Re: Peeling off desktop Administrator Rights

["Stanclift, Michael" <michael.stanclift () ROCKHURST EDU>]

It's been my view that removing administrative rights is not only about preventing malware installs, it's also about 
limiting the liability our campus has in terms of legal issues from software being installed that we don't own, to use 
of P2P software on campus systems, etc.

The idea that users need administrative access to their computer or that they somehow have a right to it is wrong in my 
opinion. When I go into my office, I have services provided to me by other departments on campus that I do not have 
full control over. If I need a light bulb replaced in my office, do I have a key to go do it myself or do I just call 
Physical Plant and have them come over? Sure it'd be faster and probably easier for plant to just go take care of it 
myself. I know I'm massively over simplifying things here, but you see my point.

Just because you can give someone full access to a machine, and they're used to it at home, doesn't mean they should 
have that access at work. I have full access to the thermostat at home (well, I take that back... my wife does... I'm 
just a user there too) but I can't just go adjusting the HVAC system at work how I want.

We make as much software as possible that we've preapproved user-installable through Group Policy Software Deployment 
and soon though System Center once we have that up and running. Our staff maintains a repository of approved software 
installs that require us to do it, so when the user cannot do it themselves it only takes us a few minutes. We have 
very easy to use remote access software and can usually get stuff installed for them within 24 hours, if not as soon as 
they call in.


Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

PThink before you print!
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany 
[marchany () VT EDU]
Sent: Monday, December 07, 2009 4:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Peeling off desktop Administrator Rights

It's been very interesting to see the different scenarios that you
guys have for delegating some priv set to general users. But, IMHO,
all of these don't address the real issue: how long does it take for a
general user to get a software package installed on their desktop if
you don't allow them to do it themselves? Hours? Days? Weeks?

As a long time sysadmin (25+ years) I've beginning to think that we
(sysadmins) are more of the problem than the users because we set up
environments that make address OUR needs/likes and not so much the
user requirements. That model dooms a site to failure, I think.  The
"original" purpose of these restrictions was to prevent users from
downloading malware/trojans  that were embedded in "cute" programs
like aquarium backgrounds, etc. So, the sysadmin in me says "no, no,
no, you can't do that" but we never built an efficient mechanism to
allow a user to download what THEY need to do THEIR job.  I know one
of the reasons why I went down this path was because there was only 1
of me and 10K users. 2 events would overwhelm my response
capabilities. The attack vectors have changed. Now, malware gets
inserted on a desktop without any active user intervention other than
surfing the www and having malware downloaded to their desktop which
is the very thing we tried to prevent with our "no local admin
rights". So, are we going to ban www surfing? Doesn't that impact the
business process? Imagine if we sysadmins aren't allowed to surf sites
like sourceforge, packetstormsecurity, etc. If that happens, then our
job becomes much more difficult.

 I look at some depts here on campus who let their users install
whatever software they want and I don't see any significant increase
in bad events happening in those environments. This leads to me
question how effective was the user ban?

That's why I'm curious to see how long it takes from the time a user
requests a software package to be installed on their desktop to the
time it actually gets installed. I think you'll see what I'm talking
about when we look at the responses.

-r.