Educause Security Discussion mailing list archives
Re: Granting all users (or "a select few"??) administrative rights on their own computer systems??
From: "Kriss, George N" <GNKriss () MCKENDREE EDU>
Date: Fri, 31 Aug 2012 21:52:46 +0000
We also limit admin privileges to just a select few with those few being local computer admins, which is separate from their standard domain account. We have several group policies that turn off the autoupdate and/or update notification bubble. We then push the Java, Flash etc. updates via group policy during our normal Windows patching timeframe.

As for our Macs on campus. That's why we have student workers :)

If something needs to be installed quickly, we or an approved student worker will remote to their desktop using Microsoft Remote Assistant and help them out.

Geo.

George K R I S S
Director, Information Technology
(618) 537-6445
701 College Road | Lebanon | Illinois | 62254

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Friday, August 31, 2012 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Granting all users (or "a select few"??) administrative rights on their own computer systems??

We allow some users to get a local administrator account, but it is strictly a local account with no rights to any network shares. The idea is that they normally work in an unprivileged account (so they can access network data etc.), and when they want to install software, the UAC prompt appears for them to enter the local user / password. So our users do what I do - normal use on unprivileged account, and when I know I want to do privileged stuff, use UAC and enter an admin account / password.

I think we could minimize even this access if we could get a handle on Java / Adobe updates (prevent users from getting prompts to update and push out those updates automatically).

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, August 31, 2012 3:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Granting all users (or "a select few"??) administrative rights on their own computer systems??

Hi folks.....

Sorry if this is a re-hash of a very old subject, but - most of our users do NOT have administrative rights on their computers. A select few (outside of our centralized IT organization) have what are termed "Z accounts" that are separate user accounts that are issued to individuals that essentially provide them with admin rights on their local systems, but - we've been trying to keep these to a minimum.

However - now that we are getting more and more update notifications for Adobe, Java, etc - the end user population is demanding more and more access to their systems so that they can do their own updates. Up until now - we have held that we (the IT organization) would assist with any updates or software installations - and do so either at the desktop, or remotely through our Service Desk. We do a lot of remote support via RDP and/or PCAnywhere and/or Altiris Deployment Solution. We're keenly aware of the potential risks that this presents, but - we're being told that we have to pursue this direction - in some manner.

From a support perspective, the prevailing belief system is that when we relinquish admin rights to the end users, the field tech workload will swing from "installing updates and software" to "repairing and re-imaging systems".......but, if that's the direction we're told to go, we'll do so without argument.....(personally - I'm not opposed to it at all.....it's more the "support policy" that concerns me.....;-)

But, the bottom line is - we have to allow users (either in general, or in a controlled group?), to install their own software - install their own patches (i.e., Adobe, Java, etc.).

My question is: How do other colleges manage this? Do you give users admin rights as a matter of course?.....or do you have a means of controlling this? Do you continue to lock down the desktop such that most/all users do not have admin rights?.....or do you allow them to configure their own systems themselves, at their own risk?

Without sounding too callous, I *came* from an environment where users *did* have admin rights on their own systems - and for the most part, life was uneventful *except* for the instances where a user would get themselves so twisted up that when they did call for tech support - we basically told them that the 90% solution was to simply re-image their system for them. Data backups were their responsibility - we'd re-image the OS and baseline software - install whatever additional software they could produce proof of licensing for - and re-pointed them to their network data stores......and that was about it. Again - it worked fairly well in a "Fed sector" environment, but I'm not sure how well it would fly in a higher ed environment....??

Sorry this is so long-winded, but - curious to hear how everyone else handles this kind of situation.....

Thanks,

Michael
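
Added example, not part of the thread or any poster's own script: a PowerShell audit for the local-only admin account model Kevin Shalla describes, flagging any domain user placed directly in a machine's local Administrators group. The allowlisted group names and the sample members are constructed assumptions; the `-Live` path uses `Get-LocalGroupMember`, which needs Windows PowerShell 5.1 or later.

```powershell
# Audit local Administrators membership against a "local accounts only" policy.
# Run with -Live on a workstation; without it, the constructed sample is used.
param([switch]$Live)

# Hypothetical allowlist of domain GROUPS permitted in local Administrators.
$ApprovedDomainGroups = @('EXAMPLE\Domain Admins', 'EXAMPLE\Desktop-Support')

function Test-AdminMember {
    param(
        [Parameter(Mandatory)] $Member,
        [string[]] $Approved = @()
    )
    # Local accounts hold no rights on network shares by themselves.
    if ([string]$Member.PrincipalSource -eq 'Local') { return 'OK-local' }
    # Domain groups are acceptable only when explicitly approved.
    if ($Member.ObjectClass -eq 'Group' -and $Approved -contains $Member.Name) {
        return 'OK-approved-group'
    }
    # Anything else (e.g. a user's everyday domain account) breaks the model.
    return 'REVIEW'
}

# Constructed sample shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'PC01\z-jdoe';           ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';          ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
# so the query works regardless of the OS display language.
$members = if ($Live) { Get-LocalGroupMember -SID 'S-1-5-32-544' } else { $sample }

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name    = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Verdict = Test-AdminMember -Member $m -Approved $ApprovedDomainGroups
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a management tool collect non-compliant machines.
if ($report.Verdict -contains 'REVIEW') { exit 1 }
```

On the constructed sample only `EXAMPLE\jdoe` is marked `REVIEW`, because it is a domain user added directly to the group rather than a separate local admin account.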
Current thread:
- Granting all users (or "a select few"??) administrative rights on their own computer systems?? SCHALIP, MICHAEL (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Jeff Moore (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Cappalli, Tim G @ LSC-OIT (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Shalla, Kevin (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Kriss, George N (Aug 31)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Schumacher, Adam J. (Sep 01)
- Re: Granting all users (or "a select few"??) administrative rights on their own computer systems?? Chris Green (Sep 05)