Educause Security Discussion mailing list archives

Re: Restricting PC Admin Rights


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Mon, 13 Aug 2018 20:58:20 +0000

I’ve been in on a few see-saw discussions on this topic.  The only positive reason not countered for forcing a password 
change is that the likelihood of a user having a password that is the same as one of their outside accounts is far 
less.  The timing is up in the air, though, as to a good time frame.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Burns, Denis
Sent: Monday, August 13, 2018 3:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

Thanks Roman – It is a good read for everyone within IT as well as executive leadership.  The comments on that article 
were insightful as well.

While I am in agreement with the article about most of the points, the one that they miss is that auditors are going to 
judge your organization off of their score sheets that may, or may not, reflect the best practices ‘of the moment’.  
While we all work to secure our environments from bad actors, the flip side of that coin is that we also make decisions 
and take actions to protect our jobs from internal and external auditors and their ‘findings’.

I wonder if anyone on-list has been through a PCI or HHS audit recently and what was determined about their PW stance?

-d

Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University
(850) 644-3648 – denis.burns () med fsu edu  *** Be a cyberhero! Build a safe cyberspace at Florida State. ***

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Simanovich, Roman
Sent: Monday, August 13, 2018 4:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

Frank,
FYI, good read.

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes


Thanks,
Roman

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Burns, Denis
Sent: Monday, August 13, 2018 3:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

Hi Frank,

Happy to share some of the rationale offline.

While I petitioned for 60 days across the board, I will be happy to settle for either a slightly longer window with a 
complex PW, or much longer (1-2 year) with a passphrase.  We are working through the technical side to see if we can 
allow our customers to self opt-in for the passphrase option or switch back and forth w/o technician assistance.  Also, 
trying to see if we can assign them to groups with different requirements (clinical staff versus EDU admin staff, etc.)

-d

Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University
(850) 644-3648 – denis.burns () med fsu edu  *** Be a cyberhero! Build a safe cyberspace at Florida State. ***
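The split described above (one population on a complex password with a shorter rotation window, a self-service passphrase option with a much longer one, and users moved between them without a technician) maps directly onto Active Directory fine-grained password policies. The script below is an added example and is not code from the thread or from any institution on it; the PSO names, the groups Clinical-Staff and Passphrase-OptIn, and the specific lengths and ages are assumptions chosen to show the mechanism, not the settings anyone in the thread decided on.

```powershell
# Added example: two AD fine-grained password policies (PSOs) for two
# populations, plus a check of which policy actually governs a given user.
# Group and policy names, lengths and ages below are assumptions, not the
# thread's settings. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

# Policy 1: complex password, 90-day rotation (bound to clinical staff below).
New-ADFineGrainedPasswordPolicy -Name 'PSO-Complex-90d' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 12 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00'

# Policy 2: long passphrase, 365-day rotation, no complexity rule.
# Lower Precedence wins when a user is in both groups, so adding someone to the
# opt-in group overrides the complex policy without technician assistance.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Passphrase-365d' -Precedence 10 `
    -ComplexityEnabled $false -MinPasswordLength 20 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00'

# Bind each PSO to a global security group (hypothetical group names).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Complex-90d'     -Subjects 'Clinical-Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Passphrase-365d' -Subjects 'Passphrase-OptIn'

# Which policy actually applies to a user? If no PSO matches, the Default Domain Policy does.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        [pscustomobject]@{ User = $Identity; Policy = $pso.Name; MaxAge = $pso.MaxPasswordAge; MinLength = $pso.MinPasswordLength }
    } else {
        $def = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $Identity; Policy = 'Default Domain Policy'; MaxAge = $def.MaxPasswordAge; MinLength = $def.MinPasswordLength }
    }
}

# Expiry is computed from pwdLastSet against the effective policy's MaxPasswordAge.
# Moving a user whose password is 100 days old into the 90-day PSO therefore
# expires it immediately; moving them the other way buys them time. Plan the
# group change for the day they will set a new password.
function Get-PasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)
    $u   = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordNeverExpires
    $pol = Get-EffectivePasswordPolicy -Identity $Identity
    if ($u.PasswordNeverExpires -or -not $u.PasswordLastSet) { return $null }
    if ($pol.MaxAge -le [timespan]::Zero) { return $null }   # zero age = never expires
    $u.PasswordLastSet + $pol.MaxAge
}

# Usage (hypothetical user):
Get-EffectivePasswordPolicy -Identity 'jdoe'
Get-PasswordExpiry -Identity 'jdoe'
```

Two caveats a practitioner will hit with this approach: a PSO only constrains new passwords, so a user who opts in to the passphrase group keeps their existing 12-character password until it expires under the new, longer age; and group membership is the entire control, so whoever can edit Passphrase-OptIn can move anyone onto the longest expiry, which makes that group's membership something to audit alongside the policy itself.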

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, August 13, 2018 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

Denis... why the expiring passwords? and what time-frame are you using?

Frank

On Mon, Aug 13, 2018 at 3:14 PM, Burns, Denis <denis.burns () med fsu edu> wrote:
We are taking the “Never let a good crisis go to waste” methodology and are using another initiative to roll it to our 
customer base.

Everyone wants Windows 10, but we have been slow to adopt.  Now, all new images have standard user rights.  Many IT 
folks are issued a separate domain account with local admin rights *on their computer only* for dismissing UAC’s and 
running things elevated as needed.

For customer support, we use LAPS for technicians to elevate as needed on computers in the field (either remotely or in 
person).

We are about 70% through and should complete in the next 2 months; we have only met minimal pushback.  We also 
instituted a process for anyone to request software that involves leadership review/approval and deployment via 
Software Center for most products.

Next on deck for us, expiring passwords.

-d

Denis Burns Information Security and Privacy Officer - College of Medicine - Florida State University
(850) 644-3648 – denis.burns () med fsu edu  *** Be a cyberhero! Build a safe cyberspace at Florida State. ***
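Once the standard-user images, the per-user local admin accounts and LAPS are in place, the thing that drifts is local Administrators membership: software installs, older images and helpdesk shortcuts put accounts back. The script below is an added example of an audit for the model described in the message above; it is not the thread's or any institution's code. The domain name MED, the account pattern MED\adm-<username>, the technician group MED\LAPS-Techs and the computer-to-owner table are assumptions (in practice the owner mapping would come from SCCM or asset inventory), and the LAPS cmdlets are those of the legacy AdmPwd.PS module.

```powershell
# Added example (not code from the thread): audit local Administrators on
# domain-joined PCs against the model above, and check that LAPS is actually
# managing the built-in Administrator password on each machine.
# Assumptions (hypothetical): domain NetBIOS name MED, per-user admin accounts
# named MED\adm-<username>, technician group MED\LAPS-Techs, and an owner table
# you would normally pull from SCCM/inventory. Legacy LAPS (AdmPwd.PS module).
Import-Module AdmPwd.PS -ErrorAction Stop

$Domain    = 'MED'
$TechGroup = "$Domain\LAPS-Techs"

# Constructed sample inventory: computer name -> primary user.
$Owner = @{
    'MED-PC-001' = 'jdoe'
    'MED-PC-002' = 'asmith'
}

function Test-ApprovedAdmin {
    param([string]$Computer, [string]$MemberName, [string]$ObjectClass)
    # Built-in local Administrator: accepted because LAPS rotates its password.
    if ($MemberName -eq "$Computer\Administrator") { return $true }
    # Technician group: accepted; technicians still elevate via LAPS, not their own account.
    if ($ObjectClass -eq 'Group' -and $MemberName -eq $TechGroup) { return $true }
    # Per-user admin account: accepted only on that user's own machine.
    if ($MemberName -match "^$Domain\\adm-(?<user>[^\\]+)$") {
        return ($Owner[$Computer] -eq $Matches['user'])
    }
    # Anything else (daily-use account, Domain Users, stray local account) is a finding.
    return $false
}

function Get-LocalAdminFindings {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Collect membership remotely; PSComputerName tells us which PC each row came from.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    }
    foreach ($m in $members) {
        $pc = $m.PSComputerName
        if (-not (Test-ApprovedAdmin -Computer $pc -MemberName $m.Name -ObjectClass $m.ObjectClass)) {
            [pscustomobject]@{ Computer = $pc; Member = $m.Name; Class = $m.ObjectClass; Source = $m.PrincipalSource }
        }
    }
}

function Get-LapsFindings {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # A missing or past ExpirationTimestamp means the LAPS client-side extension is not
    # applying on that PC, so the built-in Administrator accepted above is not really rotating.
    foreach ($pc in $ComputerName) {
        $laps = Get-AdmPwdPassword -ComputerName $pc -ErrorAction SilentlyContinue
        if (-not $laps -or -not $laps.ExpirationTimestamp -or $laps.ExpirationTimestamp -lt (Get-Date)) {
            [pscustomobject]@{ Computer = $pc; Issue = 'LAPS password missing or expired'; Expires = $laps.ExpirationTimestamp }
        }
    }
}

# Usage: run from a management host with WinRM reachable on the clients.
$targets = [string[]]$Owner.Keys
Get-LocalAdminFindings -ComputerName $targets | Format-Table -AutoSize
Get-LapsFindings       -ComputerName $targets | Format-Table -AutoSize

# After a technician has used a LAPS password in the field, force rotation at the
# next Group Policy refresh rather than leaving the disclosed password live:
# Reset-AdmPwdPassword -ComputerName 'MED-PC-001'
```

The findings are exactly the cases the model does not allow: a user's daily account added back, Domain Users or another broad group, or an adm- account sitting on somebody else's machine. Reading ExpirationTimestamp needs only the default permissions on the computer object; reading the password itself requires the rights delegated to the technician group, so the audit account does not need them.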

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Boyd, Daniel
Sent: Monday, August 13, 2018 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

I am about to take up this fight at my institution. I’ll also be closely watching this thread and would also appreciate 
any input on strategy and marketing that anyone can offer, as I am rather new at this job (only six weeks in and 
already going for the heavyweights…).

I would be glad to take any conversations offline and would report back a summary to the list, if anyone is interested.

Dan


Daniel H. Boyd (94C)
Director of Information Security
Office for Information Technology
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax:     706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1



From: Davis, Chris <CDavis () LOURDES EDU>
Sent: Monday, August 13, 2018 12:03 PM
Subject: Re: [External Sender] [SECURITY] Restricting PC Admin Rights

For such an easy security measure, this always creates havoc.  On the IT side of things, so many things can be 
prevented with a least privilege model.  However, from the other side of the house, we always meet huge resistance 
because we are “taking away admin rights” from our users.

People feel like we don’t trust them.  And from a certain point of view that is right.  In the security world, we 
should not trust anyone.  But at the same time, the people I really don’t trust are those that are targeting our 
employees.  So, this is a measure that gives some quick security at no cost, other than a change in the way our users do 
things.

I will be watching this thread closely.

Chris


Christopher Davis, Ph.D.
Chief Information Officer
Assistant Professor of Education
Apple Teacher
Lourdes University
6832 Convent Blvd | REH 003P | Sylvania, OH 43560
cdavis () lourdes edu

CyberAware – Be aware. Stay Secure!
Lourdes University will never ask you to send sensitive information through unsecure channels. Report any message that 
asks you to provide or confirm personal information such as credit card and/or bank account numbers, Social Security 
numbers, passwords, etc. or any other suspicious activity to infosec () lourdes edu. For 
more information please visit lourdes.edu/cyberaware.


On Aug 13, 2018, at 11:06 AM, Pardonek, Jim <jpardonek () LUC EDU> wrote:

Not sure if there is somewhere else I can get this info, I’m sure it’s been asked before, but I am checking to see how 
many of your institutions restrict admin rights.  We are putting a proposal together to leadership to do exactly that 
as we have had a number of folks fall for scams that involve the installation of software on their PCs.

Thanks,


James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660

Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/




--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

