Message from dthibeau@post03.curry.edu

Pardon me if this has already been asked…

 

I’m curious if other colleges and universities grant admin access to desktop or laptops owned and managed by the college and used by faculty or staff.  We currently install whatever they need for them and maintain an inventory of all software installed.  We track licensing etc.  We are hesitant to give people admin access to their machines, but more and more they want to be able to do installations to demo products, get updates that we may not have installed yet, etc.

 

Just wondering if we’re being overly restrictive.

 

Thanks for your feedback, Dennis

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Dennis,
At ISU we grant such access campus wide. Our external auditors have questioned it... but we calculated the cost to support folks if we had to respond every time they needed something installed, changed, automatic updates done, etc. It was a staggering number... but we also decided the risk of not getting anti-virus updates, Windows patches, etc. outweighed the security of locking everyone down. There may be solutions to some of these problems in a locked-down environment, and we may have to revisit, but for now folks can do what they want.
Randy

Dennis,

 

We have the same policy at Dean College.

 

Please let me know if you have any questions or would like to discuss further.

 

Regards

 

Darrell K

 

 

J.Darrell Kulesza

Vice President and Chief  Information Officer

Dean College

99 Main Street

Franklin MA 02038

 

Office: 508541 1864

Mobile: 781 856 6937

 

www.dean.edu

 

 

 

At Fairleigh Dickinson University we maintain some control of the staff/admin desktop images but give laptop users full Admin rights.

Jim Lebo
Asst. University Director Computing Services and Project Management

On Mon, 5 Dec 2011 17:01:04 -0500 "Thibeault, Dennis" wrote:
> Pardon me if this has already been asked...
>
> I'm curious if other colleges and universities grant admin access to desktop or laptops owned and managed by the college and used by faculty or staff. We currently install whatever they need for them and maintain an inventory of all software installed. We track licensing etc. We are hesitant to give people admin access to their machines, but more and more they want to be able to do installations to demo products, get updates that we may not have installed yet, etc.
>
> Just wondering if we're being overly restrictive.
>
> Thanks for your feedback, Dennis

At Mitchell College we make everyone local admins … it was a lot of work in the beginning but questions and issues have settled down and for the most part what everyone said they needed to be able to do (install software, etc.) very few ever did. The cost to respond before was much higher ….

___________________________________
Charles Keeler
Mitchell College
Office of Information Technology
Chief Technology Officer
(860) 701-5254

From: Randy Gaines
Reply-To: EDUCAUSE Listserv
Date: Mon, 5 Dec 2011 17:06:08 -0500
To: EDUCAUSE Listserv
Subject: Re: [CIO] Office PCs and Admin Rights

Dennis,
At ISU we grant such access campus wide. Our external auditors have questioned it... but we calculated the cost to support folks if we had to respond every time they needed something installed, changed, automatic updates done, etc. It was a staggering number... but we also decided the risk of not getting anti-virus updates, Windows patches, etc. outweighed the security of locking everyone down. There may be solutions to some of these problems in a locked-down environment, and we may have to revisit, but for now folks can do what they want.
Randy

We grant users administrative access.
Associate Provost for Technology & Information Systems



Message from cloy.tobola@ndsu.edu

We grant admin rights to all users. However, on every machine we also set up a second admin account that is only accessible by IT staff. This allows us to work on a machine in an employee's absence or recover a lost password.

"Matthews, Rick" <matthews@WFU.EDU> wrote:

We grant users administrative access.
Associate Provost for Technology & Information Systems



At Keystone College, users do not have admin rights on workstations.  We have had occasion where technicians have given admin rights to “buddies” without authorization, and we subsequently found unlicensed software, junk software/malware, and/or problems that the users would not have run into had the machines’ configuration been protected.   The flip side of this policy is that we must respond quickly to any reasonable request for a software installation.  With Remote Assist and Runas, we can often take a phone call and do the install right then and there.  Or we grant admin rights to the user temporarily so they can do what they need to do.  Even in IT, we do not run our machines with admin rights all the time.  Each of us has a “normal user” account under which our Exchange mailboxes and other privileges are configured, and an “admin” user account that we only use for system maintenance tasks.

 

Because we have historically been more focused on teaching than research, this approach has worked in most cases.  We do, however, have a few faculty for whom our policy has created difficulties.  We have provided some “extra” workstations for research purposes, with relaxed security so the researcher can tinker – but they still retain an office PC for email and general office work.  VMware Player also presents an interesting method for offering a less controlled environment/sandbox without compromising anything else.

 

Cheers!

Charlie


We have taken a middle ground approach.  We have removed Admin Rights from users in “critical and public” areas (finance, bursar, registrar, financial aid, computer labs and the library, etc).  Other folks on campus still have their admin rights for now. The determination of who is restricted is related to the nature of the ERP data to which they have access.

 

 

Jerome F. Waldron, CIO

Salisbury University

Salisbury, MD  21801

410-546-6933

freshmantech.blogspot.com

 

"The people who are crazy enough to think they can change the world
are the ones who do."

-- Apple's "Think Different" Commercial, 1997

 

We do the same as Salisbury. We did a risk assessment and felt that finance, business IT (developers and analysts), HR, financial aid, registrar, student health, graduate school, and admissions were high risk areas because of the data they had on their computer or the types of transactions they did were at high risk if malware was inadvertently installed (such as a keylogger). A person can request an exception that must be approved by their director and a senior leader in IT. We generally require that for this to occur the computer must be running OSX or Windows 8, have disk encryption, and the person has reviewed the SANS "securing the human element" training videos. Except for IT, we only had a few requests to be exempted. Most of IT has gone the Mac route. It does add to support efforts but was necessary to meet requirements from the auditors.

jack suess, UMBC

Dennis,
 
At Franciscan University of Steubenville we do not give admin access to staff laptops and workstations as requested by our auditors.  We do allow admin access to faculty laptops.
 
Kevin G. Sebolt
Director, Office of Information Technology
Franciscan University of Steubenville
1235 University Blvd. Steubenville, Ohio 43952-1763
Phone:  740-284-5192
Fax:      740-284-7228
 
 


>>> "Thibeault, Dennis" <dthibeau@POST03.CURRY.EDU> 12/5/2011 5:01 PM >>>

Pardon me if this has already been asked…

 

I’m curious if other colleges and universities grant admin access to desktop or laptops owned and managed by the college and used by faculty or staff.  We currently install whatever they need for them and maintain an inventory of all software installed.  We track licensing etc.  We are hesitant to give people admin access to their machines, but more and more they want to be able to do installations to demo products, get updates that we may not have installed yet, etc.

 

Just wondering if we’re being overly restrictive.

 

Thanks for your feedback, Dennis


Message from borkowse@union.edu

All staff in administrative offices do not have admin access to their machines due to the information they have access to. Faculty machines do not have this restriction. To help with some administrative offices, we have designated a "point person" who is given an admin password when they need to install something on their machines, but they must coordinate with their ITS point of contact on this and the password is changed after the installation is complete.

Ellen

--
Ellen Yu Borkowski
Chief Information Officer
Information Technology Services
Union College
807 Union St.
Schenectady, NY 12308
Office: 518.388.6293
Fax: 518.388.6470
Email: eyb@union.edu
Web: http://its.union.edu

From: "Thibeault, Dennis"
Reply-To: The EDUCAUSE CIO Constituent Group Listserv
Date: Mon, 5 Dec 2011 17:01:04 -0500
Subject: [CIO] Office PCs and Admin Rights

Pardon me if this has already been asked…

I’m curious if other colleges and universities grant admin access to desktop or laptops owned and managed by the college and used by faculty or staff. We currently install whatever they need for them and maintain an inventory of all software installed. We track licensing etc. We are hesitant to give people admin access to their machines, but more and more they want to be able to do installations to demo products, get updates that we may not have installed yet, etc.

Just wondering if we’re being overly restrictive.

Thanks for your feedback, Dennis

At St. John's College we do not provide admin access to staff laptops and workstations. We do allow admin access to faculty laptops if requested.

Anita L. Brown
ITS Operations Manager
St. John's College
P.O. Box 2800
Annapolis, MD 21404-2800
410-626-2508
Anita.Brown@sjca.edu

Annapolis Help Desk email: helpdesk@sjca.edu
Annapolis Help Desk phone: 410-626-2892

At Wayne State we are considering removing admin rights from 'administrative and staff' computers, but not from faculty computers.
It will be interesting to see how this plays out nationally. I am personally skeptical as to whether the promised benefits turn out to be real in the long run, given how long it takes for desktop support to arrive at an office and the frequency with which Acrobat, Firefox and similar essential applications have pushed security-based updates.

Geoff Nathan

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Professor, Linguistics Program
http://blogs.wayne.edu/proftech/
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

Good thread and on a related note, last month, the Australian Defence Signals Directorate identified four security controls that would protect against 85% of targeted attacks, and won the 2011 US National Cybersecurity Innovation Award. Here they are:

1) Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers;

2) Patch operating system vulnerabilities;

3) Minimise the number of users with administrative privileges; and

4) Use application whitelisting to help prevent malicious software and other unapproved programs from running.

 

See also http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

 

Not that you need it, but this can go a long way in supporting your decision to not allow local admin privileges.

 

john

 

 

Generally speaking we don't provide admin rights to anyone as a default configuration.  We have implemented a fairly robust group policy management system (Avecto) that covers almost all of the general needs for software updates and safe installs.  For those folks who need admin rights for other kinds of installs related to their teaching or research, we provide them with a local admin account.  They must request this account through our help desk.  There are a few domain accounts that have admin privileges.  Some will likely remain as the users have peculiar applications installed that will not work properly without admin rights.

This is a relatively new practice for us.  Previously, we had provided most users with admin rights on their domain accounts.  However, we had numerous repeated problems with malware and several other issues that the cost analysis favored removing admin rights.  As one might imagine a change of this sort caused a substantial uproar.  After extended consultation with various stakeholder groups we settled on the practice described above.  This seems to have helped us find a happy medium between security and flexibility.

______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


We do not provide administrative access to users unless they have a documented business need that requires it. Our policy is here - http://www.csuci.edu/it/itpolicy/BP-03-002-Admin-Access-Workstations.doc. In practice, we trust faculty members to determine this need on their own, so faculty requests are routinely granted – all others require a request signed by their supervisor. However, we provide a different service level to users with administrative access – basically, we do not troubleshoot software problems on computers when the user has admin access – we reimage. The SLA is here - http://www.csuci.edu/it/itpolicy/BP-03-002-Enclosure.doc.

 

Mike, I like your policy! It makes a lot of sense. Out of curiosity: What “ball park” percentage of faculty have asked for admin rights?

 

Thanks!

******************************************
Charlie Moran
Sr. Partner

1215 Hamilton Lane, Suite 200
Naperville, IL  60540
Toll-Free (877) 212-6379 (Voice & Fax)
Website: www.MoranTechnology.com
******************************************
Please consider the environment before printing this email...

 

Dennis,

 

We do not generally grant admin rights.  Exceptions for those who use non-College provided software for their work (regardless if faculty or staff) are those who have permission to do so from both their immediate supervisor and the ITS Dept lead/CIO.

 

Regards,

 

Jim

 

James M. Dutcher - Chair - SUNY Council of CIOs

SUNY Cobleskill - CIO: PMP, CISSP, SCP/Security+, CISA

EMail : dutchejm@cobleskill.edu

EMail : jim@dutcher.net (personal)

Office: (518) 255-5809

Cell  : (518) 657-1056 (work)

Cell  : (607) 760-7455 (personal)

Skype : james_dutcher

http://www.cobleskill.edu

 

 

 

 

Dennis,

At Geneseo we are working toward a concept we are calling the Principle of Least Privilege. When logged on with administrative privileges, there is much less protection against modifications being made by intruders to system setup and configurations on your local system. A review of all vulnerabilities documented in last year's Microsoft Security Bulletins shows that removing admin rights can mitigate the effects of 92 percent of critical Microsoft vulnerabilities. Our thinking is that anyone running the Windows operating system should avoid logging on for everyday use with an account that belongs to the Administrator’s group.

The Principle of Least Privilege means that the user logs on with an account that has the minimum system privileges for everyday or routine activities, such as running web browsers or Microsoft Office or email programs. Our IT folks prefer to secure Windows systems by setting all daily use accounts to run with least privileges. The key is to log in as Administrator only when you need to install software or perform various other administrative tasks. It was the time the IT staff spend cleaning up the effects of malware and user frustration that caused us to take this route. We are setting up all new computers with Least Privilege and moving any computer that we work on to Least Privilege. The vast majority never need to be an admin and are happy to be having fewer problems. For the people that need admin rights to do something, they can login as an administrator for that function.

-sue

Susan E. Chichester
Chief Information Officer & Director, CIT
SUNY Geneseo
South Hall 119, 1 College Circle
Geneseo, NY 14454
email: sue@geneseo.edu
phone: 585-245-5577
fax: 585-245-5579

Security Tip: Never share your password or login information with anyone, ever. CIT will never ask for it via email.