Educause Security Discussion mailing list archives

Re: Granting all users (or "a select few"??) administrative rights on their own computer systems??


From: "Durfee, Jeff" <jdurfee () UNF EDU>
Date: Thu, 6 Sep 2012 08:25:31 -0400

This is a topic of ongoing interest here as well. We have just reached the 1 year mark to a more managed environment 
where we restrict access to local administrator accounts.  It has been, as pretty much everyone can guess or knows from 
experience, painful politically.  We have a good process for handling exception requests in place that involves a 
review board consisting of an administrative staff member, a faculty member and an appointee of the Provost.  Requests 
are reviewed and generally acted upon in less than a week unless there is a need to seek more information (some of the 
submitted justifications are sketchy or do not contain enough information).

Our major challenge has been the number of folks who seem to believe that performing maintenance on "their" computer is 
part of their job. We also have challenges in getting a good handle on eliminating all of the nuisance popups for 
updates (Adobe, Java, etc.). While we are doing a better job now, it is still an issue. When it comes to software 
installations, we are working on a system that will provide a menu of self-service selections. This will operate with 
our management tool (Altiris) and push those jobs out to the requested computer(s) in short order. Licensing, 
management, and patching can all be managed in this way and frankly, that is a 90%+ solution right there.

As has been commented, the dangers of allowing unrestricted local admin accounts are well documented, and not all of 
the issues are strictly security related. As only one example, something as common as Java comes with extra software 
selections *preselected* during installation. If users do not know what to look for and are allowed to self-install, 
we're going to have a lot of computers running the Ask.com toolbar in short order.

At this point, we know that our support workload has largely shifted from fire-fighting to satisfying on demand 
software installations and normal configuration issues. The number of pending support tickets has been reduced, at 
least partially due to this shift in policy. We are also working through plans to further streamline the request 
process, which will include a self-paced education component plus assessment, ties to the property system (for 
verifying 'ownership') and partial automation of this process.

We firmly believe we are on the right path in terms of how to most effectively deliver high quality support within a 
very constrained budget. Whether this holds up in the face of the cultural and political hurdles most (if not all) 
higher ed institutions face remains to be seen, but we are hopeful that it will.


~Jeff

Jeff Durfee, CISSP
Director, IT Security
University of North Florida
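The control described above, restricting membership of the local Administrators group and routing everything else through a reviewed exception process, only holds if someone periodically checks that workstations actually match the approved list. The script below is an added example written for this archive, not code from UNF or from anyone in the thread. It assumes PowerShell 3.0 or later and the WinNT ADSI provider (present on Windows 7 as well as on current Windows), and the approved account names in it are constructed placeholders to be replaced with the names your review board has actually granted.

```powershell
# Added example for this archive page, not code from UNF or from anyone in the
# thread. Audits the local Administrators group on a Windows workstation
# against an approved list and reports anyone outside it, so a restricted
# local-admin policy can be verified rather than assumed.
# Assumes PowerShell 3.0+ and the WinNT ADSI provider (present on Windows 7
# and later). Account names below are constructed placeholders.

$ApprovedAdmins = @(
    '.\Administrator',              # placeholder: built-in local account
    'EXAMPLE\Domain Admins',        # placeholder: domain group
    'EXAMPLE\Workstation-Admins'    # placeholder: central IT support group
)

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Enumerate members through ADSI; this works on hosts too old for Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals, WinNT://HOST/name for
        # local ones, and WinNT://S-1-5-... for orphaned SIDs that no longer resolve.
        $parts  = ($path -replace '^WinNT://', '') -split '/'
        $domain = if ($parts.Count -ge 2) { $parts[0] } else { $ComputerName }
        $name   = $parts[-1]
        if ($domain -ieq $ComputerName) { $domain = '.' }   # normalise local accounts to .\name
        [pscustomobject]@{ Account = "$domain\$name"; Class = $class }
    }
}

function Test-LocalAdminBaseline {
    param(
        [string[]]$Approved,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($member in Get-LocalAdminMembers -ComputerName $ComputerName) {
        [pscustomobject]@{
            Computer = $ComputerName
            Account  = $member.Account
            Class    = $member.Class
            Approved = [bool]($Approved -contains $member.Account)  # -contains is case-insensitive
        }
    }
}

# Usage: run locally under the central IT account, or push it out through the
# management tool as a scheduled job and collect the output centrally.
$report     = @(Test-LocalAdminBaseline -Approved $ApprovedAdmins)
$unexpected = @($report | Where-Object { -not $_.Approved })

$report | Format-Table -AutoSize

if ($unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.Account }) -join ', '
    Write-Warning "$($unexpected.Count) member(s) of local Administrators outside the approved list: $names"
    exit 1      # non-zero so a management job or ticketing hook can flag the machine
}
```

Accounts granted through the exception process (the "Z account" pattern from the original question) belong in the approved list per machine, taken from the review board's records rather than from whatever is currently on the box; otherwise the audit silently blesses the state it is meant to check. Orphaned SIDs that show up as `.\S-1-5-21-...` are worth treating as findings too, since they usually mean an account was deleted without being removed from the group.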


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Thursday, September 06, 2012 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 4 Sep 2012 to 5 Sep 2012 (#2012-164)

There is 1 message totalling 375 lines in this issue.

Topics of the day:

  1. Granting all users (or "a select few"??) administrative rights on their
     own computer systems??

----------------------------------------------------------------------

Date:    Wed, 5 Sep 2012 16:55:48 +0000
From:    Chris Green <cmgreen () UAB EDU>
Subject: Re: Granting all users (or "a select few"??) administrative rights on their own computer systems??

Sounds like you are in a highly managed environment and the issue is response time to install software. In places that have that culture, I've heard "we were happy technology X allowed us to improve to a two week install time" and places with admin rights on desktop "How do you survive politically!#@?"

Many of the application whitelist vendors try to have a happy medium that lets a central helpdesk get notice of software installs. If they permit it, they can choose to permit it everywhere (such as some obscure line of business application) or just this one install. End user gets responsiveness and theoretically you gain a two party control on all software installs. One way we've handled it is managed desktops cost a certain rate per system. If you have admin rights, we charge you more on the theory you'll have more edge cases to support.

I've only played enough in Whitelisting to suggest you really need something more than AppLocker in Windows 7 to pull it off in a home run fashion.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, August 31, 2012 3:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Granting all users (or "a select few"??) administrative rights on their own computer systems??

Hi folks.....

Sorry if this is a re-hash of a very old subject, but - most of our users do NOT have administrative rights on their computers. A select few (outside of our centralized IT organization) have what are termed "Z accounts" that are separate user accounts that are issued to individuals that essentially provide them with admin rights on their local systems, but - we've been trying to keep these to a minimum. However - now that we are getting more and more update notifications for Adobe, Java, etc - the end user population is demanding more and more access to their systems so that they can do their own updates. Up until now - we have held that we (the IT organization) would assist with any updates or software installations - and do so either at the desktop, or remotely through our Service Desk. We do a lot of remote support via RDP and/or PCAnywhere and/or Altiris Deployment Solution.

We're keenly aware of the potential risks that this presents, but - we're being told that we have to pursue this direction - in some manner. From a support perspective, the prevailing belief system is that when we relinquish admin rights to the end users, the field tech workload will swing from "installing updates and software" to "repairing and re-imaging systems".......but, if that's the direction we're told to go, we'll do so without argument.....(personally - I'm not opposed to it at all.....it's more the "support policy" that concerns me.....;-)

But, the bottom line is - we have to allow users (either in general, or in a controlled group?), to install their own software - install their own patches (ie, Adobe, Java, etc.).

My question is: How do other colleges manage this? Do you give users admin rights as a matter of course?.....or do you have a means of controlling this? Do you continue to lock down the desktop such that most/all users do not have admin rights?.....or do you allow them to configure their own systems themselves, at their own risk?

Without sounding too callous, I *came* from an environment where users *did* have admin rights on their own systems - and for the most part, life was uneventful *except* for the instances where a user would get themselves so twisted up that when they did call for tech support - we basically told them that the 90% solution was to simply re-image their system for them. Data backups were their responsibility - we'd re-image the OS and baseline software - install whatever additional software they could produce proof of licensing for - and re-pointed them to their network data stores......and that was about it. Again - it worked fairly well in a "Fed sector" environment, but I'm not sure how well it would fly in a higher ed environment....??

Sorry this is so long-winded, but - curious to hear how everyone else handles this kind of situation.....

Thanks,

Michael


------------------------------

End of SECURITY Digest - 4 Sep 2012 to 5 Sep 2012 (#2012-164)