Re: Updated criteria for allowing local admin privileges on workstations

[Robert Berlinger <Robert.Berlinger () CUNY EDU>]

Hi Jim,

I wrote a policy to put some structure around local admin approvals that you might find helpful:

https://www.cuny.edu/wp-content/uploads/sites/4/page-assets/about/administration/offices/cis/information-security/security-policies-procedures/Local-Administrative-Privileges-2018-12-12.pdf

Robert N. Berlinger, CISSP
Chief Information Security Officer
City University Of New York
security.cuny.edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Wednesday, February 26, 2020 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Updated criteria for allowing local admin privileges on workstations

We're reviewing what valid use cases there might be for giving someone local admin privileges on their workstation (PC 
or Mac).

Currently we default to no admin rights. On Macs we are running Mojave and have just started using Jamf Pro. On PCs we 
are at Win10 and just starting to deploy InTune. I don't' think we haven't fully leveraged these tools capabilities to 
allow users more flexibility with self-service apps, etc.

I'm curious what typical cases folks are seeing for various groups of users (faculty, staff, etc.) that would require 
giving users full admin privileges.

I did run across this thread from 2018:

http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808

Thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu<mailto:jbole () stevenson edu> | O: 443-334-2696







**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community