Re: Updated criteria for allowing local admin privileges on workstations

[Judith Tabron <judith.tabron () GMAIL COM>]

I think Robert's policy is a good one, Jim, but I'd also say you're on the
right track if you want to more fully leverage management tools to segment
out machines that are not centrally managed. JAMF and InTune (I know
something about JAMF, nothing about InTune) might help you a bit, but you
also might want to put such users in their own Active Directory group for
different GPO management, and/or their own network.

I've had use cases where a researcher needs to use special software
(especially software that won't run unless it's root, ugh), but plenty of
those users don't have the technical wherewithal to manage their machine to
central office's standards. Finding a way to let them do what they have to
do while minimizing danger to the rest of the users/network and providing
them with a level of support that's inbetween fully-managed and hands-off
is necessary, I think.

Rooting for you,
Judith

On Wed, Feb 26, 2020 at 4:57 PM Robert Berlinger <Robert.Berlinger () cuny edu>
wrote:

> Hi Jim,
>
>
>
> I wrote a policy to put some structure around local admin approvals that
> you might find helpful:
>
>
>
>
> https://www.cuny.edu/wp-content/uploads/sites/4/page-assets/about/administration/offices/cis/information-security/security-policies-procedures/Local-Administrative-Privileges-2018-12-12.pdf
>
>
>
> *Robert N. Berlinger, CISSP*
>
> Chief Information Security Officer
>
> City University Of New York
>
> security.cuny.edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jim A. Bole
> *Sent:* Wednesday, February 26, 2020 4:18 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Updated criteria for allowing local admin
> privileges on workstations
>
>
>
> We’re reviewing what valid use cases there might be for giving someone
> local admin privileges on their workstation (PC or Mac).
>
>
>
> Currently we default to no admin rights. On Macs we are running Mojave and
> have just started using Jamf Pro. On PCs we are at Win10 and just starting
> to deploy InTune. I don’t’ think we haven’t fully leveraged these tools
> capabilities to allow users more flexibility with self-service apps, etc.
>
>
>
> I’m curious what typical cases folks are seeing for various groups of
> users (faculty, staff, etc.) that would require giving users full admin
> privileges.
>
>
>
> I did run across this thread from 2018:
>
>
>
> http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808
>
>
>
> Thanks.
>
>
>
> Jim Bole
>
> Director of Information Security
>
> *Stevenson University*
>
> 1525 Greenspring Valley Road
>
> Stevenson, MD, 21153-0641
>
> jbole () stevenson edu | O: 443-334-2696
>
>
>
>
>
>
>
>
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community