paul.Halliday () NSCC CA] 
Sent: Thursday, January 31, 2008 7:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows local admin in a .edu environment

<snip>

"Unfortunately in academic environments it is difficult not to give
users administrative rights, however it is relatively simple to use
group policies to limit the effect they can have on their machines"

Tailoring a group policy to mitigate the damage an administrative user
can do requires a "skill set" but seems somewhat fruitless. Is this
perhaps a ditch effort to work within unrealistic constraints and still
be able to say "We tried"?
<snip>
