Educause Security Discussion mailing list archives

Re: User Privilege Levels.
From: "Daly, Douglas" <DDALY () NYMC EDU>
Date: Tue, 24 Feb 2009 09:01:59 -0500

Matt,

We do not grant end users administrative privileges. If they need
elevated privileges, help desk will remote desktop to the computer,
elevate privileges or assist with installation and then demote
privileges. Allowing administrative access to end users is a recipe for
major help desk headaches. If an end user insists (usually a faculty
researcher) on having administrative access to "his" computer, we will
not join it to the domain and assistance stops at the network jack. All
college owned computers must be running our campus anti-virus
application (Trend Micro here). 

We went from Novell to Windows many years ago but the one thing I would
have done differently is I would have created OUs for the various
groups, e.g. students, faculty, staff. That would have allowed us to
customize the password policy and made printing customization easier.
Back when we made the change, we didn't have a policy requiring regular
password changes. 

We don't restrict access to computers to one (or a small group of)
user(s). That's not a bad idea, but it does require a lot of management
time. Restricting administrative computers to just the members of the
department will enhance security. 

One last item... We have a common, local administrator password that is
known only to help desk. Local accounts at the workstations are not
created so everyone using the computer authenticates to the domain. 

Regards,
Douglas Daly
Associate Director,
Technical Services
New York Medical College
Valhalla, NY  10595

914.594.4961

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU] 
Sent: Monday, February 23, 2009 10:46 AM
Subject: User Privilege Levels.
We're in the midst of planning a rollout to Active Directory for our end
user authentication, and so we'll be joining all college-owned end user
computers to the domain. I'm curious about privilege levels. What sort
of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

-- 
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg        

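The elevate-then-demote routine Douglas describes above (help desk connects, raises the user to local administrator for the install, then takes it away again) can be scripted so the demotion cannot be forgotten. The following is an added example written for this archive page; it is not code from either poster or their institutions. It assumes the help-desk account running it is already a local administrator on the target workstation, that the target is reachable over RPC (the WinNT ADSI provider, which works against XP-era clients without WinRM), and that CORP, jdoe and WS0123 are placeholder names.

```powershell
# Added example, not from the original post. Temporarily grant a domain
# user membership in the local Administrators group of a workstation and
# revoke it again after a fixed window, even if the script is interrupted.
# Assumptions: caller is already a local admin on $ComputerName; names such
# as CORP / jdoe / WS0123 are placeholders.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. WS0123
    [Parameter(Mandatory)] [string] $Domain,         # e.g. CORP
    [Parameter(Mandatory)] [string] $UserName,       # e.g. jdoe
    [int] $Minutes = 30                              # length of the admin window
)

# WinNT provider bindings: the workstation's local Administrators group and
# the domain user to add to it.
$group  = [ADSI]"WinNT://$ComputerName/Administrators,group"
$member = "WinNT://$Domain/$UserName,user"

function Test-LocalAdminMember {
    # Enumerate the group's members (COM objects) and compare the Name
    # property of each against the requested user.
    $names = @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
    return ($names -contains $UserName)
}

if (Test-LocalAdminMember) {
    Write-Warning "$Domain\$UserName is already a local administrator on $ComputerName; nothing to do."
    return
}

try {
    $group.Add($member)
    Write-Host ("{0} elevated {1}\{2} on {3} for {4} minutes" -f (Get-Date -Format s), $Domain, $UserName, $ComputerName, $Minutes)
    # Help desk performs (or supervises) the installation during this window.
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # The finally block runs whether the window expires normally, the
    # script throws, or the operator stops it, so the user is not left with
    # standing administrative rights.
    $group.Remove($member)
    if (Test-LocalAdminMember) {
        Write-Error "Demotion failed: $Domain\$UserName is still in Administrators on $ComputerName"
    } else {
        Write-Host ("{0} demoted {1}\{2} on {3}" -f (Get-Date -Format s), $Domain, $UserName, $ComputerName)
    }
}
```

Two caveats a practitioner will run into: a Windows access token is built at logon, so the user only sees the new group membership after logging off and on (or in a fresh `runas` session), and for the same reason removing the membership does not strip administrator rights from a session that is already open. To be sure the elevation has actually ended, have the user log off after the install rather than relying on the group change alone.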