Educause Security Discussion mailing list archives

Re: The value of 'least privilege'

From: "Howe, Joe" <joe.howe () MAIL UTEXAS EDU>
Date: Tue, 30 Mar 2010 12:56:14 -0500

I second Jeff's comments.


We have hundreds of users running with standard user accounts.

Faculty, laptop users and some desktop users get an additional domain
account that has admin privileges.  They are trained on when to use it (and
when not to).  So far we have only had one user install something that got
them in trouble.  At the same time, we have dramatically limited the number
of root level compromises (essentially zero) and the user based compromises
we have seen are much easier to remediate.

We started on this 5+ years ago with the IT staff and expanded from there.
Every time there is a computer upgrade or employee turnover, we changed to
the new setup.  Even with vista/7 we are keeping this model, despite the
integrity level features that you still have - UAC provides too much leeway.

A few things we have learned:

- don't try to mix running with a user account with "taking away your admin
privileges".  In the end, there needs to be a reason for them having an
admin account but make that a separate decision.  This helps avoid the
additional politics of taking things away.

- start with the IT staff so they can know what users are facing.  Our IT
staff advocate highly for this setup even in their homes.

- be very familiar with Process Monitor (sysinternals) to troubleshoot those
poorly coded apps

- leverage application (or even OS) virtualization for those extremely
poorly coded apps.  We have used both Softricity/App-V and Thinapp

- audit the local admin group membership as a standard practice when you
locally or remotely touch a machine to add another validation that there is
no privilege creep

It can be a long road but from the security principles and reality of OS'es
and malware - it is a good direction.

-Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey I. Schiller
Sent: Tuesday, March 30, 2010 11:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] The value of 'least privilege'

Of course there is a middle ground. People in general should run without
administrator privileges (even people who know what they are doing!).
But that doesn't mean that they shouldn't have access to a separate
account with privileges which they use *occasionally* only to install
software and other tasks that require privilege.

In this case you don't have to wait, and you are also protected from a
significant amount of malware.

Of course the trick is for people to avoid becoming lazy and just
running with privileges all the time... Human nature and all...

                        -Jeff

On 03/30/2010 10:46 AM, randy marchany wrote:

While I agree that limiting administrative rights is a good thing,
sites need to answer accurately the following questions:

1. How long does it take your IT staff to install software that an end
user needs?
2. How long does it take your IT staff to check such software for
security issues? Presumably, this is the real reason why end user
aren't allowed to install software. If your IT staff doesn't check
software for security issues, they can make the same mistake. Do your
admins even check for security problems with vendor software? I
suspect it's not a thorough check.

If the answers to the above questions are "long" and an end user needs
the software ASAP (who doesn't?), then the end user will find ways to
bypass this restriction in order to get the job done. Having a timely
software installation process is critical to the success of this
security solution. No sysadmin can anticipate what software is needed
at any given point in time.

I'm curious to see what the answers are to the above questions. My
informal survey answers range from 1 day (ok) to 2 weeks (not ok).

-Randy Marchany
VA Tech IT Security Office


--
 =======================================================================
Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
 =======================================================================

Attachment: smime.p7s
Description:

Current thread:

Re: The value of 'least privilege' Dexter Caldwell (Mar 30)
- <Possible follow-ups>
- The value of 'least privilege' Allison Dolan (Mar 30)
- Re: The value of 'least privilege' Mike Hanson (Mar 30)
- Re: The value of 'least privilege' randy marchany (Mar 30)
- Re: The value of 'least privilege' Eric Case (Mar 30)
- Re: The value of 'least privilege' Basgen, Brian (Mar 30)
- Re: The value of 'least privilege' Eric Case (Mar 30)
- Re: The value of 'least privilege' Sarazen, Daniel (Mar 30)
- Re: The value of 'least privilege' Jeffrey I. Schiller (Mar 30)
- Re: The value of 'least privilege' Matthew Wollenweber (Mar 30)
- Re: The value of 'least privilege' Howe, Joe (Mar 30)
- Re: The value of 'least privilege' Steve Werby (Mar 30)
- Re: The value of 'least privilege' randy marchany (Mar 30)