Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: randy marchany <marchany () VT EDU>
Date: Mon, 7 Dec 2009 17:42:41 -0500
It's been very interesting to see the different scenarios that you guys have for delegating some priv set to general users. But, IMHO, all of these don't address the real issue: how long does it take for a general user to get a software package installed on their desktop if you don't allow them to do it themselves? Hours? Days? Weeks? As a long time sysadmin (25+ years) I've beginning to think that we (sysadmins) are more of the problem than the users because we set up environments that make address OUR needs/likes and not so much the user requirements. That model dooms a site to failure, I think. The "original" purpose of these restrictions was to prevent users from downloading malware/trojans that were embedded in "cute" programs like aquarium backgrounds, etc. So, the sysadmin in me says "no, no, no, you can't do that" but we never built an efficient mechanism to allow a user to download what THEY need to do THEIR job. I know one of the reasons why I went down this path was because there was only 1 of me and 10K users. 2 events would overwhelm my response capabilities. The attack vectors have changed. Now, malware gets inserted on a desktop without any active user intervention other than surfing the www and having malware downloaded to their desktop which is the very thing we tried to prevent with our "no local admin rights". So, are we going to ban www surfing? Doesn't that impact the business process? Imagine if we sysadmins aren't allowed to surf sites like sourceforge, packetstormsecurity, etc. If that happens, then our job becomes much more difficult. I look at some depts here on campus who let their users install whatever software they want and I don't see any significant increase in bad events happening in those environments. This leads to me question how effective was the user ban? That's why I'm curious to see how long it takes from the time a user requests a software package to be installed on their desktop to the time it actually gets installed. I think you'll see what I'm talking about when we look at the responses. -r.
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Valdis Kletnieks (Dec 08)
- Re: Peeling off desktop Administrator Rights John Hoffoss (Dec 08)
- Re: Peeling off desktop Administrator Rights Kreider, Randall G (Dec 10)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 10)