Re: Lab Computers, Research & Administrative Rights

[Michael Schalip <MSchalip () SALUD UNM EDU>]

I'll put a plug in for DeepFreeze.  We used it for years in ~50 computer labs across the Albuquerque metro area.  It 
has a centralized console that can be segmented and shared.....and we were able to successfully integrate 
Symantec/Altiris (at the time) with DeepFreeze, (I think they dropped Altiris to move to something else?)  Overall - a 
good product, easy to maintain and relatively cheap....

Cheers....

Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Menne, 
Michael S
Sent: Wednesday, June 06, 2018 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Lab Computers, Research & Administrative Rights

We use a product from Faronics called DeepFreeze. It keeps the machine in a steady state. Students, Faculty and Staff 
can have Administrative rights to the lab computers as long as DeepFreeze is loaded and enabled.  If the computer gets 
compromised (which hasn't happened very often), the computer is rebooted and the computer is clean again.  DeepFreeze 
allows for thaw periods (we set it for 2am-6am) so that patches can be applied.

For shared department computers, we do not allow administrative rights for students unless there is a request and a 
valid need. We have a few pieces of "lazy" software that require administrative rights.  In most cases, the software is 
just looking for permission to a directory that is otherwise restricted without administrative rights.  

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
www.mnsu.edu/its/security
 

 
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hahues, Sven
Sent: Wednesday, June 6, 2018 9:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Lab Computers, Research & Administrative Rights

Hi everyone,

I wanted to find out if some of you could share what some of the approaches you have taken when handling shared 
computers, such as devices used in labs that are hooked up to research equipment where faculty/staff and students may 
need to have administrative rights.

We have been in the process of removing administrative rights, and if the computer is loaded by central IT, students do 
not have administrative rights.  We have been getting an increasing number of requests to allow for this to happen and 
are hesitant to do so.

Could you guys share some of your approaches?

Thanks,

Sven

Sven Hahues
Florida Gulf Coast University
Director, ITS Helpdesk, Network Services & Security
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu