Re: Peeling off desktop Administrator Rights

[John Hoffoss <John.Hoffoss () CSU MNSCU EDU>]

> > > On Mon, Dec 7, 2009 at  4:42 PM, in message
<7d7b8eb40912071442t729e43afhc9b538b3037dbaf9 () mail gmail com>, randy marchany
<marchany () VT EDU> wrote: 
> It's been very interesting to see the different scenarios that you
> guys have for delegating some priv set to general users. But, IMHO,
> all of these don't address the real issue: how long does it take for a
> general user to get a software package installed on their desktop if
> you don't allow them to do it themselves? Hours? Days? Weeks?

But that's not the real issue! The real issue is non-technical staff and faculty having access to perform 
administrative functions on their system without the requisite experience and knowledge to execute caution. Say nothing 
of social engineering attacks like phishing that can very convincingly disguise illegitimate content. Also say nothing 
of the technical staff and faculty that do have that experience that still do silly things like browse the web from a 
server. 

Restricting that access provides a great amount of control and greatly enhances system security. 

> As a long time sysadmin (25+ years) I've beginning to think that we
> (sysadmins) are more of the problem than the users because we set up
> environments that make address OUR needs/likes and not so much the
> user requirements. That model dooms a site to failure, I think.  The
> "original" purpose of these restrictions was to prevent users from
> downloading malware/trojans  that were embedded in "cute" programs
> like aquarium backgrounds, etc. So, the sysadmin in me says "no, no,
> no, you can't do that" but we never built an efficient mechanism to
> allow a user to download what THEY need to do THEIR job.  I know one
> of the reasons why I went down this path was because there was only 1
> of me and 10K users. 2 events would overwhelm my response
> capabilities. The attack vectors have changed. Now, malware gets
> inserted on a desktop without any active user intervention other than
> surfing the www and having malware downloaded to their desktop which
> is the very thing we tried to prevent with our "no local admin
> rights". So, are we going to ban www surfing? Doesn't that impact the
> business process? Imagine if we sysadmins aren't allowed to surf sites
> like sourceforge, packetstormsecurity, etc. If that happens, then our
> job becomes much more difficult.

As another poster pointed out, there are still holes in browsers and other software, but it's *much* more difficult to 
exploit a system when a user is a user and not an administrator. But no one is saying you can't browse the web. (Unless 
you're on a server...) What you can't do is browse the web as an administrator. If the desktop is properly restricted, 
the user is not exposed to that kind of risk nearly as much. And when they are, AV and antimalware is significantly 
more effective.

But your point about allowing users the software they need to perform is valid, but that's not necessarily the 
sysadmin's challenge, it's usually the helpdesk's. When I did support while in school, I was able to service every 
request immediately using remote desktop support (ZENworks) so if a user said they needed something installed and it 
didn't appear to pose a threat or a licensing issue, it got installed. Of about 1,200 systems, I went from reimaging 
10-20 per week to 2-4. Sysadmins were happy, users were happy, I was happy.

>  I look at some depts here on campus who let their users install
> whatever software they want and I don't see any significant increase
> in bad events happening in those environments. This leads to me
> question how effective was the user ban?

But presumably that department requested an exception, and if your statement here became untrue, I'd bet you'd be going 
in with a crowbar to remove those privileges from normal users...

Work smarter, not harder, folks.

-jth