Educause Security Discussion mailing list archives
Re: Local Admin Access
From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Fri, 14 May 2021 19:54:57 +0000
I missed this initially but since the thread is active now, I'll jump in.

We are working to eliminate users running as local admin. For staff who truly need it, including IT staff, we create a secondary account with local admin rights. We are also in the process of rolling out LAPS and plan to have it implemented everywhere within the next few weeks.

My concern isn't users abusing their privileges, it's that getting local admin is often a key step in compromising a domain. In particular, if you want to run mimikatz or another tool to dump credentials, you need local admin privileges. We're doing other things to protect against this (e.g. disabling WDigest, using the Protected Users group) but local admin still matters. If regular user accounts have local admin, or if users are using a local admin account as their daily driver, it provides an attacker with a much easier pathway if they are successful in compromising those users' machines (they don't have to find a way to escalate).

It's a mistake to look at local admin rights as affecting only the security of individual machines. Managing local admin rights is important for the security of the whole network/domain.

Steven Alexander
Director of IT Security
Kern Community College District

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Emilie Kunze <ekunze () AUSTINCC EDU>
Sent: Wednesday, April 7, 2021 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Local Admin Access

We are curious how other institutions handle local admin access for faculty/staff?
Thank you,
Emilie

Emilie Kunze
IT Security Analyst Sr.
Acting Information Security Officer
Office of Information Technology
ekunze () austincc edu | o 512-223-1157
ACC Information Security
<https://www.facebook.com/accinfosec/> <https://twitter.com/ACCInfoSec>

CONFIDENTIAL NOTICE
This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to which it is addressed.
Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and destroy all copies of the original message.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
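
Added example (not part of the original message or of any poster's tooling): a per-workstation audit of the controls named in the reply above, covering unexpected members of the local Administrators group, the WDigest credential-caching setting, and whether the LAPS policy is applied. It assumes Windows PowerShell 5.1 or later run elevated, the legacy Microsoft LAPS client, and a constructed allow-list in $ExpectedAdmins; the function names are hypothetical.

```powershell
# Added example: endpoint audit for local admin membership, WDigest and LAPS.
# $ExpectedAdmins is a constructed allow-list; replace with your own accounts/groups.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup works regardless of the OS display language.
    # Simplification: only the leaf name is compared, the domain part is ignored.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-WDigestDisabled {
    # UseLogonCredential = 1 makes WDigest keep plaintext credentials in LSASS memory.
    # A missing value is treated as disabled, which is the default on
    # Windows 8.1 / Server 2012 R2 and later.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential `
            -ErrorAction SilentlyContinue).UseLogonCredential
    return ($val -ne 1)
}

function Test-LapsPolicyEnabled {
    # Policy value written by the legacy LAPS Group Policy settings
    # (assumption: legacy LAPS, not the newer built-in Windows LAPS).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $val = (Get-ItemProperty -Path $key -Name AdmPwdEnabled `
            -ErrorAction SilentlyContinue).AdmPwdEnabled
    return ($val -eq 1)
}

# One summary object per machine; easy to collect centrally and export to CSV.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    UnexpectedAdmins  = @(Get-UnexpectedLocalAdmin -Allowed $ExpectedAdmins).Name -join '; '
    WDigestDisabled   = Test-WDigestDisabled
    LapsPolicyEnabled = Test-LapsPolicyEnabled
}
```

Any machine reporting a daily-use account in UnexpectedAdmins, WDigestDisabled as False, or LapsPolicyEnabled as False is one where the escalation step described in the message is already done for an attacker or where the mitigations have not landed yet.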
Current thread:
- Re: [External] [SECURITY] Local Admin Access, (continued)
- Re: [External] [SECURITY] Local Admin Access Gregg, Christopher S. (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Andy Leffler (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Kevin Ledbetter (Apr 07)
- Re: [External] [SECURITY] Local Admin Access John Ramsey (Apr 07)
- Re: [External] [SECURITY] Local Admin Access Rich Graves (Apr 07)
- Re: Local Admin Access Madl, Michael (May 09)
- Re: Local Admin Access Clark Gaylord (May 09)
- Message not available
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: Local Admin Access Lovaas,Steven (May 14)
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: Local Admin Access Clark Gaylord (May 14)
- Re: [External] [SECURITY] Local Admin Access Gregg, Christopher S. (Apr 07)
- Re: Local Admin Access Steven Alexander (May 14)
- Re: Local Admin Access Henry Wojteczko (May 16)