Educause Security Discussion mailing list archives
Re: Desktop Administrator Question
From: Steve Kuchta <skuchta () VCU EDU>
Date: Wed, 1 Feb 2012 15:39:28 -0500
We have been working with privilege-elevation software which allows us to remove admin privileges from users and setup a whitelist of installers and/or applications that when launched, the software temporarily grants admin rights to the user. While we are still in the roll-out process for this, feedback has been very positive so far. The tool we're using is called Viewfinity, but I believe there are other similar options out there.
With Viewfinity, there are a couple of ways of handling circumstances when users need to install software not on the whitelist. As we have it setup right now, a request comes into us for approval.
http://www.viewfinity.com/Products/PrivilegeManagement/Elevate-Privileges.aspx Thanks, Steve -- Steve Kuchta skuchta () vcu edu <mailto:skuchta () vcu edu> Information Security Manager Infrastructure and Client Services School of Medicine Technology Services http://go.vcu.edu/somtech ------------------------------------------------------------------------Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://go.vcu.edu/phishing.
------------------------------------------------------------------------ On 2/1/2012 2:32 PM, Gramke, Jim wrote:
We tried very hard to take away admin rights on the desktops, or at least get users to run with a non-priv'd account, but in the end, it was deemed by the helpdesk people that it would create too many calls, and the plan was unceremoniously vetoed. The ability for everybody to install anything at any time for any reason is so deeply entrenched, that I think it's hard to muster the political courage to make a change. Now we see that attitude bleed over into the mobile world as well.If anybody has successfully removed admin rights, I'd love to hear some tales of strategy, and implementation. Even just a procedure on how to handle when professor X needs to install applications Y on his desktop.Jim Gramke Acting IT Security Manager College of St. Benedict | St. John's University *From:*Steven Alexander [mailto:alexander.s () MCCD EDU] *Sent:* Tuesday, January 31, 2012 5:34 PM *Subject:* Re: Desktop Administrator QuestionWe are currently moving away from giving local admin rights to all users. Everyone, including system/network administrators should be operating with basic user privileges most of the time. Client-side exploits are a major attack vector and many or most of them depend on users having admin privileges.Regards, Steven Alexander Jr. Online Education Systems Manager Merced College 3600 M Street Merced, CA 95348-2898 (209) 384-6191 alexander.s () mccd edu <mailto:alexander.s () mccd edu>*From:*The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Johnson, Jeff*Sent:* Tuesday, January 31, 2012 3:13 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Desktop Administrator Question Hello Everyone,DePaul is currently evaluating how we have access rights and roles setup on desktop/laptop computers at the institution. We currently give all employees administrator rights to their desktop computer. Our understanding is that most institutes of higher education are offering employees of the institution administrator rights on their desktops, but we would like to validate this to satisfy some questions from some others (particularly internal audit folks). As such, we were interested in gathering some more concrete data on this and have created a very short and simple (4 question) survey to capture this information. We would very much appreciate your participation if you are able, and we will share the results for everyone via email (cleansing any personal information you choose to enter prior to doing so of course). If you would rather pass this on to colleagues involved in desktop administration and support, that would also be most appreciated.Here is a link to the survey: http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaIThank you so much for your help! Regards, Jeff Johnson Infrastructure Support Manager, Information Systems, DePaul University
Current thread:
- Re: Desktop Administrator Question, (continued)
- Re: Desktop Administrator Question Lazarus, Carolann (Feb 01)
- Re: Desktop Administrator Question Morrow Long (Feb 01)
- Re: Desktop Administrator Question Rich Graves (Feb 01)
- Re: Desktop Administrator Question Steven Alexander (Feb 01)
- Re: Desktop Administrator Question Kevin Shalla (Feb 02)
- Re: Desktop Administrator Question Johnson, Jeff (Feb 03)
- Re: Desktop Administrator Question Drews, Adam (Feb 02)
- Re: Desktop Administrator Question Johnson, Jeff (Feb 03)
- Re: Desktop Administrator Question Johnson, Jeff (Feb 17)
- Re: Desktop Administrator Question Gramke, Jim (Feb 01)
- Re: Desktop Administrator Question Steve Kuchta (Feb 01)