Re: User Privilege Levels.

["Spransy, Derek" <DSPRANS () EMORY EDU>]

If a faculty or staff member feels that they require administrative rights on their computer(s), they fill out an 
exception form and sign an agreement that basically says that they won't abuse the privileges.  I review the request to 
see if there are workarounds (like giving their account full control permissions to a certain directory) or other 
alternative options.  If the request is approved then we will create a second local account and instruct them to use 
Run As.  

We had to take a slightly different approach with our research faculty.  Many of our labs use software that we don't 
support, and they do have legitimate needs for administrative rights.  In those cases we request that the PI sign the 
form along with one or two lab managers (if any) who might need admin privileges as well.  The rest of the members of 
the lab run as regular users.  Our primary goal is not to prevent software installation but to reduce the risks 
associated with running in a higher privilege context on a daily basis.  The process that we came up with seems, so 
far, to support both our objectives and those of the faculty.

-Derek

===========================
Derek Spransy
IT Security Lead
Emory College of Arts & Sciences
derek.spransy () emory edu
404-712-8798
===========================



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harold 
Winshel
Sent: Tuesday, February 24, 2009 9:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels.

What kind of exception process do you have?

At 05:03 PM 2/24/2009, you wrote:
> A year ago we (College of Arts & Sciences at Emory) started the 
> process of not granting administrative rights to users by default, 
> and came up with an exception process for faculty and staff that 
> have a legitimate need for them.  We've had some faculty complain 
> about infringements on their academic freedom, (or a similar 
> argument) but there actually hasn't been a lot of that.  I've found 
> that most faculty understand the need when it's explained to 
> them.  Having an exception process gives us the means to provide 
> faculty with other alternatives, and it shows that we're willing to 
> work with them.
>
> I maintain metrics that track the number of security incidents that 
> we have per month and how much each of those incidents is costing 
> us.  I've also begun tracking whether or not possessing 
> administrative rights contributed to a security incident, and not 
> surprisingly, it does in the vast majority of cases. Faculty are 
> used to analyzing data, and having those kinds of figures helps to 
> explain the method behind the madness.
>
> -Derek
>
> ===========================
> Derek Spransy
> IT Security Lead
> Emory College of Arts & Sciences
> derek.spransy () emory edu
> 404-712-8798
> ===========================
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Karen Stopford
> Sent: Tuesday, February 24, 2009 4:32 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] User Privilege Levels.
>
> Have any of you run into resistance when trying to reduce 
> privileges, where faculty claims "academic freedom?"  Not a 
> technical question but a political one.  I am just wondering how you 
> might have handled it.  You can email me offline if you would like.
> Thanks,
> Karen
>
> C. Karen Stopford, CISSP
> Associate Executive Officer for I.T. Security
> CT State University System
> 39 Woodland Street
> Hartford, CT  06105
> (860) 493-0116
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Pollard
> Sent: Tuesday, February 24, 2009 12:12 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] User Privilege Levels.
>
> I can only speak from the department level but what we do is give everyone
> general user access and temporarily grant administrator access if necessary
> using group policy.  If administrator access is absolutely insisted upon we
> may permit it with the caveat that the user is responsible for ensuring
> security and receives limited support.
>
> ~Jim
>
> Jim Pollard
> Computer Systems Development Specialist
> Department of Biomedical Engineering
> University of Texas at Austin
> it () bme utexas edu
> 512.789.4345
>
> "The intelligent man is capable of overcoming problems and difficulties the
> wise man would have avoided in the first place."
>
> Rabbi Yusef Becher
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
> Sent: Monday, February 23, 2009 9:46 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] User Privilege Levels.
>
> We're in the midst of planning a rollout to Active Directory for our end
> user authentication, and so we'll be joining all college-owned end user
> computers to the domain. I'm curious about privilege levels. What sort
> of access are other institutions giving their users to their computers?
>
> * Are your users granted Administrative power over their own machines?
>
> * Do you have a uniform level for all employees, or does it vary by
> position?
>
> * Can an employee move between schemes, applying for greater access
> after passing a security training test or some similar mechanism?
>
> Thanks for any replies. Feel free to respond off-list, if you like.
>
> --Matt
>
> --
> Matt Gracie                         (716) 888-8378
> Information Security Administrator  graciem () canisius edu
> Canisius College ITS                Buffalo, NY
> http://www2.canisius.edu/~graciem/graciem_public_key.gpg
>
> This e-mail message (including any attachments) is for the sole use of
> the intended recipient(s) and may contain confidential and privileged
> information.  If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution
> or copying of this message (including any attachments) is strictly
> prohibited.
>
> If you have received this message in error, please contact
> the sender by reply e-mail message and destroy all copies of the
> original message (including attachments).

Harold Winshel
Computing and Instructional Technologies
Rutgers Camden Arts & Sciences
311 N. 5th Street, Room B10
Camden NJ 08102
856.225.6669 (O)