Re: Peeling off desktop Administrator Rights

[Gary Dobbins <dobbins () ND EDU>]

Randy, I like your hybrid suggestion.  Taking it a step further, what if users had the ability to self-escalate when 
they "really need to" such as for a software install, but would normally work in non-admin mode?  Nothing as convenient 
as Vista's UAC popup - I'm talking about "logout as self, login as admin, install or whatever, then logout and back in 
as self."

Not super convenient - and it shouldn't be.  It should be possible for them to take full control when truly needed and 
without the risk of doing so in a too-cavalier manner.  Just having to click "ok" to the UAC is still too close to the 
level of social engineering where the Trojan Horses live at the moment.  By making them re-login to do an install, it 
can be logged, and tends to force them to close browsers, etc. that might be carrying the Trojan Horse.



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
> Sent: Monday, December 07, 2009 11:44 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
>
> I presume the primary reason for preventing local users from having
> admin rights on their desktops is to keep them from installing
> "evil"
> software.
>
> If this is so, then my question to the group is "how long does it
> take
> a desktop user to get a "legitimate" piece of software installed on
> their desktop? In other words, I have to use software package "A"
> to
> do my job. How long does it take for "A" to be installed on my
> desktop? My informal straw poll respondents noted the time range to
> be
> anywhere from 1 day to 2 weeks.This is completely shocking to me.
> Now, if my boss is breathing down my neck to finish a project by
> tomorrow & I need software "A" to finish the project, I can't wait
> 1-7
> days. The business process will trump this security process and a)
> I
> go up the mgt chain to get an exception b) I bring in my personal
> computer, load software "A" on it and get the job done.
>
> So, I wonder why there has never been a survey with the question
> "How
> long does it take to install a software package on a user desktop
> if
> you restrict local admin rights?". This is the root cause of the
> "never ending battle" that I keep hearing about. If you make the
> user
> responsible for whatever they load on their machine AND enforce
> that,
> then what is the danger of letting them do so? Well, people with no
> local admin privs can still "infect" a machine by using their
> browser
> so once again, what do we accomplish by "preventing" them from
> loading
> software? Seems like nothing is accomplished, hence, the "never
> ending" battle.
>
> Call me silly, but I think there is an end to this battle but we
> don't
> want to put in the effort to accomplish this. That end involves a)
> enforcing user responsibility for their actions b) give them basic
> training (you want to be able to install stuff, you have to sit in
> this training) c) speed up legit software install requests.
>
> I keep hearing about this losing battle with the users so why not
> think of something radically different?
>
> Just a thought for the holidays....
>
> Randy Marchany
> VA Tech IT Security Office