Educause Security Discussion mailing list archives
Re: The value of 'least privilege'
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Tue, 30 Mar 2010 09:02:02 -0700
Remote tools (remote assistance, SCCM, etc.) and third-party tools like ScriptLogic's Privilege Authority and BeyondTrust's Privilege Manager can bring the time to install an app down to minutes. As for checking apps, just not running as admin can stop the browse by hijacking and infection. However, you are right; apps should be checked and added to an approved list, and the install source should be placed in a central location and installed from there, not from the media or download the user "found."

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Tuesday, March 30, 2010 7:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] The value of 'least privilege'

While I agree that limiting administrative rights is a good thing, sites need to answer accurately the following questions:

1. How long does it take your IT staff to install software that an end user needs?
2. How long does it take your IT staff to check such software for security issues? Presumably, this is the real reason why end users aren't allowed to install software. If your IT staff doesn't check software for security issues, they can make the same mistake. Do your admins even check for security problems with vendor software? I suspect it's not a thorough check.

If the answers to the above questions are "long" and an end user needs the software ASAP (who doesn't?), then the end user will find ways to bypass this restriction in order to get the job done. Having a timely software installation process is critical to the success of this security solution. No sysadmin can anticipate what software is needed at any given point in time.

I'm curious to see what the answers are to the above questions. My informal survey answers range from 1 day (ok) to 2 weeks (not ok).

-Randy Marchany
VA Tech IT Security Office