Educause Security Discussion mailing list archives
Re: Non-administrator advantages / disadvantages
From: Christopher R Webber <christopher.webber () UCR EDU>
Date: Fri, 30 Nov 2012 22:00:16 +0000
I think the larger picture needs to be looked at:

- Who are your clients?
- What is your actual goal?
- What do your users need?

Frequently we get all huffy puffy about not being able to install software etc, but is that really a service to the "business?" My bet is you will need to find a balance. If you are managing a clerical worker that has a very distinct job, sure, lock it down (just make sure Freecell gets installed). If you are dealing with say a Resident Director or someone in Student Affairs, it may be a job requirement that they are able to play video games or can install software. It all depends.

The typical BOFH attitude of CONTROL EVERYTHING ALL THE TIME needs to end. This is exactly why BYOD is winning, because even executives are tired of the stupid crap IT puts them through.

</rant>

--
cwebber

Christopher Webber - Systems Administrator
Bioinformatics Core - Institute for Integrative Genome Biology
University of California, Riverside
Twitter: @cwebber
Tel: 951.867.7108
http://cwebber.ucr.edu

On Nov 30, 2012, at 13:48, "Shalla, Kevin" <kshalla () UIC EDU> wrote:

A few have admin rights now, and there’s a stampede by others to also get it, so we’re considering granting it to many others.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven Alexander
Sent: Tuesday, November 27, 2012 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Non-administrator advantages / disadvantages

Kevin,

Most users don’t require anything above basic user privilege to do their jobs. If you give them administrator rights, you are giving up control of their machines. The users can install any software, bypass group policy and possibly gain domain admin rights (if a domain admin logs in to their machine). They will also be much more vulnerable to malware. Most malware requires administrator privilege for full functionality because admin rights are needed to install device drivers, put a network card into promiscuous mode or install a new service.

Prohibited software can span a pretty wide range: games, P2P software, unlicensed/pirated software, personally owned software. You need to worry about performance/compatibility problems, security issues, copyright.

What’s the context behind your question? Do your users have admin rights now? Are you considering granting or taking away admin rights for everyone or just some users?

Regards,

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Tuesday, November 27, 2012 12:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Non-administrator advantages / disadvantages

I’m trying to highlight the advantages and disadvantages of prohibiting administrator access for users of Windows computers. Can you provide feedback on what I have below? By the way, what’s an example of software that is generally prohibited? Is BitTorrent an example? Is it common?

Advantages

- Most malware stays on one user profile, so other users on same machine are unaffected. Deleting the profile can remove the malware.
- Prohibited (by policy) software doesn’t get installed.
- Combinations of software known to be problematic are not installed (like multiple active versions of antivirus).

Disadvantages

- User cannot install or update some software immediately – have to wait for desktop support.

Kevin Shalla