Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: Karen Stopford <stopfordk () CT EDU>
Date: Mon, 23 Feb 2009 12:24:51 -0500

In my last place of employment (NOT higher ed.) we implemented least privilege on the desktop and had a few squirrely 
applications like the one you mentioned.  We found that Filemon and Regmon, two free tools from Microsoft, were 
invaluable aids in determining specific file and registry key permissions needed by the applications.  Of course, this 
can add quite a bit of administrative work if these apps are "one-offs" as Group Policy settings aren't the most 
efficient way to set these permissions.

If you can get away with it, I agree that Power User is a better alternative than full Administrator rights.
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Stanclift, Michael
Sent: Monday, February 23, 2009 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

Nearly all users, except for IT staff, are given Power User access to "their" machines, and general user access to 
others. We enforce this through group policy so that our techs cannot give them access and forget to take it away; they 
have to get approval from our network staff.

There are a handful of users with regular administrative access to their machines, but they must agree that if their 
machines get boogered up that they're basically on their own in getting stuff backed up and reset. We also make them go 
through our NAC (CCA) whereas normal users we do not (since they don't have admin access to fix it.)

We only do this after trying all other options and it's mostly a case of a poorly written piece of software they "must" 
use for their jobs. (Our athletics department has a few stats programs that require this.) We'll reimage it for them 
but beyond that it's pretty much out of our control. We only have done this for users we know understand basic computer 
security.

I've been trying to convince the powers that be to implement some type of mandatory security training program for all 
staff users.

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew 
Gracie
Sent: Monday, February 23, 2009 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end
user authentication, and so we'll be joining all college-owned end user
computers to the domain. I'm curious about privilege levels. What sort
of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
