Educause Security Discussion mailing list archives
Re: User Privilege Levels, The Sequel.
From: Karen Stopford <stopfordk () CT EDU>
Date: Thu, 26 Feb 2009 11:36:02 -0500
Michael's answer is probably a better solution than we had, but another option that works well in some settings is to create a global group, say "User Install," and put it in the Local Administrators group on each machine. The user can be added and removed by using a modified install script. This group may be used for other purposes as well, such as desktop support - or you can create another group - it gives you an audit trail and you don't have to use the Local Administrator account.

Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT 06105
(860) 493-0116

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Thursday, February 26, 2009 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels, The Sequel.

We use Remote Desktop for times when they must login and Windows Remote Assistance with "Run As" if they can do it for the user. It's rare that they must actually go touch a machine to get something installed with this. We also publish as much as we can with MSIs and group policy, and make them user installable if we need to.

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Thursday, February 26, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels, The Sequel.

First of all, thanks very much to the people who have responded to my initial email about user privileges on their own desktops. We're currently in an environment where _everyone_ is an admin, and you gave me a lot of ammunition to justify buttoning that up.

A followup question -- some of the pushback against outfitting users with User rights instead of Administrator has come from our support group, who (understandably) don't want to make house calls every time someone wants to check out a new piece of software. What sort of methodology are people using to handle one-off software requests? How is a request made, and what mechanism is used to get the installation done?

Thanks for your input,

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

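A check that fits the arrangement Karen Stopford's reply describes, as an added example that is not part of the original thread: a PowerShell audit that lists a machine's local Administrators members and flags anything other than the built-in account and the expected domain groups. The domain name CONTOSO, the allow-list contents and the function names are assumptions; "User Install" is the group name from the message.

```powershell
#Requires -Version 5.1
# Added example: audit the local Administrators group on this machine.
# Assumption: CONTOSO is a placeholder domain name; "User Install" is the
# delegated global group named in the message above.

$AllowedNames = @(
    'CONTOSO\Domain Admins',   # placeholder domain, adjust to your own
    'CONTOSO\User Install'     # global group nested into local Administrators
)

function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] $Member,
        [string[]] $Allowed
    )
    # The built-in local Administrator account always has RID 500.
    if ($Member.PrincipalSource -eq 'Local' -and $Member.SID.Value -match '-500$') {
        return 'builtin'
    }
    if ($Allowed -contains $Member.Name) { return 'allowed' }
    # Anything else (for example a user added directly) defeats the audit trail
    # that managing access through the group is meant to provide.
    return 'unexpected'
}

function Get-LocalAdminAudit {
    param([string[]] $Allowed = $AllowedNames)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using it
    # avoids depending on the localized group name.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Class    = $_.ObjectClass
            Source   = $_.PrincipalSource
            Status   = Test-LocalAdminMember -Member $_ -Allowed $Allowed
        }
    }
}

$report = Get-LocalAdminAudit
$report | Format-Table -AutoSize
$unexpected = @($report | Where-Object Status -eq 'unexpected')
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected local administrator(s) on $env:COMPUTERNAME"
    exit 1
}
```

The non-zero exit code lets a scheduled task or management agent report machines whose local Administrators group has drifted from the intended membership.
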
Current thread:
- User Privilege Levels, The Sequel. Matthew Gracie (Feb 26)
- <Possible follow-ups>
- Re: User Privilege Levels, The Sequel. Stanclift, Michael (Feb 26)
- Re: User Privilege Levels, The Sequel. Karen Stopford (Feb 26)