Educause Security Discussion mailing list archives
Re: Restricting PC Admin Rights
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Mon, 13 Aug 2018 20:58:20 +0000
I’ve been in on a few see-saw discussions on this topic. The only positive reason not countered for forcing a password change, is that the likelihood of a user having a password that is the same as one of their outside accounts is far less. The timing is up in the air though as to a good time frame. Robert W. Barton Director of Information Security Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Burns, Denis Sent: Monday, August 13, 2018 3:46 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Restricting PC Admin Rights Thanks Roman – It is a good read for everyone within IT as well as executive leadership. The comments on that article were insightful as well. While I am in agreement with the article about most of the points, the one that they miss is that auditors are going to judge your organization off of their score sheets that may, or may not, reflect the best practices ‘of the moment’. While we all work to secure our environments from bad actors, the flip side of that coin is that we also make decisions and take actions to protect our jobs from internal and external auditors and their ‘findings’. I wonder if anyone on-list has been through a PCI or HHS audit recently and what was determined about their PW stance? -d Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University (850) 644-3648 – denis.burns () med fsu edu<mailto:denis.burns () med fsu edu> *** Be a cyberhero! Build a safe cyberspace at Florida State. *** From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Simanovich, Roman Sent: Monday, August 13, 2018 4:35 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Restricting PC Admin Rights Frank, FYI, good read. https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes Thanks, Roman From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Burns, Denis Sent: Monday, August 13, 2018 3:58 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Restricting PC Admin Rights Hi Frank, Happy to share some of the rationale offline. While I petitioned for 60 days across the board, I will be happy to settle for either a slightly longer window with a complex PW, or much longer (1-2 year) with a passphrase. We are working through the technical side to see if we can allow our customers t self op-in for the passphrase option or switch back and forth w/o technician assistance. Also, trying to see if we can assign them to groups with different requirements (clinical staff versus EDU admin staff, etc.) -d Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University (850) 644-3648 – denis.burns () med fsu edu<mailto:denis.burns () med fsu edu> *** Be a cyberhero! Build a safe cyberspace at Florida State. *** From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Frank Barton Sent: Monday, August 13, 2018 3:36 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Restricting PC Admin Rights Denis... why the expiring passwords? and what time-frame are you using? Frank On Mon, Aug 13, 2018 at 3:14 PM, Burns, Denis <denis.burns () med fsu edu<mailto:denis.burns () med fsu edu>> wrote: We are taking the “Never let a good crisis go to waste” methodology and are using another initiative to roll it to our customer base. Everyone wants Windows 10, but we have been slow to adopt. Now, all new images have standard user rights. Many IT folks are issued a separate domain account with local admin rights *on their computer only* for dismissing UAC’s and running things elevated as needed. For customer support, we use LAPS for technicians to elevate as needed on computers in the field (either remotely or in person). We are about 70% through and should complete in the next 2 months; we have only met minimal pushback. We also instituted a process for anyone to request software that involves leadership review/approval and deployment via Software Center for most products. Next on deck for us, expiring passwords. -d Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University (850) 644-3648 – denis.burns () med fsu edu<mailto:denis.burns () med fsu edu> *** Be a cyberhero! Build a safe cyberspace at Florida State. *** From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Boyd, Daniel Sent: Monday, August 13, 2018 2:36 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Restricting PC Admin Rights I am about to take up this fight at my institution. I’ll also be closely watching this thread and would also appreciate any input on strategy and marketing that anyone can offer, as I am rather new at this job (only six weeks in and already going for the heavyweights…). I would be glad to take any conversations offline and would report back a summary to the list, if anyone is interested. Dan Daniel H. Boyd (94C) Director of Information Security Office for Information Technology Information Security Advisory Group Chair Berry College Phone: 706-236-1750 Fax: 706-238-5824 There are two rules to follow with your account passwords: 1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!) 2. If unsure, consult rule #1 From: Davis, Chris <CDavis () LOURDES EDU<mailto:CDavis () LOURDES EDU>> Sent: Monday, August 13, 2018 12:03 PM Subject: Re: [External Sender] [SECURITY] Restricting PC Admin Rights For such an easy security measure, this always creates havoc. On the IT side of things, so many things can be prevented with a least privilege model. However, from the other side of the house, we always meet huge resistance because we are “taking away admin rights” from our users. People feel like we don’t trust them. And from a certain point of view that is right. In the security world, we should not trust anyone. But at the same time, the people I really don’t trust are those that are targeting our employees. So, this is measure that gives some quick security at no cost, other than a change in the way our users do things. I will be watching this thread closely. Chris Christopher Davis, Ph.D. Chief Information Officer Assistant Professor of Education Apple Teacher Lourdes University 6832 Convent Blvd<https://maps.google.com/?q=6832+Convent+Blvd&entry=gmail&source=g> | REH 003P | Sylvania, OH 43560 cdavis () lourdes edu<mailto:cdavis () lourdes edu> CyberAware – Be aware. Stay Secure! Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu<mailto:infosec () lourdes edu>. For more information please visit lourdes.edu/cyberaware<http://lourdes.edu/cyberaware>. CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. On Aug 13, 2018, at 11:06 AM, Pardonek, Jim <jpardonek () LUC EDU<mailto:jpardonek () LUC EDU>> wrote: Not sure if there is somewhere else I can get this info, I’m sure it’s been asked before, but I am checking to see how many of your institutions restrict admin rights. We are putting a proposal together to leadership to do exactly that as we have had a number of folks fall for scams that involve the installation of software on their PCs. Thanks, James Pardonek, MS, CISSP, CEH, GSNA Information Security Officer Loyola University Chicago 1032 W. Sheridan Road | Chicago, IL<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL+60660&entry=gmail&source=g> 60660<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL+60660&entry=gmail&source=g> •: (773) 508-6086<tel:(773)%20508-6086> Loyola University Chicago will never ask you for your username or password. For the lastest information security news at Loyola, please follow us online, Twitter: @LUCUISO Facebook: https://www.facebook.com/lucuiso/ Our Blog http://blogs.luc.edu/uiso/ -- Frank Barton, MBA Security+, ACMT, MCP IT Systems Administrator Husson University This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Current thread:
- Re: [External Sender] [SECURITY] Restricting PC Admin Rights, (continued)
- Re: [External Sender] [SECURITY] Restricting PC Admin Rights Frank Barton (Aug 13)
- Re: Restricting PC Admin Rights Madl, Michael (Aug 13)
- Re: Restricting PC Admin Rights Boyd, Daniel (Aug 13)
- Message not available
- Re: Restricting PC Admin Rights Richard Gould (Aug 13)
- Re: Restricting PC Admin Rights Frank Barton (Aug 13)
- Message not available
- Re: Restricting PC Admin Rights Burns, Denis (Aug 13)
- Re: Restricting PC Admin Rights Frank Barton (Aug 13)
- Re: Restricting PC Admin Rights Burns, Denis (Aug 13)
- Re: Restricting PC Admin Rights Simanovich, Roman (Aug 13)
- Re: Restricting PC Admin Rights Burns, Denis (Aug 13)
- Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)
- Re: Restricting PC Admin Rights randy (Aug 13)
- Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)
- Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)