Re: Non-administrator advantages / disadvantages

[Geoffrey Steven Nathan <geoffnathan () WAYNE EDU>]

I will agree with Kevin here. My wife is a high-level administrator here, and often has to act very quickly on tricky 
personnel issues. When someone sends her a pdf related (say) to an emergency dismissal and her Acrobat insists on an 
update NOW, the last thing she needs is to submit a support ticket and wait a couple of days before she can read the 
file. This kind of thing happens more often than we might think (well, maybe not the emergency dismissal), but the 
notion that IT support student workers' time is more valuable than the Vice President's time, so we need to hold up 
their work to minimize IT support costs needs to be discussed with all parties involved. 
And yes, there may be tools that will make such updates automatic, or make remote updating trivial, but actually 
implementing those tools still seems a long way off. 
Just my 2c worth. 

Geoff 

Geoffrey S. Nathan 
Faculty Liaison and IT Policy Coordinator, C&IT 
and Professor, Linguistics Program 
http://blogs.wayne.edu/proftech/ 
+1 (313) 577-1259 (C&IT) 

----- Original Message -----

> From: "Kevin Shalla" <kshalla () UIC EDU>
> Sent: Friday, November 30, 2012 4:48:38 PM
> Subject: Re: Non-administrator advantages / disadvantages

> A few have admin rights now, and there’s a stampede by others to also
> get it, so we’re considering granting it to many others.

> Kevin

> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven
> Alexander
> Sent: Tuesday, November 27, 2012 3:00 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Non-administrator advantages / disadvantages

> Kevin,

> Most users don’t require anything above basic user privilege to do
> their jobs. If you give them administrator rights, you are giving up
> control of their machines. The users can install any software,
> bypass group policy and possibly gain domain admin rights (if a
> domain admin logs in to their machine). They will also be much more
> vulnerable to malware. Most malware requires administrator privilege
> for full functionality because admin rights are needed to install
> device drivers, put a network card into promiscuous mode or install
> a new service.

> Prohibited software can span a pretty wide range: games, P2P
> software, unlicensed/pirated software, personally owned software.
> You need to worry about performance/compatibility problems, security
> issues, copyright.

> What’s the context behind your question? Do your users have admin
> rights now? Are you considering granting or taking away admin rights
> for everyone or just some users?

> Regards,

> Steven Alexander Jr.
> Online Education Systems Manager
> Merced College
> 3600 M Street
> Merced, CA 95348-2898
> (209) 384-6191
> alexander.s () mccd edu

> From: The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU ] On Behalf Of Shalla, Kevin
> Sent: Tuesday, November 27, 2012 12:24 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Non-administrator advantages / disadvantages

> I’m trying to highlight the advantages and disadvantages of
> prohibiting administrator access for users of Windows computers. Can
> you provide feedback on what I have below? By the way, what’s an
> example of software that is generally prohibited? Is BitTorrent an
> example? Is it common?

> Advantages
> Most malware stays on one user profile, so other users on same
> machine are unaffected. Deleting the profile can remove the malware.
> Prohibited (by policy) software doesn’t get installed. Combinations
> of software known to be problematic are not installed (like multiple
> active versions of antivirus).

> Disadvantages
> User cannot install or update some software immediately – have to
> wait for desktop support.

> Kevin Shalla

> ­­