Educause Security Discussion mailing list archives
Re: User Privilege Levels.
From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Wed, 18 Mar 2009 13:27:49 -0500
On Mon, Feb 23, 2009 at 11:43 AM, <themba.flowers () YALE EDU> wrote:
However, after explaining to users why running a machine with Admin is generally a bad idea (indeed, I don't run as Admin on my own box), I will inform them of a machine (Non-AD) account that exists for admin, installs, etc. "only." This machine account is a logged account which can be revoked as necessary. This has worked well. In the event that there is a program which needs admin to run on a regular basis - I can wade in with FileMon and RegMon as necessary. More often than not, the workarounds for any given SW title are already known and don't take a lot of resources to fix.
The thing that makes me nervous is the potential for weak credentials on that admin account. You're in a good spot compared to some of my institutions though, in that those accounts are one-off, and presumably have unique passwords for each of those accounts.
I find that after the WARNING spiel, users are usually happy to have access to an admin account even though in practice it is rarely required. On the other hand, there is always that one user who uses the admin account constantly and/or is a pain about having to switch accounts. Since they tend to be more advanced users anyway, I'll give them full admin with the caveat that they'll get little to no support.
Have you explored if it would be sufficient to make that local administrative user non-interactive, letting your desktop user utilize the "run-as" functionality when running a software package or installer?

Cheers,
-jth

--
John T. Hoffoss, CISSP, GCIH
Information Security Specialist
Email: john.hoffoss () csu mnscu edu
Office: +1.651.201.1453
Mobile: +1.612.867.1432
Minnesota State Colleges and Universities
Information Security Office
30 7th Street East, Suite 350
St. Paul, MN 55101-7804 USA