Educause Security Discussion mailing list archives

Re: Restricting PC Admin Rights

From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Tue, 14 Aug 2018 15:43:00 +0000

Our admin access plan is very similar.  We flipped our default to no admin access and require a business reason for the 
access.  We have admittedly been somewhat lenient in accepting the reason, but we decided it is more important to get 
everyone into a consistent model.  Before the new policy, admin access was all over the board… some local machine 
accounts, some domain accounts, some shared accounts, etc.  Even with a more lenient approach we have significantly 
reduced the number of users with admin access to the university managed machines, and those who do are using a 
centrally managed account.

We use LAPS as an in between step for those needing short term admin access, we use the software center to allow people 
to install approved software, and our support staff are able to use remote tools.  All of these reduce the need for 
admin access.

We received some push back when we rolled out the new policy two years ago, but overall it has gone smoothly.

Thanks,

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Ledbetter
Sent: Monday, August 13, 2018 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Restricting PC Admin Rights

We have removed local admin privileges for most of our Non-IT users accounts.  Where the department has specified a 
legitimate business need for local admin rights, we have created a secondary admin account for specific users.  We use 
the naming convention username.admin.  The only time the user uses this account is to provide local admin credentials 
when prompted by Windows. when they are installing/updating software.

Kevin

On Mon, Aug 13, 2018 at 10:40 AM, Jack Barrett <jwbarrett () massasoit mass edu<mailto:jwbarrett () massasoit mass 
edu>> wrote:
We restrict admin rights. We allow admin rights if they sign a “Admin Access Request” form. This needs to be signed by 
the employee’s supervisor and approved by IT

Jack Barrett
Deputy CIO
Massasoit Community College
508-588-9100 Ext 1146

Beware of “phishing” attempts for your username, and password,  Massasoit Community College will NEVER ask for your 
username and password in an email.
Think before you click!


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of McHugh, Susan
Sent: Monday, August 13, 2018 11:09 AM

To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Restricting PC Admin Rights

We restrict admin rights.  We had the backing of the EVP when an instructor downloaded the wrong software.  Employees 
were upset when they lost their ability to change their desktop.

____________________
Susan McHugh
Chief Information Officer
Mount Wachusett Community College
s_mchugh () mwcc mass edu<mailto:s_mchugh () mwcc mass edu>
978-630-9174


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Andrew Chiarello
Sent: Monday, August 13, 2018 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Restricting PC Admin Rights


We do not restrict admin rights (and all proposals to do so have been squelched before getting very far).



Andrew J. Chiarello

Lead Engineer, Infrastructure & Systems

Bryn Mawr College

achiarello () brynmawr edu<mailto:achiarello () brynmawr edu>

(610) 526-7966

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Pardonek, Jim <jpardonek () LUC EDU<mailto:jpardonek () LUC EDU>>
Sent: Monday, August 13, 2018 11:06:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Restricting PC Admin Rights


Not sure if there is somewhere else I can get this info, I’m sure it’s been asked before, but I am checking to see how 
many of your institutions restrict admin rights.  We are putting a proposal together to leadership to do exactly that 
as we have had a number of folks fall for scams that involve the installation of software on their PCs.



Thanks,





James Pardonek, MS, CISSP, CEH, GSNA

Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, 
IL<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago%2C%2BIL%2B60660%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cae9bcab6dd3047a14edd08d60135a1a0%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636697727196952012&sdata=BNy3%2FLZelPJECc4DR4MVDPUtxft%2BeWKlvvS9FQVuNK8%3D&reserved=0>
  
60660<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2F%3Fq%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago%2C%2BIL%2B60660%26entry%3Dgmail%26source%3Dg&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cae9bcab6dd3047a14edd08d60135a1a0%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636697727196952012&sdata=BNy3%2FLZelPJECc4DR4MVDPUtxft%2BeWKlvvS9FQVuNK8%3D&reserved=0>

•: (773) 508-6086



Loyola University Chicago will never ask you for your username or password.

For the lastest information security news at Loyola, please follow us online,

Twitter: @LUCUISO

Facebook: 
https://www.facebook.com/lucuiso/<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Flucuiso%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cae9bcab6dd3047a14edd08d60135a1a0%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636697727196952012&sdata=W9LzRQpq57wd1XrOSWx7mylTxgeCnIor%2B5bX08h0MPw%3D&reserved=0>

Our Blog 
http://blogs.luc.edu/uiso/<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblogs.luc.edu%2Fuiso%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cae9bcab6dd3047a14edd08d60135a1a0%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636697727196952012&sdata=NDKGGQfSM3ogCxv6eFrJzOepTA0kONwG6oFee3GA5i0%3D&reserved=0>





--
Kevin Ledbetter
Systems Security Administrator
Office of Information Technology
Valparaiso University
1700 Chapel Drive
Valparaiso, IN 46383
219.464.6191
Staff Employee Advocacy Council
University Council
Kevin.Ledbetter () valpo edu<mailto:Kevin.Ledbetter () valpo edu>

Current thread:

Restricting PC Admin Rights Pardonek, Jim (Aug 13)
- Re: Restricting PC Admin Rights Andrew Chiarello (Aug 13)
  - Re: Restricting PC Admin Rights Barton, Robert W. (Aug 13)
    - Re: Restricting PC Admin Rights Andrew Chiarello (Aug 13)
    - Re: Restricting PC Admin Rights Gregory Keane (Aug 13)
  - Re: Restricting PC Admin Rights McHugh, Susan (Aug 13)
    - Re: Restricting PC Admin Rights Jack Barrett (Aug 13)
    - Re: Restricting PC Admin Rights Kevin Ledbetter (Aug 13)
    - Re: Restricting PC Admin Rights Gregg, Christopher S. (Aug 14)
    - Re: Restricting PC Admin Rights Alex Lindstrom (Aug 14)
    - Re: Restricting PC Admin Rights Ronald King (Aug 20)
- Re: Restricting PC Admin Rights WALTER KERNER (Aug 13)
- Re: Restricting PC Admin Rights Simanovich, Roman (Aug 13)
- Re: Restricting PC Admin Rights Joanna Grama (Aug 13)
- Re: Restricting PC Admin Rights Seymour, Patrick (Aug 13)
- Re: [External Sender] [SECURITY] Restricting PC Admin Rights Davis, Chris (Aug 13)
  - Re: [External Sender] [SECURITY] Restricting PC Admin Rights Frank Barton (Aug 13)
- Re: Restricting PC Admin Rights Madl, Michael (Aug 13)
- <Possible follow-ups>
- Re: Restricting PC Admin Rights Boyd, Daniel (Aug 13)

(Thread continues...)