Educause Security Discussion mailing list archives

Re: Desktop Administrator Question


From: "Gramke, Jim" <JGramke () CSBSJU EDU>
Date: Wed, 1 Feb 2012 19:32:43 +0000

We tried very hard to take away admin rights on the desktops, or at least get users to run with a non-priv'd account,
but in the end, it was deemed by the helpdesk people that it would create too many calls, and the plan was
unceremoniously vetoed. The ability for everybody to install anything at any time for any reason is so deeply
entrenched, that I think it's hard to muster the political courage to make a change. Now we see that attitude bleed
over into the mobile world as well.

If anybody has successfully removed admin rights, I'd love to hear some tales of strategy, and implementation. Even
just a procedure on how to handle when professor X needs to install applications Y on his desktop.


Jim Gramke
Acting IT Security Manager
College of St. Benedict | St. John's University

From: Steven Alexander [mailto:alexander.s () MCCD EDU]
Sent: Tuesday, January 31, 2012 5:34 PM
Subject: Re: Desktop Administrator Question

We are currently moving away from giving local admin rights to all users. Everyone, including system/network
administrators, should be operating with basic user privileges most of the time. Client-side exploits are a major
attack vector and many or most of them depend on users having admin privileges.

Regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Johnson, Jeff
Sent: Tuesday, January 31, 2012 3:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Desktop Administrator Question

Hello Everyone,

DePaul is currently evaluating how we have access rights and roles set up on desktop/laptop computers at the
institution. We currently give all employees administrator rights to their desktop computer. Our understanding is
that most institutes of higher education are offering employees of the institution administrator rights on their 
desktops, but we would like to validate this to satisfy some questions from some others (particularly internal audit 
folks).  As such, we were interested in gathering some more concrete data on this and have created a very short and 
simple (4 question) survey to capture this information. We would very much appreciate your participation if you are
able, and we will share the results for everyone via email (cleansing any personal information you choose to enter 
prior to doing so of course).  If you would rather pass this on to colleagues involved in desktop administration and 
support, that would also be most appreciated.

Here is a link to the survey:  http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaI

Thank you so much for your help!

Regards,


Jeff Johnson
Infrastructure Support Manager,
Information Systems,
DePaul University


  
