Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: Themba Flowers <themba.flowers () YALE EDU>
Date: Mon, 23 Feb 2009 12:43:02 -0500

[Note: This writing is not reflective of Yale University Policy]

For my own consulting work on the side, I generally give users
standard User privilege through the AD.
However, after explaining to users why running a machine with Admin is
generally a bad idea (indeed, I don't run as Admin on my own box), I
will inform them of a machine (Non-AD) account that exists for
admin, installs, etc. "only." This machine account is a logged account
which can be revoked as necessary.  This has worked well.  In the
event that there is a program which needs admin to run on a regular
basis - I can wade in with FileMon and RegMon as necessary. More often
than not, the workarounds for any given SW title are already known and
don't take a lot of resources to fix.
I find that after the WARNING spiel, users are usually happy to have
access to an admin account even though in practice it is rarely
required. On the other hand, there is always that one user who uses
the admin account constantly and/or is a pain about having to switch
accounts.  Since they tend to be more advanced users anyway, I'll give
them full admin with the caveat that they'll get little to no support.


Themba Flowers
*-*--*----*--------*----------------*
Social Science Research Services &
Educational Technology
http://www.yale.edu/statlab
Yale University Academic Media & Technology
140 Prospect Street, Room 100
New Haven, CT 06520
t.203-432-6931     f.203-432-7564
http://twitter.com/statlab


On Feb 23, 2009, at 12:24 PM, Karen Stopford wrote:

In my last place of employment (NOT higher ed.) we implemented least
privilege on the desktop and had a few squirrely applications like
the one you mentioned.  We found that Filemon and Regmon, two free
tools from Microsoft, were invaluable aids in determining specific
file and registry key permissions needed by the applications.  Of
course, this can add quite a bit of administrative work if these
apps are "one-offs" as Group Policy settings aren't the most
efficient way to set these permissions.

If you can get away with it, I agree that Power User is a better
alternative than full Administrator rights.
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Monday, February 23, 2009 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

Nearly all users, except for IT staff, are given Power User access
to "their" machines, and general user access to others. We enforce
this through group policy so that our techs cannot give them access
and forget to take it away; they have to get approval from our
network staff.

There are a handful of users with regular administrative access to
their machines, but they must agree that if their machines get
boogered up that they're basically on their own in getting stuff
back up and reset. We also make them go through our NAC (CCA), whereas
normal users we do not (since they don't have admin access to fix
it.)

We only do this after trying all other options and it's mostly a
case of a poorly written piece of software they "must" use for their
jobs. (Our athletics department has a few stats programs that
require this.) We'll reimage it for them but beyond that it's pretty
much out of our control. We only have done this for users we know
understand basic computer security.

I've been trying to convince the powers that be to implement some
type of mandatory security training program for all staff users.

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, February 23, 2009 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our
end user authentication, and so we'll be joining all college-owned end
user computers to the domain. I'm curious about privilege levels. What
sort of access are other institutions giving their users to their
computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
