Office PCs and Admin Rights

Dennis,

We have the same policy at Dean College.

Please let me know if you have any questions or would like to discuss further.

Regards

Darrell K

At Keystone College, users do not have admin rights on workstations.  We have had occasion where technicians have given admin rights to “buddies” without authorization, and we subsequently found unlicensed software, junk software/malware, and/or problems that the users would not have run into had the machines’ configuration been protected.   The flip side of this policy is that we must respond quickly to any reasonable request for a software installation.  With Remote Assist and Runas, we can often take a phone call and do the install right then and there.  Or we grant admin rights to the user temporarily so they can do what they need to do.  Even in IT, we do not run our machines with admin rights all the time.  Each of us has a “normal user” account under which our Exchange mailboxes and other privileges are configured, and an “admin” user account that we only use for system maintenance tasks.

Because we have historically been more focused on teaching than research, this approach has worked in most cases.  We do, however, have a few faculty for whom our policy has created difficulties.  We have provided some “extra” workstations for research purposes, with relaxed security so the researcher can tinker – but they still retain an office PC for email and general office work.  VMware Player also presents an interesting method for offering a less controlled environment/sandbox without compromising anything else.

Cheers!

Charlie

We have taken a middle ground approach.  We have removed Admin Rights from users in “critical and public” areas (finance, bursar, registrar, financial aid, computer labs and the library, etc).  Other folks on campus still have their admin rights for now. The determination of who is restricted is related to the nature of the ERP data to which they have access.

Pardon me if this has already been asked…

I’m curious if other colleges and universities grant admin access to desktop or laptops owned and managed by the college and used by faculty or staff.  We currently install whatever they need for them and maintain an inventory of all software installed.  We track licensing etc.  We are hesitant to give people admin access to their machines, but more and more they want to be able to do installations to demo products, get updates that we may not have installed yet, etc.

Just wondering if we’re being overly restrictive.

Thanks for your feedback, Dennis

Good thread and on a related note, last month, the Australian Defence Signals Directorate identified four security controls that would protect against 85% of targeted attacks, and won the 2011 US National Cybersecurity Innovation Award. Here they

are:

1)            Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers;

2)            Patch operating system vulnerabilities;

3)            Minimise the number of users with administrative privileges; and

4)            Use application whitelisting to help prevent malicious software and other unapproved programs from running.

See also http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

Not that you need it, but this can go a long way in supporting your decision to not allow local admin privileges.

john

We do not provide administrative access to users unless they have a documented business need that requires it. Our policy is here - http://www.csuci.edu/it/itpolicy/BP-03-002-Admin-Access-Workstations.doc. In practice, we trust faculty members to determine this need on their own, so faculty requests are routinely granted – all others require a request signed by their supervisor. However, we provide a different service level to users with administrative access – basically, we do not troubleshoot software problems on computers when the user has admin access – we reimage. The SLA is here - http://www.csuci.edu/it/itpolicy/BP-03-002-Enclosure.doc.

Mike, I like your policy! It makes a lot of sense. Out of curiosity: What “ball park” percentage of faculty have asked for admin rights?