Educause Security Discussion mailing list archives
Re: Administrative v/s power user Access for Staff and students
From: Brian K. Doré <bkd () LOUISIANA EDU>
Date: Fri, 6 Mar 2009 19:35:45 -0600
All of our users are standard users. We make a few changes to Windows default permissions, such as allowing standard users to change the time zone. We attempt to make minor permissions changes to allow applications to run as a standard user. In some rare cases we grant an exemption if an application requires administrator access.

We do delegate administrative rights to certain users or departmental admins so they can install software, drivers, etc. We issue separate domain accounts for this with a unique naming scheme.

We don’t use the Power users group except in a few rare circumstances. Power users have WAY too much access by default, and it’s fairly trivial for a power user to elevate themselves to an administrator. See:

http://support.microsoft.com/kb/825069
http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx

I need to clarify that we are still running XP and my comments above relate to that OS. Power users in Vista and Windows 7 are essentially standard users. (see: http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx )

Brian

Brian K. Doré
University of Louisiana at Lafayette

----- Original Message -----
From: "Anand S Malwade" <Anand.Malwade () SHU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, March 6, 2009 12:31:32 PM GMT -06:00 US/Canada Central
Subject: Administrative v/s power user Access for Staff and students

I was wondering what other universities are doing in limiting administrative access on Desktops and laptops for Staff?

The rationale being as we know that enterprise workstations run as administrator also makes the network vulnerable to malware including viruses, Trojan horses, spyware, adware and unintentional user damage. Malware can exploit a local administrator account’s system-level access to damage files, change system configurations, and even transmit confidential data outside of the network.

Ensuring that all users run as standard users is the primary way to help mitigate the impact. Has anyone tried giving Power User level access as opposed to full admin rights and if yes what was the overall experience?

Thanks,
Anand

Anand Malwade
Information Security Officer,
Seton Hall University,