Educause Security Discussion mailing list archives
Re: Updated criteria for allowing local admin privileges on workstations
From: "King, Ronald A." <raking () NSU EDU>
Date: Thu, 27 Feb 2020 22:49:56 +0000
We are required to restrict admin access to only those supporting IT. For an academic lab that OIT does not maintain, we will grant the professor and/or lab attendant admin access. If a professor requests admin access to computer, we generally deny it. If it is a secondary machine dedicated to academic endeavors, like testing, development, or some special software, and not used for business, we will grant him or her admin access once they put this in writing on a request form we use. Other than that, if you don't support IT, you don't get admin. We have been doing that for ~15 years. Also, we use a separate admin account that requires annual renewal, and, if it not used with 30 days, we disable it automatically. Hope this helps. Ron Ronald King Director of Technical Services and OIT Security Office of Information Technology (757) 823-2916 (Office) raking () nsu edu<mailto:raking () nsu edu> www.nsu.edu<http://www.nsu.edu/> @NSUCISO (Twitter) [NSU_logo_horiz_tag_4c - Smaller] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole Sent: Wednesday, February 26, 2020 4:18 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Updated criteria for allowing local admin privileges on workstations We're reviewing what valid use cases there might be for giving someone local admin privileges on their workstation (PC or Mac). Currently we default to no admin rights. On Macs we are running Mojave and have just started using Jamf Pro. On PCs we are at Win10 and just starting to deploy InTune. I don't' think we haven't fully leveraged these tools capabilities to allow users more flexibility with self-service apps, etc. I'm curious what typical cases folks are seeing for various groups of users (faculty, staff, etc.) that would require giving users full admin privileges. I did run across this thread from 2018: http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808 Thanks. Jim Bole Director of Information Security Stevenson University 1525 Greenspring Valley Road Stevenson, MD, 21153-0641 jbole () stevenson edu<mailto:jbole () stevenson edu> | O: 443-334-2696 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Updated criteria for allowing local admin privileges on workstations Jim A. Bole (Feb 26)
- Re: Updated criteria for allowing local admin privileges on workstations Robert Berlinger (Feb 26)
- Re: Updated criteria for allowing local admin privileges on workstations Judith Tabron (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations King, Ronald A. (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations randy (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations Joel McKenzie (Feb 28)
- Re: Updated criteria for allowing local admin privileges on workstations Beth Albertson (Mar 02)
- Re: Updated criteria for allowing local admin privileges on workstations randy (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations Robert Berlinger (Feb 26)