Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: David Escalante <david.escalante () BC EDU>
Date: Mon, 7 Dec 2009 13:57:37 -0500
randy marchany wrote:
Call me silly, but I think there is an end to this battle but we don't want to put in the effort to accomplish this. That end involves a) enforcing user responsibility for their actions b) give them basic training (you want to be able to install stuff, you have to sit in this training) c) speed up legit software install requests.
I generally agree with Randy, and would add that I've been interested for the past couple years in deploying some type of "whitelisting" software to assist with this, but have not done so. For example, the whitelist software that interests me most at the moment has a hash table of various "legit" software packages, and when the user installs something new, it checks the executable against this table, and can take various actions if the hash does not match, such as: (1) block the install, (2) notify the user that the software is unusual, (3) notify the Security staff of same, etc.... You can choose the level of enforcement you're comfortable with in your environment, but even worst case, the user installs something and the Security folks get a message that the user installed "AdobeeeeAcrobot.exe" and that it doesn't match the hashes of any known version of Acrobat, which would be a good thing to know in my humble opinion. One reason we haven't moved more aggressively on this has been "client bloat" on our Windows computers...by the time one runs all the executables one desires for security and backup and other functions on one's endpoints, there are a host of potential conflicts where the apps can step on each other, hog memory, slow down the computer, etc. I'm loath to make the situation worse by adding even more security apps. Thoughts on that issue most welcome.... -- David Escalante Boston College
Attachment:
david_escalante.vcf
Description:
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 05)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights Kevin Shalla (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Gary Dobbins (Dec 07)
- Re: Peeling off desktop Administrator Rights Dave Kovarik (Dec 07)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 07)
- Re: Peeling off desktop Administrator Rights Iovino, Gabriel G (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights David Escalante (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
(Thread continues...)