Educause Security Discussion mailing list archives
Re: Administrative v/s power user Access for Staff and students
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 6 Mar 2009 13:41:42 -0600
You can also push the ACLs down natively with Group Policy too - there's a File Security section which lets you define arbitrary file/folder ACLs. In any case, Process Monitor from Sysinternals (free) is your best friend for troubleshooting this stuff as like Mike says, it's usually the root cause for apps to not work under limited privs. Thanks, Brian Desmond brian.desmond () morantechnology com c - 312.731.3132 Active Directory, 4th Ed - <http://www.briandesmond.com/ad4/> http://www.briandesmond.com/ad4/ Microsoft MVP - <https://mvp.support.microsoft.com/profile/Brian> https://mvp.support.microsoft.com/profile/Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike Sent: Friday, March 06, 2009 1:11 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Administrative v/s power user Access for Staff and students We have made all of our employees power users. Students in the labs get standard user rights assigned to them. Most admin right issues that I've seen can be fixed by granting write access to an application directory. Is situations like that we have a startup script that will use the cacls.exe command to change directory ACLs. Mike Tupker Systems Administrator Mount Mercy College Office: (319) 363-1323 x1401 Mobile: (319) 538-1644 If you need assistance with an computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade Sent: Friday, March 06, 2009 12:32 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Administrative v/s power user Access for Staff and students I was wondering what other universities are doing in limiting administrative access on Desktops and laptops for Staff ? The rationale being as we know that enterprise workstations run as administrator also makes the network vulnerable to malware including viruses, Trojan horses, spyware, adware and unintentional user damage. Malware can exploit a local administrator account's system-level access to damage files, change system configurations, and even transmit confidential data outside of the network. Ensuring that all users run as standard users is the primary way to help mitigate the impact. Has anyone tried giving Power User level access as opposed to full admin rights and if yes what was the overall experience ? Thanks, Anand Anand Malwade Information Security Officer, Seton Hall University,
Current thread:
- Administrative v/s power user Access for Staff and students Anand S Malwade (Mar 06)
- <Possible follow-ups>
- Re: Administrative v/s power user Access for Staff and students Tupker, Mike (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Brian Desmond (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Stanclift, Michael (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Gary Flynn (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Brian K . Doré (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Kevin Shalla (Mar 09)