Educause Security Discussion mailing list archives

Re: User Privilege Levels.


From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Tue, 24 Feb 2009 19:20:40 -0600

[rant] I have a lot of issues when faculty claims "academic freedom" for a need to gain access to a system or to have a 
process changed for them. It usually results in me being less responsive to their request as they "pull rank" on me. If 
they only knew the things we let them get away with that wouldn't fly in the "real world" ;) [/rant]

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karen Stopford 
[stopfordk () CT EDU]
Sent: Tuesday, February 24, 2009 4:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

All great responses so far!  I should also add that in our case, since we are a state university system, we are subject 
to rules governing software installations on equipment purchased with state funds - so there is a compliance risk here 
as well.

Just saw this on the NIST site and it seemed timely if anyone wants additional ammunition to support a least privilege 
approach:
http://www.nist.org/news.php?extend.266

Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Spransy, 
Derek
Sent: Tuesday, February 24, 2009 5:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

A year ago we (College of Arts & Sciences at Emory) started the process of not granting administrative rights to users 
by default, and came up with an exception process for faculty and staff that have a legitimate need for them.  We've 
had some faculty complain about infringements on their academic freedom (or a similar argument), but there actually 
hasn't been a lot of that.  I've found that most faculty understand the need when it's explained to them.  Having an 
exception process gives us the means to provide faculty with other alternatives, and it shows that we're willing to 
work with them.

I maintain metrics that track the number of security incidents that we have per month and how much each of those 
incidents is costing us.  I've also begun tracking whether or not possessing administrative rights contributed to a 
security incident, and not surprisingly, it does in the vast majority of cases. Faculty are used to analyzing data, and 
having those kinds of figures helps to explain the method behind the madness.

-Derek

===========================
Derek Spransy
IT Security Lead
Emory College of Arts & Sciences
derek.spransy () emory edu
404-712-8798
===========================



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karen 
Stopford
Sent: Tuesday, February 24, 2009 4:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

Have any of you run into resistance when trying to reduce privileges, where faculty claims "academic freedom?"  Not a 
technical question but a political one.  I am just wondering how you might have handled it.  You can email me offline 
if you would like.
Thanks,
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim 
Pollard
Sent: Tuesday, February 24, 2009 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

I can only speak from the department level but what we do is give everyone
general user access and temporarily grant administrator access if necessary
using group policy.  If administrator access is absolutely insisted upon we
may permit it with the caveat that the user is responsible for ensuring
security and receives limited support.

~Jim

Jim Pollard
Computer Systems Development Specialist
Department of Biomedical Engineering
University of Texas at Austin
it () bme utexas edu
512.789.4345

"The intelligent man is capable of overcoming problems and difficulties the
wise man would have avoided in the first place."

Rabbi Yusef Becher


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, February 23, 2009 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels.

We're in the midst of planning a rollout to Active Directory for our end
user authentication, and so we'll be joining all college-owned end user
computers to the domain. I'm curious about privilege levels. What sort
of access are other institutions giving their users to their computers?

* Are your users granted Administrative power over their own machines?

* Do you have a uniform level for all employees, or does it vary by
position?

* Can an employee move between schemes, applying for greater access
after passing a security training test or some similar mechanism?

Thanks for any replies. Feel free to respond off-list, if you like.

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

