Re: Desktop Administrator Question

[Steve Kuchta <skuchta () VCU EDU>]

We have been working with privilege-elevation software which allows us 
to remove admin privileges from users and setup a whitelist of 
installers and/or applications that when launched, the software 
temporarily grants admin rights to the user. While we are still in the 
roll-out process for this, feedback has been very positive so far. The 
tool we're using is called Viewfinity, but I believe there are other 
similar options out there.

With Viewfinity, there are a couple of ways of handling circumstances 
when users need to install software not on the whitelist. As we have it 
setup right now, a request comes into us for approval.

http://www.viewfinity.com/Products/PrivilegeManagement/Elevate-Privileges.aspx

Thanks,
Steve

--
Steve Kuchta
skuchta () vcu edu <mailto:skuchta () vcu edu>
Information Security Manager
Infrastructure and Client Services
School of Medicine Technology Services
http://go.vcu.edu/somtech

------------------------------------------------------------------------
Don't be a phishing victim - VCU and other reputable organizations will 
never use email to request that you reply with your password, social 
security number or confidential personal information. For more details 
visit http://go.vcu.edu/phishing.
------------------------------------------------------------------------

On 2/1/2012 2:32 PM, Gramke, Jim wrote:
> We tried very hard to take away admin rights on the desktops, or at 
> least get users to run with a non-priv'd account, but in the end, it 
> was deemed by the helpdesk people that it would create too many calls, 
> and the plan was unceremoniously  vetoed.    The ability for everybody 
> to install anything at any time for any reason is so deeply 
> entrenched, that I think it's hard to muster the political courage to 
> make a change.     Now we see that attitude bleed over into the mobile 
> world as well.
>
> If anybody has successfully removed admin rights, I'd love to hear 
> some tales of strategy, and implementation.   Even just a procedure on 
> how to handle when professor X needs to install applications Y on his 
> desktop.
>
> Jim Gramke
>
> Acting IT Security Manager
>
> College of St. Benedict | St. John's University
>
> *From:*Steven Alexander [mailto:alexander.s () MCCD EDU]
> *Sent:* Tuesday, January 31, 2012 5:34 PM
> *Subject:* Re: Desktop Administrator Question
>
> We are currently moving away from giving local admin rights to all 
> users.  Everyone, including  system/network administrators should be 
> operating with basic user privileges most of the time.  Client-side 
> exploits are a major attack vector and many or most of them depend on 
> users having admin privileges.
>
> Regards,
>
> Steven Alexander Jr.
>
> Online Education Systems Manager
>
> Merced College
>
> 3600 M Street
>
> Merced, CA 95348-2898
>
> (209) 384-6191
>
> alexander.s () mccd edu <mailto:alexander.s () mccd edu>
>
> *From:*The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Johnson, Jeff
> *Sent:* Tuesday, January 31, 2012 3:13 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Desktop Administrator Question
>
> Hello Everyone,
>
> DePaul is currently evaluating how we have access rights and roles 
> setup on desktop/laptop computers at the institution.  We currently 
> give all employees administrator rights to their desktop computer.  
> Our understanding is that most institutes of higher education are 
> offering employees of the institution administrator rights on their 
> desktops, but we would like to validate this to satisfy some questions 
> from some others (particularly internal audit folks).  As such, we 
> were interested in gathering some more concrete data on this and have 
> created a very short and simple (4 question) survey to capture this 
> information.    We would very much appreciate your participation if 
> you are able, and we will share the results for everyone via email 
> (cleansing any personal information you choose to enter prior to doing 
> so of course).  If you would rather pass this on to colleagues 
> involved in desktop administration and support, that would also be 
> most appreciated.
>
> Here is a link to the survey: 
> http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaI
>
> Thank you so much for your help!
>
> Regards,
>
> Jeff Johnson
>
> Infrastructure Support Manager,
>
> Information Systems,
>
> DePaul University
>
>
>   ­­