Educause Security Discussion mailing list archives

Re: User Privilege Levels, The Sequel.


From: Karen Stopford <stopfordk () CT EDU>
Date: Thu, 26 Feb 2009 11:36:02 -0500

Michael's answer is probably a better solution than we had, but another option that works well in some settings is to create a global group, say "User Install," and put it in the Local Administrators group on each machine.  The user can be added and removed by using a modified install script.  This group may be used for other purposes as well, such as desktop support - or you can create another group - it gives you an audit trail and you don't have to use the Local Administrator account.
Karen

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116
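
A way to check that a workstation's local Administrators group matches the group-based setup described in the message above, as an added example that is not part of the original thread. The domain name `EXAMPLE`, the function name `Test-LocalAdminMembership`, the allow-list contents and the sample account `jdoe` are assumptions; only the group name "User Install" comes from the message.

```powershell
# Added example: compare local Administrators membership with an allow-list.
# 'EXAMPLE' is a placeholder domain; 'User Install' is the group named in the message.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, present but not used day to day
    'EXAMPLE\Domain Admins',
    'EXAMPLE\User Install'               # delegated install group
)

function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # objects exposing Name and ObjectClass
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    # Flag every current member that is not on the allow-list (for example a
    # user account added directly instead of through the delegated group).
    foreach ($m in $Members) {
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Status      = if ($Allowed -contains $m.Name) { 'Expected' } else { 'Unexpected' }
        }
    }
    # Flag allow-listed principals that are absent, such as a machine where
    # the delegated group was never added.
    foreach ($a in $Allowed) {
        if ($Members.Name -notcontains $a) {
            [pscustomobject]@{ Name = $a; ObjectClass = 'n/a'; Status = 'Missing' }
        }
    }
}

# Constructed sample data, shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = "$env:COMPUTERNAME\Administrator"; ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';           ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';                    ObjectClass = 'User' }
)
Test-LocalAdminMembership -Members $sample -Allowed $Allowed | Format-Table -AutoSize

# On a live workstation (Windows PowerShell 5.1 or later), audit the real group
# by its well-known SID so the check does not depend on a localized group name:
# Test-LocalAdminMembership -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') -Allowed $Allowed
```

With the constructed sample, `EXAMPLE\jdoe` is reported as Unexpected and `EXAMPLE\User Install` as Missing.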

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: Thursday, February 26, 2009 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] User Privilege Levels, The Sequel.

We use Remote Desktop for times when they must login and Windows Remote Assistance with "Run As" if they can do it for the user. It's rare that they must actually go touch a machine to get something installed with this.

We also publish as much as we can with MSIs and group policy, and make them user installable if we need to.

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Thursday, February 26, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] User Privilege Levels, The Sequel.

First of all, thanks very much to the people who have responded to my
initial email about user privileges on their own desktops. We're
currently in an environment where _everyone_ is an admin, and you gave
me a lot of ammunition to justify buttoning that up.

A followup question -- some of the pushback against outfitting users
with User rights instead of Administrator has come from our support
group, who (understandably) don't want to make house calls every time
someone wants to check out a new piece of software.

What sort of methodology are people using to handle one-off software
requests? How is a request made, and what mechanism is used to get the
installation done?

Thanks for your input,

--Matt

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
