Educause Security Discussion mailing list archives
Re: Updated criteria for allowing local admin privileges on workstations
From: Joel McKenzie <mckenzie () WCU EDU>
Date: Fri, 28 Feb 2020 13:49:54 +0000
We have recently pushed out a policy to our Win10 systems to force the user to enter their credentials when admin privs are needed (which I believe is on par with MacOS). This isn't perfect, but it does allow them to self-elevate w/o IT intervention and hopefully it gives them pause to wonder if they are being prompted for credentials for something they didn't initiate. The default setting was to just click a yes/no button when admin privs were required.

-Joel P. McKenzie, MBA, CISSP
-Chief Information Security Officer
-Western Carolina University

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of randy <marchany () VT EDU>
Sent: Thursday, February 27, 2020 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Updated criteria for allowing local admin privileges on workstations

There are a couple of questions I've always wanted to ask whenever the local admin issue comes up.

1. What about BYOD? Everyone who brings their own device to your net has admin privileges. Has that caused problems on your campus?
   a. How many incidents were caused by someone having local admin privs vs. general user privs? #/semester? #/year? Based on these stats, is this a problem that needs to be addressed?

2. Phishing, ransomware, web drive-by attacks don't require admin privs to be destructive or disruptive. Ransomware damage can be "reduced" by carefully setting default file permissions. Of course, this is much easier to do in the Linux/Mac world than Windows.

3. Do you have a "training" requirement for those who need admin privs? Say someone wants admin privs for whatever reason. Do you say something like "sure, you have to take a 1-2hr training class on responsible admin practices first"? I have an old gm buddy in one of the sciences who was ribbing me because her IT person refused to give her admin privs. I said "XXXX, you have a $700K analyzer in your lab. You wouldn't let me use it w/o training me on its proper use." :-) There's a HUGE advantage in training someone on basic admin priv practices. You get another set of eyes to help you spot incidents earlier. You can offload some support to the person. If they screw up, you note it in your report. Faculty the problem you say? I say so what? No faculty I know wants to be id'd as the cause of an incident.

4. Do you ask why a user wants admin privs? I'd be willing to bet that 90% of the time, they want admin privs because it takes too long to get their IT staff to install software or devices they need to do their job. I've seen cases where it could take up to 6 months to get the approvals to install software on a machine. How long does it take in your environment? Approved or not? If the IT process is too restrictive, does that force the user to bring in their own device so they can do their job?

Is restricting admin privs an archaic "defense"? When hosts were "multi user" systems, an admin priv breach affected a LOT of people in 1 shot. It made perfect sense to be careful with admin priv accts. However, in today's single user/single machine environment, only 1 person is affected. Ah, but what about a sensitive data breach you say? How many data breaches were caused by an admin priv issue as opposed to a "user" issue? For large servers, yes, this situation warrants close examination but those cases are few.

There are a number of similar "defenses" that were created literally 35-40 yrs ago (account lockouts, restricting admin privs, firewalls, etc.) that may cause worse problems in today's environment than the ones they're trying to solve. Usually there are compensating controls that are more responsive to today's compute environment. BYOD has changed the rules on admin privs. Metrics will help you justify your decision one way or the other.

-Randy Marchany
VA Tech IT Security Office & Lab

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Wednesday, February 26, 2020 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Updated criteria for allowing local admin privileges on workstations

We're reviewing what valid use cases there might be for giving someone local admin privileges on their workstation (PC or Mac). Currently we default to no admin rights. On Macs we are running Mojave and have just started using Jamf Pro. On PCs we are at Win10 and just starting to deploy InTune. I don't think we have fully leveraged these tools' capabilities to allow users more flexibility with self-service apps, etc. I'm curious what typical cases folks are seeing for various groups of users (faculty, staff, etc.) that would require giving users full admin privileges.

I did run across this thread from 2018: http://listserv.educause.edu/scripts/wa.exe?A2=SECURITY;6e798529.1808

Thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
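As an added example (not code from any of the posters), a PowerShell audit of the UAC elevation-prompt setting Joel describes: it reads the standard UAC policy values under the System policies key (the same values the Group Policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" writes) and reports whether an admin's elevation requires re-entering credentials or still allows a yes/no consent click. The value-meaning table follows Microsoft's documented ConsentPromptBehaviorAdmin values; the function and object field names are this example's own.

```powershell
# Added example: audit whether UAC elevation prompts for credentials rather than consent.
# Standard UAC policy location on Windows 10; values below are the documented ones.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$adminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

function Get-UacPromptPosture {
    # Read the three values that together decide what an elevation prompt looks like.
    $p      = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    $admin  = [int]$p.ConsentPromptBehaviorAdmin   # absent value reads as 0
    $secure = [int]$p.PromptOnSecureDesktop
    $lua    = [int]$p.EnableLUA

    # Values 1 and 3 make the admin type a password; 2, 4 and 5 are a yes/no click.
    $requiresCredentials = $admin -in 1, 3

    [pscustomobject]@{
        UacEnabled              = ($lua -eq 1)
        AdminPromptValue        = $admin
        AdminPromptMeaning      = $adminPromptMeaning[$admin]
        SecureDesktop           = ($secure -eq 1)
        RequiresCredentials     = $requiresCredentials
        # The posture Joel's policy aims for: UAC on, credential prompt, secure desktop on
        # (secure desktop keeps the prompt from being drawn over by ordinary windows).
        MatchesCredentialPolicy = ($lua -eq 1) -and $requiresCredentials -and ($secure -eq 1)
    }
}

$posture = Get-UacPromptPosture
$posture | Format-List
if (-not $posture.MatchesCredentialPolicy) {
    Write-Warning 'Elevation still allows a yes/no consent click, or UAC / secure desktop is off.'
}
```

Run it on a managed Win10 host after the policy has applied; a fleet-wide check is the same function invoked through your endpoint management tool and collected as a compliance report.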
Current thread:
- Updated criteria for allowing local admin privileges on workstations Jim A. Bole (Feb 26)
- Re: Updated criteria for allowing local admin privileges on workstations Robert Berlinger (Feb 26)
- Re: Updated criteria for allowing local admin privileges on workstations Judith Tabron (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations King, Ronald A. (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations randy (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations Joel McKenzie (Feb 28)
- Re: Updated criteria for allowing local admin privileges on workstations Beth Albertson (Mar 02)
- Re: Updated criteria for allowing local admin privileges on workstations randy (Feb 27)
- Re: Updated criteria for allowing local admin privileges on workstations Robert Berlinger (Feb 26)