Re: Peeling off desktop Administrator Rights

[Eric Case <ecase () EMAIL ARIZONA EDU>]

We had 24-hour turnaround time.  If the user cannot give us a workdays
notice because of something beyond their control, we understood.  If they
could not give us a days notice because of poor planning on their part . . .

Eat your own dog food, right.  I required everyone, myself and sysadmins
included, to run as user and use runas.  On the servers I took over because
the sysadmins could keep them from being infected, I blocked outbound port
80.  The infections stopped when the sysadmins could not surf from the
server and had to surf from their desktop.

You say you did not see a "significant increase in bad events happening in
those environments" where users can install whatever they want, but do you
know if the systems were being monitored?  It has been my experience that
when IT lets users have full admin access the system logs are not monitored,
AV gets turned off (to many pop ups), system backups are not done, etc.
-Eric



Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
> Sent: Monday, December 07, 2009 3:43 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Peeling off desktop Administrator Rights
>
> It's been very interesting to see the different scenarios that you
> guys have for delegating some priv set to general users. But, IMHO,
> all of these don't address the real issue: how long does it take for a
> general user to get a software package installed on their desktop if
> you don't allow them to do it themselves? Hours? Days? Weeks?
>
> As a long time sysadmin (25+ years) I've beginning to think that we
> (sysadmins) are more of the problem than the users because we set up
> environments that make address OUR needs/likes and not so much the
> user requirements. That model dooms a site to failure, I think.  The
> "original" purpose of these restrictions was to prevent users from
> downloading malware/trojans  that were embedded in "cute" programs
> like aquarium backgrounds, etc. So, the sysadmin in me says "no, no,
> no, you can't do that" but we never built an efficient mechanism to
> allow a user to download what THEY need to do THEIR job.  I know one
> of the reasons why I went down this path was because there was only 1
> of me and 10K users. 2 events would overwhelm my response
> capabilities. The attack vectors have changed. Now, malware gets
> inserted on a desktop without any active user intervention other than
> surfing the www and having malware downloaded to their desktop which
> is the very thing we tried to prevent with our "no local admin
> rights". So, are we going to ban www surfing? Doesn't that impact the
> business process? Imagine if we sysadmins aren't allowed to surf sites
> like sourceforge, packetstormsecurity, etc. If that happens, then our
> job becomes much more difficult.
>
>  I look at some depts here on campus who let their users install
> whatever software they want and I don't see any significant increase
> in bad events happening in those environments. This leads to me
> question how effective was the user ban?
>
> That's why I'm curious to see how long it takes from the time a user
> requests a software package to be installed on their desktop to the
> time it actually gets installed. I think you'll see what I'm talking
> about when we look at the responses.
>
> -r.