Re: Non-administrator advantages / disadvantages

[randy <marchany () VT EDU>]

What are we trying to prevent by restricting user from having admin privs?
If it's to keep people from downloading evil malware, I hate to tell you
this but the primary method of malware delivery is by web drive-bys where a
user simply visits a legit www site and the malware is loaded via an
infected ad. User downloads are probably a small % of the infection. So
here are some questions I believe need to be answered before one implements
an arbitrary security solution.

0. IMHO, restricting user privs arbitrarily is a response to an old attack
vector.  Similar to account lockouts, this was the ONLY defense about 5-10
years ago when there weren't additional controls. Make sure you're
addressing the right problem.
1. do you have stats that show the types of infections and their vectors at
your site? In other words, do your stats show that users with privs are the
primary cause of infection? If so, then it makes sense to restrict user
privs.
2. Use your stats to support your security decisions. If your stats show
that web drivebys are your primary source of infection then restricting
user privs won't make you any more secure.
3. How long does it take for a user to have software that they need for
their job installed on their machine? 2-4 hours? 2-4 days? 2-4 weeks? In
the SANS classes I've taught, I ask this question and the answers I get
back actually range from hours to weeks. I was shocked that it takes more
than a day to have software installed on a work machine. I'm not talking
about an aquarium screen saver. I'm talking about business software.
4. If you don't have a responsive software install process, your users will
bypass your security by simply installing the software they need on their
personal machine, copy the data to the machine and do their work. Now, your
chances of data exposure increase and you have a worse problem than the one
you were trying to solve.

So, I believe it's extremely important that you collect the appropriate
security stats before making a security decision.

Just my .02.

-Randy Marchany
VA Tech IT Security Office



On Fri, Nov 30, 2012 at 4:45 PM, Shalla, Kevin <kshalla () uic edu> wrote:

>  This is a disadvantage from the user’s perspective.  They want to do
> what they want to do when they want to do it.  I have to provide support
> and demonstrate value added.  It’s difficult to argue this: “I know you’re
> the administrator of your own computer at home, and it works for you, and
> nothing gets in your way, but here at work, we have to slow you down
> because it’s for your own good, and the good of the university.”  We’ve
> been short of staffing, but still striving towards automating software
> updates, but so far the only thing we’ve mastered is through group policy,
> which isn’t very reliable.  Further, Adobe and Java are frequently telling
> users to update, yet when they try, they are thwarted.  Thus, we have users
> questioning our value, and saying “Give me the keys, you guys are too slow”.
> ****
>
> ** **
>
> Kevin****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Morrow Long
> *Sent:* Tuesday, November 27, 2012 2:31 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Non-administrator advantages / disadvantages****
>
> ** **
>
> > Disadvantages****
>
> > User cannot install or update some software immediately – have to wait
> for desktop support.****
>
> ** **
>
> This is a disadvantage :-?****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Shalla, Kevin
> *Sent:* Tuesday, November 27, 2012 3:24 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Non-administrator advantages / disadvantages****
>
> ** **
>
> I’m trying to highlight the advantages and disadvantages of prohibiting
> administrator access for users of Windows computers.  Can you provide
> feedback on what I have below?  By the way, what’s an example of software
> that is generally prohibited?  Is BitTorrent an example?  Is it common?***
> *
>
> ** **
>
> Advantages****
>
> Most malware stays on one user profile, so other users on same machine are
> unaffected.  Deleting the profile can remove the malware. Prohibited (by
> policy) software doesn’t get installed.  Combinations of software known to
> be problematic are not installed (like multiple active versions of
> antivirus).****
>
> ** **
>
> Disadvantages****
>
> User cannot install or update some software immediately – have to wait for
> desktop support.****
>
> ** **
>
> Kevin Shalla****
>
> ** **