Educause Security Discussion mailing list archives

Re: Peeling off desktop Administrator Rights

From: "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>
Date: Mon, 7 Dec 2009 13:33:29 -0600

There is still a group, does it just not elevate access?

Michael Stanclift | Network Analyst | Computer Services
Rockhurst University | 1100 Rockhurst Road, Kansas City, MO 64110
Phone: 816.501.4231 | Fax: 816.501.4014 | http://help.rockhurst.edu 

Help keep our campus green, think before you print!
RUCS will never ask you for your password!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Monday, December 07, 2009 1:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

True, there is no "Power Users" group in Win 7.  If someone is a power user that can make themselves an admin.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Kovarik
Sent: Monday, December 07, 2009 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

Randy has legit concerns, some of which we addressed at a corporation 
I worked at previously.
In addition to training, we removed Admin from most users and replaced 
that with a connection to Power User group which provided a fair 
amount of privilege without "giving away the store".  There were some 
exceptions but most (legit) software programs could be installed (at 
least that used to be the case - I've not tried this recently).  Note: 
this was a Win XP environment - I thought I read that the Power Users 
group was no longer available under Win 7.
I've also not tried this in the university environment.
- Dave
Dave Kovarik
NUIT-ISS/C
847-467-5930


randy marchany wrote:

I presume the primary reason for preventing local users from having 
admin rights on their desktops is to keep them from installing "evil"
software.

If this is so, then my question to the group is "how long does it

take

a desktop user to get a "legitimate" piece of software installed on 
their desktop? In other words, I have to use software package "A" to 
do my job. How long does it take for "A" to be installed on my 
desktop? My informal straw poll respondents noted the time range to

be

anywhere from 1 day to 2 weeks.This is completely shocking to me.
Now, if my boss is breathing down my neck to finish a project by 
tomorrow & I need software "A" to finish the project, I can't wait 
1-

days. The business process will trump this security process and a) I 
go up the mgt chain to get an exception b) I bring in my personal 
computer, load software "A" on it and get the job done.

So, I wonder why there has never been a survey with the question 
"How long does it take to install a software package on a user 
desktop if you restrict local admin rights?". This is the root cause 
of the "never ending battle" that I keep hearing about. If you make 
the user responsible for whatever they load on their machine AND 
enforce that, then what is the danger of letting them do so? Well, 
people with no local admin privs can still "infect" a machine by 
using their browser so once again, what do we accomplish by 
"preventing" them from

loading

software? Seems like nothing is accomplished, hence, the "never 
ending" battle.

Call me silly, but I think there is an end to this battle but we

don't

want to put in the effort to accomplish this. That end involves a) 
enforcing user responsibility for their actions b) give them basic 
training (you want to be able to install stuff, you have to sit in 
this training) c) speed up legit software install requests.

I keep hearing about this losing battle with the users so why not 
think of something radically different?

Just a thought for the holidays....

Randy Marchany
VA Tech IT Security Office

Current thread:

Re: Peeling off desktop Administrator Rights, (continued)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Gary Dobbins (Dec 07)
- Re: Peeling off desktop Administrator Rights Dave Kovarik (Dec 07)
- Re: Peeling off desktop Administrator Rights Plesco, Todd (Dec 07)
- Re: Peeling off desktop Administrator Rights Iovino, Gabriel G (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights David Escalante (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Stanclift, Michael (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)
- Re: Peeling off desktop Administrator Rights Flynn, Gerald (Dec 07)
- Re: Peeling off desktop Administrator Rights Eric Case (Dec 07)
- Re: Peeling off desktop Administrator Rights randy marchany (Dec 07)

(Thread continues...)