Educause Security Discussion mailing list archives
Re: Peeling off desktop Administrator Rights
From: Dave Kovarik <david-kovarik () NORTHWESTERN EDU>
Date: Mon, 7 Dec 2009 11:19:27 -0600
Randy has legit concerns, some of which we addressed at a corporation I worked at previously. In addition to training, we removed Admin from most users and replaced that with a connection to Power User group which provided a fair amount of privilege without "giving away the store". There were some exceptions but most (legit) software programs could be installed (at least that used to be the case - I've not tried this recently). Note: this was a Win XP environment - I thought I read that the Power Users group was no longer available under Win 7. I've also not tried this in the university environment. - Dave Dave Kovarik NUIT-ISS/C 847-467-5930 randy marchany wrote:
I presume the primary reason for preventing local users from having admin rights on their desktops is to keep them from installing "evil" software. If this is so, then my question to the group is "how long does it take a desktop user to get a "legitimate" piece of software installed on their desktop? In other words, I have to use software package "A" to do my job. How long does it take for "A" to be installed on my desktop? My informal straw poll respondents noted the time range to be anywhere from 1 day to 2 weeks.This is completely shocking to me. Now, if my boss is breathing down my neck to finish a project by tomorrow & I need software "A" to finish the project, I can't wait 1-7 days. The business process will trump this security process and a) I go up the mgt chain to get an exception b) I bring in my personal computer, load software "A" on it and get the job done. So, I wonder why there has never been a survey with the question "How long does it take to install a software package on a user desktop if you restrict local admin rights?". This is the root cause of the "never ending battle" that I keep hearing about. If you make the user responsible for whatever they load on their machine AND enforce that, then what is the danger of letting them do so? Well, people with no local admin privs can still "infect" a machine by using their browser so once again, what do we accomplish by "preventing" them from loading software? Seems like nothing is accomplished, hence, the "never ending" battle. Call me silly, but I think there is an end to this battle but we don't want to put in the effort to accomplish this. That end involves a) enforcing user responsibility for their actions b) give them basic training (you want to be able to install stuff, you have to sit in this training) c) speed up legit software install requests. I keep hearing about this losing battle with the users so why not think of something radically different? Just a thought for the holidays.... Randy Marchany VA Tech IT Security Office
Current thread:
- Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 04)
- Re: Peeling off desktop Administrator Rights Tupker, Mike (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 04)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 04)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 04)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 05)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights Kevin Shalla (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Gary Dobbins (Dec 07)
- Re: Peeling off desktop Administrator Rights Dave Kovarik (Dec 07)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 07)
- Re: Peeling off desktop Administrator Rights Iovino, Gabriel G (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights David Escalante (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
(Thread continues...)