Educause Security Discussion mailing list archives

Re: Updated criteria for allowing local admin privileges on workstations


From: Joel McKenzie <mckenzie () WCU EDU>
Date: Fri, 28 Feb 2020 13:49:54 +0000

We have recently pushed out a policy to our Win10 systems to force the user to enter their credentials when admin privs 
are needed (which I believe is on par with MacOS). This isn't perfect, but it does allow them to self-elevate w/o IT 
intervention and hopefully it gives them pause to wonder if they are being prompted for credentials for something they 
didn't initiate.  The default setting was to just click a yes/no button when admin privs were required.


-Joel P. McKenzie, MBA, CISSP
-Chief Information Security Officer
-Western Carolina University
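
An added example, not part of Joel's message and not a script from WCU: a read-only PowerShell check of the UAC registry values that decide whether a local administrator gets a yes/no consent dialog or has to re-enter credentials when elevating. The registry path, value names and value meanings are the documented UAC policy settings; the function name `Get-UacElevationPosture` and the lookup table are assumptions of this example.

```powershell
# Added example (not from the thread): audit the UAC elevation-prompt settings that
# decide whether a local admin sees a yes/no consent dialog or must re-enter credentials.
# Read-only: it only reads the policy key, it does not change anything.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the ConsentPromptBehaviorAdmin policy value.
$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

# Hypothetical helper name: returns one object describing the host's elevation posture.
function Get-UacElevationPosture {
    [CmdletBinding()]
    param([string]$Path = $uacKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A value that is absent from the registry behaves like the Windows default.
    $enableLua = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $admin     = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $props.PromptOnSecureDesktop) { [int]$props.PromptOnSecureDesktop } else { 1 }

    # Credentials are only actually required when UAC is on and the admin prompt
    # is one of the two "prompt for credentials" modes (1 or 3).
    $requiresCredentials = ($enableLua -eq 1) -and ($admin -in @(1, 3))

    [pscustomobject]@{
        UacEnabled                 = ($enableLua -eq 1)
        ConsentPromptBehaviorAdmin = $admin
        AdminPromptMeaning         = $adminBehavior[$admin]
        SecureDesktop              = ($secure -eq 1)
        AdminsMustEnterCredentials = $requiresCredentials
    }
}

$posture = Get-UacElevationPosture
$posture | Format-List

if (-not $posture.AdminsMustEnterCredentials) {
    Write-Warning 'Local admins can elevate with a yes/no click; the policy described in the thread sets ConsentPromptBehaviorAdmin to 1 (credentials on the secure desktop).'
}
```

The Group Policy equivalent of the setting Joel describes is the security option "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" set to "Prompt for credentials on the secure desktop", which writes `ConsentPromptBehaviorAdmin = 1` under the key above. The check reports posture only; it is an awareness control in the sense Joel gives (a prompt the user did not expect becomes a visible signal), not a control that blocks elevation.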

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of randy <marchany 
() VT EDU>
Sent: Thursday, February 27, 2020 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Updated criteria for allowing local admin privileges on workstations

There are a couple of questions I've always wanted to ask whenever the local admin issue comes up.

1. What about BYOD? Everyone who brings their own device to your net has admin privileges. Has that caused problems in 
your campus?
   a. how many incidents were caused by someone having local admin privs vs. general user privs? #/semester? #/year. 
Based on these stats, is this a problem that needs to be addressed?
2. Phishing, ransomware, web drive-by attacks don't require admin privs to be destructive or disruptive. Ransomware 
damage can be "reduced" by carefully setting default file permissions. Of course, this is much easier to do in the 
Linux/Mac world than Windows.
3. Do you have a "training" requirement for those who need admin privs? Say someone wants admin privs for whatever 
reason. Do you say something like "sure, you have to take a 1-2hr training class on responsible admin practices first". 
I have an old gm buddy in one of the sciences who was ribbing me because her IT person refused to give her admin privs. 
I said "XXXX, you have a $700K analyzer in your lab. You wouldn't let me use it w/o training me on its proper use. :-) 
There's a HUGE advantage in training someone on basic admin priv practices. You get another set of eyes to help you 
spot incidents earlier. You can offload some support to the person. If they screw up, you note it in your report. 
Faculty the problem you say? I say so what? No faculty I know wants to be id'd as the cause of an incident.
4. Do you ask why a user wants admin privs? I'd be willing to bet that 90% of the time, they want admin privs because 
it takes too long to get their IT staff to install software or devices they need to do their job. I've seen cases where 
it could take up to 6 months to get the approvals to install software on a machine. How long does it take in your 
environment? Approved or not? If the IT process is too restrictive, does that force the user to bring in their own 
device so they can do their job?

Is restricting admin privs an archaic "defense"? When hosts were "multi user" systems, an admin priv breach affected a 
LOT of people in 1 shot. It made perfect sense to be careful with admin priv accts. However, in today's single 
user/single machine environment, only 1 person is affected. Ah, but what about a sensitive data breach you say? How 
many data breaches were caused by an admin priv issue as opposed to a "user" issue?  For large servers, yes, this 
situation warrants close examination but those cases are few. There are a number of similar "defenses" that were 
created literally 35-40 yrs ago (account lockouts, restricting admin privs, firewalls, etc.) that may cause worse 
problems in today's environment than the ones they're trying to solve. Usually there are compensating controls that are 
more responsive to today's compute environment.

BYOD has changed the rules on admin privs. Metrics will help you justify your decision one way or the other.

-Randy Marchany
VA Tech IT Security Office & Lab

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Wednesday, February 26, 2020 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Updated criteria for allowing local admin privileges on workstations

We’re reviewing what valid use cases there might be for giving someone local admin privileges on their workstation (PC 
or Mac).

Currently we default to no admin rights. On Macs we are running Mojave and have just started using Jamf Pro. On PCs we 
are at Win10 and just starting to deploy InTune. I don’t think we have fully leveraged these tools’ capabilities to 
allow users more flexibility with self-service apps, etc.

I’m curious what typical cases folks are seeing for various groups of users (faculty, staff, etc.) that would require 
giving users full admin privileges.

I did run across this thread from 2018:

http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808

Thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
