Educause Security Discussion mailing list archives

Re: The value of 'least privilege'


From: "Jeffrey I. Schiller" <jis () MIT EDU>
Date: Tue, 30 Mar 2010 12:25:37 -0400

Of course there is a middle ground. People in general should run without
administrator privileges (even people who know what they are doing!).
But that doesn't mean that they shouldn't have access to a separate
account with privileges which they use *occasionally* only to install
software and other tasks that require privilege.

In this case you don't have to wait, and you are also protected from a
significant amount of malware.

Of course the trick is for people to avoid becoming lazy and just
running with privileges all the time... Human nature and all...

                        -Jeff

On 03/30/2010 10:46 AM, randy marchany wrote:
While I agree that limiting administrative rights is a good thing,
sites need to answer accurately the following questions:

1. How long does it take your IT staff to install software that an end
user needs?
2. How long does it take your IT staff to check such software for
security issues? Presumably, this is the real reason why end users
aren't allowed to install software. If your IT staff doesn't check
software for security issues, they can make the same mistake. Do your
admins even check for security problems with vendor software? I
suspect it's not a thorough check.

If the answers to the above questions are "long" and an end user needs
the software ASAP (who doesn't?), then the end user will find ways to
bypass this restriction in order to get the job done. Having a timely
software installation process is critical to the success of this
security solution. No sysadmin can anticipate what software is needed
at any given point in time.

I'm curious to see what the answers are to the above questions. My
informal survey answers range from 1 day (ok) to 2 weeks (not ok).

-Randy Marchany
VA Tech IT Security Office

-- 
========================================================================
Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
========================================================================
