Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Tue, 8 Dec 2009 12:46:32 -0600
On Mon, Dec 7, 2009 at 4:42 PM, in message
<7d7b8eb40912071442t729e43afhc9b538b3037dbaf9 () mail gmail com>, randy marchany <marchany () VT EDU> wrote:
It's been very interesting to see the different scenarios that you guys have for delegating some priv set to general users. But, IMHO, all of these don't address the real issue: how long does it take for a general user to get a software package installed on their desktop if you don't allow them to do it themselves? Hours? Days? Weeks?
But that's not the real issue! The real issue is non-technical staff and faculty having access to perform administrative functions on their system without the requisite experience and knowledge to execute caution. Say nothing of social engineering attacks like phishing that can very convincingly disguise illegitimate content. Also say nothing of the technical staff and faculty that do have that experience that still do silly things like browse the web from a server. Restricting that access provides a great amount of control and greatly enhances system security.
As a long time sysadmin (25+ years) I've beginning to think that we (sysadmins) are more of the problem than the users because we set up environments that make address OUR needs/likes and not so much the user requirements. That model dooms a site to failure, I think. The "original" purpose of these restrictions was to prevent users from downloading malware/trojans that were embedded in "cute" programs like aquarium backgrounds, etc. So, the sysadmin in me says "no, no, no, you can't do that" but we never built an efficient mechanism to allow a user to download what THEY need to do THEIR job. I know one of the reasons why I went down this path was because there was only 1 of me and 10K users. 2 events would overwhelm my response capabilities. The attack vectors have changed. Now, malware gets inserted on a desktop without any active user intervention other than surfing the www and having malware downloaded to their desktop which is the very thing we tried to prevent with our "no local admin rights". So, are we going to ban www surfing? Doesn't that impact the business process? Imagine if we sysadmins aren't allowed to surf sites like sourceforge, packetstormsecurity, etc. If that happens, then our job becomes much more difficult.
As another poster pointed out, there are still holes in browsers and other software, but it's *much* more difficult to exploit a system when a user is a user and not an administrator. But no one is saying you can't browse the web. (Unless you're on a server...) What you can't do is browse the web as an administrator. If the desktop is properly restricted, the user is not exposed to that kind of risk nearly as much. And when they are, AV and antimalware is significantly more effective. But your point about allowing users the software they need to perform is valid, but that's not necessarily the sysadmin's challenge, it's usually the helpdesk's. When I did support while in school, I was able to service every request immediately using remote desktop support (ZENworks) so if a user said they needed something installed and it didn't appear to pose a threat or a licensing issue, it got installed. Of about 1,200 systems, I went from reimaging 10-20 per week to 2-4. Sysadmins were happy, users were happy, I was happy.
I look at some depts here on campus who let their users install whatever software they want and I don't see any significant increase in bad events happening in those environments. This leads to me question how effective was the user ban?
But presumably that department requested an exception, and if your statement here became untrue, I'd bet you'd be going in with a crowbar to remove those privileges from normal users... Work smarter, not harder, folks. -jth
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 08)
- Re: Peeling off desktop Administrator Rights Valdis Kletnieks (Dec 08)
- Re: Peeling off desktop Administrator Rights John Hoffoss (Dec 08)
- Re: Peeling off desktop Administrator Rights Kreider, Randall G (Dec 10)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 10)