Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: Gary Dobbins <dobbins () ND EDU>
Date: Mon, 7 Dec 2009 12:05:22 -0500
Randy, I like your hybrid suggestion. Taking it a step further, what if users had the ability to self-escalate when they "really need to" such as for a software install, but would normally work in non-admin mode? Nothing as convenient as Vista's UAC popup - I'm talking about "logout as self, login as admin, install or whatever, then logout and back in as self." Not super convenient - and it shouldn't be. It should be possible for them to take full control when truly needed and without the risk of doing so in a too-cavalier manner. Just having to click "ok" to the UAC is still too close to the level of social engineering where the Trojan Horses live at the moment. By making them re-login to do an install, it can be logged, and tends to force them to close browsers, etc. that might be carrying the Trojan Horse.
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany Sent: Monday, December 07, 2009 11:44 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Peeling off desktop Administrator Rights I presume the primary reason for preventing local users from having admin rights on their desktops is to keep them from installing "evil" software. If this is so, then my question to the group is "how long does it take a desktop user to get a "legitimate" piece of software installed on their desktop? In other words, I have to use software package "A" to do my job. How long does it take for "A" to be installed on my desktop? My informal straw poll respondents noted the time range to be anywhere from 1 day to 2 weeks.This is completely shocking to me. Now, if my boss is breathing down my neck to finish a project by tomorrow & I need software "A" to finish the project, I can't wait 1-7 days. The business process will trump this security process and a) I go up the mgt chain to get an exception b) I bring in my personal computer, load software "A" on it and get the job done. So, I wonder why there has never been a survey with the question "How long does it take to install a software package on a user desktop if you restrict local admin rights?". This is the root cause of the "never ending battle" that I keep hearing about. If you make the user responsible for whatever they load on their machine AND enforce that, then what is the danger of letting them do so? Well, people with no local admin privs can still "infect" a machine by using their browser so once again, what do we accomplish by "preventing" them from loading software? Seems like nothing is accomplished, hence, the "never ending" battle. Call me silly, but I think there is an end to this battle but we don't want to put in the effort to accomplish this. That end involves a) enforcing user responsibility for their actions b) give them basic training (you want to be able to install stuff, you have to sit in this training) c) speed up legit software install requests. I keep hearing about this losing battle with the users so why not think of something radically different? Just a thought for the holidays.... Randy Marchany VA Tech IT Security Office
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights Mike Hanson (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 04)
- Re: Peeling off desktop Administrator Rights Tupker, Mike (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 04)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 04)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 05)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights Kevin Shalla (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Gary Dobbins (Dec 07)
- Re: Peeling off desktop Administrator Rights Dave Kovarik (Dec 07)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 07)
- Re: Peeling off desktop Administrator Rights Iovino, Gabriel G (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights David Escalante (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
(Thread continues...)