Educause Security Discussion mailing list archives
Re: Windows local admin in a .edu environment
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 30 Jan 2008 22:49:49 -0700
At 04:09 PM 1/30/2008 -0600, Hull, Dave wrote:
I have had some IT folks from other departments tell me that what we're doing in our department doesn't scale up because they would have to spend lots of time running around installing software for people. I've found the opposite is true, I spend much less time putting out fires caused by an ignorant user running as admin and so I have time to actually provide assistance when it's needed.
In the sprite of full disclosure, I am a huge proponent of least privilege. As Dave and other have stated, the investment in end user education will pay dividends in the areas of security and general IT management and maintenance. However, you might not expect the need to invest in your IT staff. That is what other IT departments mean when they say it "doesn't scale up because they would have to spend lots of time running around installing software for people." Their IT staff needs to learn to do many of those tasks remotely, even without remote desktop. Do they have the skills to push software, patches, upgrades to a desktop without going to the desktop? (Remote desktop doesn't count.) Do they have the tools, like psexec (they better, it's free), LANDesk, SMS, ZENworks, etc. to manage 80-100 desktops / help desk staff? Do you have the patience to manage your end users expectations? Take them from "I could have done it by now!" to "a four hour turnaround is ok." My point is, when you switch from supporting to managing* the desktops it takes a different IT skill set. -Eric *You cannot manage users with admin access anymore then you can herd cats (see <http://www.youtube.com/watch?v=Pk7yqlTMvp8> for more details). Eric Case, CISSP <ecase () Arizona edu> Information Security Officer College of Engineering <http://www.Engr.Arizona.edu> 1127 E James E. Rogers Way Room 200 Tucson, AZ 85721-0020 Mobile Phone 520-275-6436
Current thread:
- Windows local admin in a .edu environment Halliday,Paul (Jan 30)
- <Possible follow-ups>
- Re: Windows local admin in a .edu environment David Kovarik (Jan 30)
- Re: Windows local admin in a .edu environment Hull, Dave (Jan 30)
- Re: Windows local admin in a .edu environment Frank T. Shylkofski (Jan 30)
- Re: Windows local admin in a .edu environment Eric Case (Jan 30)
- Re: Windows local admin in a .edu environment Halliday,Paul (Jan 31)
- Re: Windows local admin in a .edu environment Gary Flynn (Jan 31)
- Re: Windows local admin in a .edu environment Jim Dillon (Jan 31)
- Re: Windows local admin in a .edu environment Steven Alexander (Jan 31)
- Re: Windows local admin in a .edu environment Ozzie Paez (Jan 31)
- Re: Windows local admin in a .edu environment Curt Wilson (Jan 31)