Re: Restricting PC Admin Rights

[Ronald King <ronald.king () MORGAN EDU>]

We restrict admin access to IT support personnel with IT support in their
job for those that want admin on administrative systems, such as those in
HR, Admissions, Bursar, etc. We use a form for all admin request. For
academic systems, such as in labs, we aren't as strict. The big reason we
were successful was resolving a state audit finding from 5 years ago. We
essentially ripped the band aid off and took some lumps from our customers.

We use SCCM for app distribution and are looking at options to grant temp
access via tools like Make Me Admin.

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Tue, Aug 14, 2018 at 12:09 PM, Alex Lindstrom <aglind () udel edu> wrote:

> At the University of Delaware, we're increasing deployment of desktop
> management solutions that include admin account management alongside other
> controls like domain joining, app whitelisting, automated patching, and
> anti-virus.
>
> We pitch this as a value-add for the end users and their units because the
> management service automates many of the basic, essential security tasks
> they'd otherwise have to handle manually. The end result is that these
> tasks become transparent to end users: employees can continue about their
> business with minimal disruption (and that counts disruption from managing
> security settings as well as from incidents resulting from insufficient
> security). They just log in to their computers with their institutional
> credentials and they're good to go. If they notice anything unusual, we're
> just a phone call or an email away. The discussion isn't about trust vs
> lack thereof, it's about making lives easier *and* enhancing security
> while we're at it.
>
> Exceptions can be made for those users who have a need to retain admin
> account access, but it's not typically necessary. When an exception is
> made, the user gets a separate admin account on that machine for escalation
> when necessary, but they retain their normal user account for routine use.
>
> Our client support teams also receive and image new computers before they
> go out to end users; the employee receives a machine that's already set up
> with the essential business and security software.
>
>
> -----
>
> Alex Lindstrom
>
> IT Security Analyst II
> UD IT Security
>
> (302) 831-4823
> https://www.udel.edu/security/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www1.udel.edu_security_&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=JJYsibktb8Dsn8llaYtkUuEIPRR6UpVR68Qix3M5rco&e=>
>
> On Tue, Aug 14, 2018 at 11:43 AM, Gregg, Christopher S. <
> csgregg () stthomas edu> wrote:
>
> > Our admin access plan is very similar.  We flipped our default to no
> > admin access and require a business reason for the access.  We have
> > admittedly been somewhat lenient in accepting the reason, but we decided it
> > is more important to get everyone into a consistent model.  Before the new
> > policy, admin access was all over the board… some local machine accounts,
> > some domain accounts, some shared accounts, etc.  Even with a more lenient
> > approach we have significantly reduced the number of users with admin
> > access to the university managed machines, and those who do are using a
> > centrally managed account.
> >
> >
> >
> > We use LAPS as an in between step for those needing short term admin
> > access, we use the software center to allow people to install approved
> > software, and our support staff are able to use remote tools.  All of these
> > reduce the need for admin access.
> >
> >
> >
> > We received some push back when we rolled out the new policy two years
> > ago, but overall it has gone smoothly.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Chris
> >
> >
> >
> >
> >
> >
> >
> > *Chris Gregg*
> > Associate Vice President of Information Security & Risk Management, CISO
> > Information Technology Services (ITS)
> > csgregg () stthomas edu
> > p 1 (651) 962-6265
> > *University of St. Thomas* | stthomas.edu
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stthomas.edu&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=NQbCs9Y52FCH7WvBlsQH7qtKJFwP0Lc2XEXrgSukk2k&e=>
> >
> >
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Kevin Ledbetter
> > *Sent:* Monday, August 13, 2018 10:58 AM
> >
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Restricting PC Admin Rights
> >
> >
> >
> > We have removed local admin privileges for most of our Non-IT users
> > accounts.  Where the department has specified a legitimate business need
> > for local admin rights, we have created a secondary admin account for
> > specific users.  We use the naming convention username.admin.  The only
> > time the user uses this account is to provide local admin credentials when
> > prompted by Windows. when they are installing/updating software.
> >
> >
> >
> > Kevin
> >
> >
> >
> > On Mon, Aug 13, 2018 at 10:40 AM, Jack Barrett <
> > jwbarrett () massasoit mass edu> wrote:
> >
> > We restrict admin rights. We allow admin rights if they sign a “Admin
> > Access Request” form. This needs to be signed by the employee’s supervisor
> > and approved by IT
> >
> >
> >
> > Jack Barrett
> >
> > Deputy CIO
> >
> > Massasoit Community College
> >
> > 508-588-9100 Ext 1146
> >
> >
> >
> > *Beware of “phishing” attempts for your username, and password,
> > Massasoit Community College will NEVER ask for your username and password
> > in an email. *
> >
> > *Think before you click!*
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *McHugh, Susan
> > *Sent:* Monday, August 13, 2018 11:09 AM
> >
> >
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Restricting PC Admin Rights
> >
> >
> >
> > We restrict admin rights.  We had the backing of the EVP when an
> > instructor downloaded the wrong software.  Employees were upset when they
> > lost their ability to change their desktop.
> >
> >
> >
> > ____________________
> > Susan McHugh
> > Chief Information Officer
> > Mount Wachusett Community College
> > s_mchugh () mwcc mass edu
> > 978-630-9174
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Andrew Chiarello
> > *Sent:* Monday, August 13, 2018 11:08 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Restricting PC Admin Rights
> >
> >
> >
> > We do not restrict admin rights (and all proposals to do so have been
> > squelched before getting very far).
> >
> >
> >
> > Andrew J. Chiarello
> >
> > Lead Engineer, Infrastructure & Systems
> >
> > Bryn Mawr College
> >
> > achiarello () brynmawr edu
> >
> > (610) 526-7966
> > ------------------------------
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Pardonek, Jim <
> > jpardonek () LUC EDU>
> > *Sent:* Monday, August 13, 2018 11:06:29 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Restricting PC Admin Rights
> >
> >
> >
> > Not sure if there is somewhere else I can get this info, I’m sure it’s
> > been asked before, but I am checking to see how many of your institutions
> > restrict admin rights.  We are putting a proposal together to leadership to
> > do exactly that as we have had a number of folks fall for scams that
> > involve the installation of software on their PCs.
> >
> >
> >
> > Thanks,
> >
> >
> >
> >
> >
> > *James Pardonek, MS, CISSP, CEH, GSNA*
> >
> > *Information Security Officer*
> >
> >
> > * Loyola University Chicago  1032 W. Sheridan Road | Chicago, IL
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fmaps.google.com-252F-253Fq-253D1032-252BW.-252BSheridan-252BRoad-252B-25257C-252BChicago-252C-252BIL-252B60660-2526entry-253Dgmail-2526source-253Dg-26data-3D02-257C01-257Ccsgregg-2540STTHOMAS.EDU-257Cae9bcab6dd3047a14edd08d60135a1a0-257Ca081ff79318c45ec95f338ebc2801472-257C1-257C0-257C636697727196952012-26sdata-3DBNy3-252FLZelPJECc4DR4MVDPUtxft-252BeWKlvvS9FQVuNK8-253D-26reserved-3D0&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=x4yea8ha0mMwbumTe9YcJ_Ry3fEpJ4ragN7xliWvCrs&e=>
> > <https://maps.google.com/?q=1032%0A+W.+Sheridan+Road+%7C+Chicago,+IL+%C2%A0%C2%A0+60660&entry=gmail&source=g>60660
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fmaps.google.com-252F-253Fq-253D1032-252BW.-252BSheridan-252BRoad-252B-25257C-252BChicago-252C-252BIL-252B60660-2526entry-253Dgmail-2526source-253Dg-26data-3D02-257C01-257Ccsgregg-2540STTHOMAS.EDU-257Cae9bcab6dd3047a14edd08d60135a1a0-257Ca081ff79318c45ec95f338ebc2801472-257C1-257C0-257C636697727196952012-26sdata-3DBNy3-252FLZelPJECc4DR4MVDPUtxft-252BeWKlvvS9FQVuNK8-253D-26reserved-3D0&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=x4yea8ha0mMwbumTe9YcJ_Ry3fEpJ4ragN7xliWvCrs&e=>
> > *
> > * (**: (773) 508-6086*
> >
> >
> >
> > *Loyola University Chicago will never ask you for your username or
> > password.*
> >
> > *For the lastest information security news at Loyola, please follow us
> > online,*
> >
> > *Twitter: @LUCUISO*
> >
> > *Facebook: https://www.facebook.com/lucuiso/
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.facebook.com-252Flucuiso-252F-26data-3D02-257C01-257Ccsgregg-2540STTHOMAS.EDU-257Cae9bcab6dd3047a14edd08d60135a1a0-257Ca081ff79318c45ec95f338ebc2801472-257C1-257C0-257C636697727196952012-26sdata-3DW9LzRQpq57wd1XrOSWx7mylTxgeCnIor-252B5bX08h0MPw-253D-26reserved-3D0&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=tcFm3kwPP2KBa3D1q4Mby0cyX1lIBN6X0FlXvlR_mj8&e=>*
> >
> > *Our Blog http://blogs.luc.edu/uiso/
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttp-253A-252F-252Fblogs.luc.edu-252Fuiso-252F-26data-3D02-257C01-257Ccsgregg-2540STTHOMAS.EDU-257Cae9bcab6dd3047a14edd08d60135a1a0-257Ca081ff79318c45ec95f338ebc2801472-257C1-257C0-257C636697727196952012-26sdata-3DNDKGGQfSM3ogCxv6eFrJzOepTA0kONwG6oFee3GA5i0-253D-26reserved-3D0&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=zWr-0yygklwsG-ElD3KFvGMavGfz-2drQlBYubv8xj8&e=>*
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > Kevin Ledbetter
> > Systems Security Administrator
> > Office of Information Technology
> > Valparaiso University
> > 1700 Chapel Drive
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__maps.google.com_-3Fq-3D1700-2BChapel-2BDrive-2B-250D-250AValparaiso-2C-2BIN-2B46383-26entry-3Dgmail-26source-3Dg&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=TxNV2yzoVLbEWeVqvb7DRTyqQhGCvEMXWuFs5XLcrxg&s=5G7voCZ55R68QD_8HAblbMVPE1UawfNnZDuthCEXlPQ&e=>
> > Valparaiso, IN 46383
> > <https://maps.google.com/?q=1700+Chapel+Drive+%0AValparaiso,+IN+46383&entry=gmail&source=g>
> > 219.464.6191
> >
> > Staff Employee Advocacy Council
> >
> > University Council
> > Kevin.Ledbetter () valpo edu