Educause Security Discussion mailing list archives
Re: User Privilege Levels.
From: Themba Flowers <themba.flowers () YALE EDU>
Date: Mon, 23 Feb 2009 12:43:02 -0500
[Note: This writing is not reflective of Yale University Policy]

For my own consulting work on the side, I generally give users standard User privilege through the AD. However, after explaining to users why running a machine with Admin is generally a bad idea (indeed, I don't run as Admin on my own box), I will inform them of a machine (non-AD) account that exists for admin, installs, etc. "only." This machine account is a logged account which can be revoked as necessary. This has worked well.

In the event that there is a program which needs admin to run on a regular basis, I can wade in with FileMon and RegMon as necessary. More often than not, the workarounds for any given SW title are already known and don't take a lot of resources to fix.

I find that after the WARNING spiel, users are usually happy to have access to an admin account even though in practice it is rarely required. On the other hand, there is always that one user who uses the admin account constantly and/or is a pain about having to switch accounts. Since they tend to be more advanced users anyway, I'll give them full admin with the caveat that they'll get little to no support.

Themba Flowers
*-*--*----*--------*----------------*
Social Science Research Services & Educational Technology
http://www.yale.edu/statlab
Yale University Academic Media & Technology
140 Prospect Street, Room 100
New Haven, CT 06520
t.203-432-6931 f.203-432-7564
http://twitter.com/statlab

On Feb 23, 2009, at 12:24 PM, Karen Stopford wrote:
In my last place of employment (NOT higher ed.) we implemented least privilege on the desktop and had a few squirrely applications like the one you mentioned. We found that Filemon and Regmon, two free tools from Microsoft, were invaluable aids in determining the specific file and registry key permissions needed by the applications. Of course, this can add quite a bit of administrative work if these apps are "one-offs", as Group Policy settings aren't the most efficient way to set these permissions.

If you can get away with it, I agree that Power User is a better alternative than full Administrator rights.

Karen C.

Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT 06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Monday, February 23, 2009 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

Nearly all users, except for IT staff, are given Power User access to "their" machines, and general user access to others. We enforce this through group policy so that our techs cannot give them access and forget to take it away; they have to get approval from the network staff.

There are a handful of users with regular administrative access to their machines, but they must agree that if their machines get boogered up they're basically on their own in getting stuff back up and reset. We also make them go through our NAC (CCA), whereas normal users do not (since they don't have admin access to fix it). We only do this after trying all other options, and it's mostly a case of a poorly written piece of software they "must" use for their jobs. (Our athletics department has a few stats programs that require this.) We'll reimage it for them, but beyond that it's pretty much out of our control.
We have only done this for users we know understand basic computer security. I've been trying to convince the powers that be to implement some type of mandatory security training program for all staff users.

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, February 23, 2009 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end user authentication, and so we'll be joining all college-owned end user computers to the domain. I'm curious about privilege levels. What sort of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?
* Do you have a uniform level for all employees, or does it vary by position?
* Can an employee move between schemes, applying for greater access after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator
graciem () canisius edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
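Two of the replies above describe the same least-privilege workflow: run the "squirrely" application as a standard user, capture its file and registry activity with Filemon/Regmon, and grant only the specific paths it is denied. The script below is an added example (not from any of the posters or the EDUCAUSE list) of the triage step that follows the capture: it reads a monitor export, keeps only the ACCESS DENIED events for the application's process, and lists the distinct file paths and registry keys (with the operation attempted) so an administrator can scope the permission change to exactly those objects rather than falling back to Power User or Administrator. The column layout is assumed to match a Process Monitor CSV export (the successor to Filemon/Regmon); the log lines, process name and paths are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names follow a Process Monitor CSV export
# (assumption); every line, process and path below is invented for this example.
SAMPLE_LOG = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
12:01:03.1,statsapp.exe,1234,CreateFile,C:\Program Files\StatsApp\data.dat,ACCESS DENIED,Desired Access: Generic Write
12:01:03.2,statsapp.exe,1234,CreateFile,C:\Program Files\StatsApp\statsapp.exe,SUCCESS,Desired Access: Read
12:01:03.3,statsapp.exe,1234,RegSetValue,HKLM\SOFTWARE\StatsApp\LastRun,ACCESS DENIED,Type: REG_SZ
12:01:03.4,statsapp.exe,1234,RegOpenKey,HKLM\SOFTWARE\StatsApp,SUCCESS,Desired Access: Read
12:01:03.5,explorer.exe,800,CreateFile,C:\Windows\System32\config\SAM,ACCESS DENIED,Desired Access: Read
12:01:03.6,statsapp.exe,1234,CreateFile,C:\Program Files\StatsApp\data.dat,ACCESS DENIED,Desired Access: Generic Write
12:01:03.7,statsapp.exe,1234,CreateFile,C:\Windows\Temp\stats.log,NAME NOT FOUND,Desired Access: Read
"""

# Registry hive prefixes as they appear in monitor output; anything else is a file path.
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")


def classify(path):
    """Tell registry keys apart from file-system paths so each gets the right ACL tool."""
    return "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"


def denied_accesses(log_text, process_name):
    """Map (kind, path) -> sorted operations for every ACCESS DENIED event of one process.

    Events from other processes are ignored (the denial on the SAM file above is
    explorer.exe's and must not end up in the application's grant list), as are
    non-denial results such as NAME NOT FOUND, which a standard user can hit legitimately.
    Repeated denials on the same path collapse into one entry.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        hits[(classify(row["Path"]), row["Path"])].add(row["Operation"])
    return {key: sorted(ops) for key, ops in hits.items()}


def report(log_text, process_name):
    """One line per object that needs a permission decision, sorted for review."""
    lines = []
    for (kind, path), ops in sorted(denied_accesses(log_text, process_name).items()):
        lines.append(f"{kind:8} {path}  <- {', '.join(ops)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "statsapp.exe"):
        print(line)
```

Against the constructed sample the report contains two objects: the application's data file (a write denial) and one registry value under its own key. Those are the only permissions to grant; the read on the SAM file belongs to another process and stays denied, and the missing log file is not a permission problem at all. Filtering on the process name and on the exact ACCESS DENIED result is what keeps the grant list from growing into a blanket Power User assignment.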
Current thread:
- User Privilege Levels. Matthew Gracie (Feb 23)
- <Possible follow-ups>
- Re: User Privilege Levels. Karen Stopford (Feb 23)
- Re: User Privilege Levels. Tupker, Mike (Feb 23)
- Re: User Privilege Levels. Stanclift, Michael (Feb 23)
- Re: User Privilege Levels. Karen Stopford (Feb 23)
- Re: User Privilege Levels. Themba Flowers (Feb 23)
- Re: User Privilege Levels. Daly, Douglas (Feb 24)
- Re: User Privilege Levels. Jim Pollard (Feb 24)
- Re: User Privilege Levels. Karen Stopford (Feb 24)
- Re: User Privilege Levels. Basgen, Brian (Feb 24)
- Re: User Privilege Levels. Gary Flynn (Feb 24)
- Re: User Privilege Levels. Spransy, Derek (Feb 24)
- Re: User Privilege Levels. Karen Stopford (Feb 24)
- Re: User Privilege Levels. Stanclift, Michael (Feb 24)
- Re: User Privilege Levels. Harold Winshel (Feb 24)
- Re: User Privilege Levels. Gary Flynn (Feb 25)
(Thread continues...)