Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: Karen Stopford <stopfordk () CT EDU>
Date: Mon, 23 Feb 2009 11:09:31 -0500

We are a University system, so mileage varies by institution.  One of the Universities unreservedly gave all employees 
administrator privileges on their machines and now regrets it, primarily because of unauthorized software installations 
and configuration changes that either interfere with maintenance activities, or cause an uptick in Help Desk calls.

Other sites have restricted these rights to certain individuals that may have a legitimate need to install software 
(mostly IT and Academic Computing) and have not reported so many of these issues.  Special training in IT policy is 
required for these people.  However, there is constant debate over what the faculty needs to be effective, and the 
"academic freedom" argument is frequently raised.  One of the creative approaches we are looking at is to allow faculty 
to have this access on restricted networks attached to different service levels to reduce potential impact on other 
network users, to simplify asset management, and to provide priority service to users of production applications.

Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, February 23, 2009 10:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end
user authentication, and so we'll be joining all college-owned end user
computers to the domain. I'm curious about privilege levels. What sort
of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
