Educause Security Discussion mailing list archives

Re: Administrative v/s power user Access for Staff and students


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 6 Mar 2009 17:08:12 -0500

Anand S Malwade wrote:
> I was wondering what other universities are doing in limiting administrative access on Desktops and laptops for Staff?
>
> The rationale being as we know that enterprise workstations run as administrator also makes the network vulnerable to malware including viruses, Trojan horses, spyware, adware and unintentional user damage. Malware can exploit a local administrator account’s system-level access to damage files, change system configurations, and even transmit confidential data outside of the network. Ensuring that all users run as standard users is the primary way to help mitigate the impact.
>
> Has anyone tried giving Power User level access as opposed to full admin rights and if yes what was the overall experience?

If I remember correctly, power users have write and modify
rights to the windows directory and the system portions of
the registry. We decided it wouldn't help protect against
compromises very much.

We've converted all of IT and some sensitive administrative
departments to regular user account use for day to day
activities. Some isolated areas have taken the initiative and
converted themselves. Our strategy to proceed further can be
summed up as:

1. Increase the number of application installation packages available
   through SMS.

2. Continue to deploy a supporting infrastructure that enables us
   to better operate, support, and react to changes due to the new
   environment.
   a. Managed desktop environment based on Active Directory domain
   b. Scripting server and repository for automation of solutions
   c. Remote control
   d. BeyondTrust Privilege Manager
      - templates and group policies allow defined programs to run with
        administrative privileges under user account and profile
      - "magic folder" where a user can put a trusted program. When
        run from the "magic folder" it will run with administrative
        privileges. Yes, that means they can put happy_valentine.exe
        in that folder but we're hoping to address that issue with
        education, folder naming, and other procedures.

3. Evolve support, documentation, and training resources to align
   with the new environment.
   a. Remote control support capabilities
   b. Login warning popups if account has administrative privileges

4. Tactical solutions to be used as necessary as 1-3 mature
   a. On-request helpdesk elevation of domain account to local machine
      administrator by moving domain account into a unique
      domain group associated with each computer in the computer's
      local administrators group. ( whew )
   b. Separate administrator account to be used for:
      -RUNAS
      -UAC
      -Direct login
      -Temporary self elevation of domain account to administrator
       as described in (a)
      -scripts and prepackaged shortcuts to help automation
   c. Selective ACL adjustments on folders, files, and registry keys
      to allow the user account additional rights to low risk areas
      for poorly written applications that won't run unmodified under
      a regular user account.

Ask us in a year how it went. :)


Note that it's not a panacea. Functional malware can be written
using only user rights though it won't be able to hide and
embed itself so well nor affect system processes like AV,
the firewall, and automatic updates.

-Automatic startup on user login - User profile startup folder
 \Documents and Settings\user\Start Menu\Programs\Startup
-Access to sensitive data in user accessible areas:
   My Documents
   Network folders
   USB and optical drives
   Encrypted data
-Screen scraping
-Keystroke logging
-Generate network traffic
-Communicate with third parties via e-mail, http, IRC, custom
 protocols, and almost anything else
-Privilege elevation
   Locally exploitable, unpatched defects
   Some sophisticated Windows message injection attacks

For truly sensitive areas, a professionally administered white list
of executables is the only solution.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
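
The login warning popup from item 3b, sketched as an added example that is not part of the original message or JMU's own script. It assumes deployment as a per-user logon script with whoami.exe available; the function name Get-AdminTokenState is hypothetical. It also catches membership that arrives through a nested domain group, as in item 4a.

```powershell
# Added example: logon-time warning for accounts holding local admin rights.
# Assumption: run as a per-user logon script; whoami.exe is on the path.

$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminTokenState {
    # whoami reads the logon token, so membership that arrives through a
    # nested domain group is reported too. /nh drops the localized header.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $entry = $groups | Where-Object { $_.SID -eq $AdminSid } |
        Select-Object -First 1
    if (-not $entry) { return 'Standard' }

    # IsInRole is true only when the Administrators SID is enabled in this
    # token; under UAC a member's unelevated token carries it as deny-only.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $builtinAdmin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if ($principal.IsInRole($builtinAdmin)) { return 'AdminFull' }
    return 'AdminFiltered'
}

$state = Get-AdminTokenState
if ($state -ne 'Standard') {
    if ($state -eq 'AdminFull') {
        $detail = 'Every program you start runs with administrative rights.'
    } else {
        $detail = 'Programs gain administrative rights when you approve a UAC prompt.'
    }
    $message = "The account $env:USERDOMAIN\$env:USERNAME is a local " +
               "administrator on $env:COMPUTERNAME.`n$detail`n" +
               'Use a regular user account for day-to-day work.'
    # 0 = wait until dismissed, 48 = exclamation icon with an OK button
    $shell = New-Object -ComObject WScript.Shell
    $shell.Popup($message, 0, 'Administrative account in use', 48) | Out-Null
}
```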
