
Message from jjohns86@depaul.edu

Hello Everyone,

 

DePaul is currently evaluating how we have access rights and roles setup on desktop/laptop computers at the institution.  We currently give all employees administrator rights to their desktop computer.  Our understanding is that most institutes of higher education are offering employees of the institution administrator rights on their desktops, but we would like to validate this to satisfy some questions from some others (particularly internal audit folks).  As such, we were interested in gathering some more concrete data on this and have created a very short and simple (4 question) survey to capture this information.    We would very much appreciate your participation if you are able, and we will share the results for everyone via email (cleansing any personal information you choose to enter prior to doing so of course).  If you would rather pass this on to colleagues involved in desktop administration and support, that would also be most appreciated. 

 

Here is a link to the survey:  http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaI 

 

Thank you so much for your help!

 

Regards,

 

 

Jeff Johnson

Infrastructure Support Manager,

Information Systems,

DePaul University

 

Comments

Message from alexander.s@mccd.edu

We are currently moving away from giving local admin rights to all users.  Everyone, including  system/network administrators should be operating with basic user privileges most of the time.  Client-side exploits are a major attack vector and many or most of them depend on users having admin privileges. 

 

Regards,

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu

 

Hi,

I looked at your survey and I would suggest that you add a qualifier to your third question. We allow administrative access UNLESS the desktop is used to process university sensitive information - so the answer is not yes or no, but it depends.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

--On Tuesday, January 31, 2012 11:12 PM +0000 "Johnson, Jeff" wrote:

> Hello Everyone,
>
> DePaul is currently evaluating how we have access rights and roles setup on desktop/laptop computers at the institution. We currently give all employees administrator rights to their desktop computer. Our understanding is that most institutes of higher education are offering employees of the institution administrator rights on their desktops, but we would like to validate this to satisfy some questions from some others (particularly internal audit folks). As such, we were interested in gathering some more concrete data on this and have created a very short and simple (4 question) survey to capture this information. We would very much appreciate your participation if you are able, and we will share the results for everyone via email (cleansing any personal information you choose to enter prior to doing so of course). If you would rather pass this on to colleagues involved in desktop administration and support, that would also be most appreciated.
>
> Here is a link to the survey: http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaI
>
> Thank you so much for your help!
>
> Regards,
>
> Jeff Johnson
> Infrastructure Support Manager,
> Information Systems,
> DePaul University

Same here. I have admin access, but I had to request it. We have moved away from it because of the risks. So some users have it and some don't. So I answered the third question yes, but I'm not sure that was the information you really wanted.

Carolann G Lazarus, CISA
IT Auditor
lazarus@buffalo.edu
716-829-6947

We also could not use the standard survey form -- we've removed administrative access from all computer users/owners (Windows and MacOS) in the HIPAA-covered components as well as other areas with highly confidential data.

Morrow

We're yet another special case that doesn't fit your questions:

On our Windows 7 desktops, which are now the majority, nobody is a local administrator.

However, all staff/faculty set (but many forget) a personal .\admin account and password, different for every machine, that they are instructed to use for software installation and system administration only. The .\admin account is blocked from domain resources, so there is no incentive to use it for anything but UAC elevation prompts. Help desk techs use a domain account whose password changes twice daily. For offline access, the built-in Administrator account is set to a random value and submitted to a web service which stores it GPG-encrypted.

So, we get privilege separation against malware; a UAC speed-bump encouraging some consideration before software installation; two forms of help desk access without password sharing; but no enforcement of policy against unsanctioned software.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
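
The offline-access arrangement described in the message above (a random built-in Administrator password, escrowed in GPG-encrypted form), as an added example that is not part of the thread and not Carleton's own tooling. The escrow URL, GPG recipient and JSON field names are hypothetical; it assumes PowerShell 5.1 or later for the LocalAccounts cmdlets and gpg on the PATH with the escrow public key imported, and it encrypts on the client before submission, which the message does not specify.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Hypothetical values: $EscrowUrl, $Recipient, JSON field names.
param(
    [string]$EscrowUrl = 'https://escrow.example.edu/api/local-admin',  # hypothetical endpoint
    [string]$Recipient = 'helpdesk-escrow@example.edu',                 # hypothetical GPG key
    [int]$Length = 24
)
$ErrorActionPreference = 'Stop'

function New-RandomPassword([int]$Length) {
    # Ambiguous glyphs (0/O, 1/l/I) are left out because a technician may type this by hand.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# The built-in Administrator is identified by RID 500, so a renamed account is still found.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

# Regenerate until the value contains upper case, lower case and a digit (complexity policy).
do { $plain = New-RandomPassword $Length } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d')

# Encrypt on the client so neither the transport nor the web service sees the plaintext.
$armored = ($plain | & gpg --batch --armor --trust-model always --encrypt --recipient $Recipient) -join "`n"
if ($LASTEXITCODE -ne 0 -or -not $armored) { throw 'gpg encryption failed; password not changed.' }

# Escrow first: if the upload fails, the old password stays in force and nothing is lost.
$body = @{
    computer = $env:COMPUTERNAME
    account  = $admin.Name
    rotated  = (Get-Date).ToUniversalTime().ToString('o')
    secret   = $armored
} | ConvertTo-Json
Invoke-RestMethod -Uri $EscrowUrl -Method Post -ContentType 'application/json' -Body $body | Out-Null

# Only after a successful escrow is the local password actually changed.
$admin | Set-LocalUser -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
Remove-Variable plain
Write-Output "Rotated and escrowed password for $($admin.Name) on $env:COMPUTERNAME"
```
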
Message from alexander.s@mccd.edu

“Help desk techs use a domain account whose password changes twice daily”

 

How are you handling that?

 

Regards,

 

Steven Alexander Jr.

Online Education Systems Manager

Merced College

3600 M Street

Merced, CA 95348-2898

(209) 384-6191

alexander.s@mccd.edu

 


  ­­  

We tried very hard to take away admin rights on the desktops, or at least get users to run with a non-priv’d account, but in the end, it was deemed by the helpdesk people that it would create too many calls, and the plan was unceremoniously  vetoed.    The ability for everybody to install anything at any time for any reason is so deeply entrenched, that I think it’s hard to muster the political courage to make a change.     Now we see that attitude bleed over into the mobile world as well.

 

If anybody has successfully removed admin rights, I’d love to hear some tales of strategy, and implementation.   Even just a procedure on how to handle when professor X needs to install applications Y on his desktop.    

 

Jim Gramke

Acting IT Security Manager

College of St. Benedict | St. John’s University

 

Message from skuchta@vcu.edu

We have been working with privilege-elevation software which allows us to remove admin privileges from users and setup a whitelist of installers and/or applications that when launched, the software temporarily grants admin rights to the user. While we are still in the roll-out process for this, feedback has been very positive so far. The tool we're using is called Viewfinity, but I believe there are other similar options out there.

With Viewfinity, there are a couple of ways of handling circumstances when users need to install software not on the whitelist. As we have it setup right now, a request comes into us for approval.

http://www.viewfinity.com/Products/PrivilegeManagement/Elevate-Privileges.aspx

Thanks,
Steve

--
Steve Kuchta
skuchta@vcu.edu
Information Security Manager
Infrastructure and Client Services
School of Medicine Technology Services
http://go.vcu.edu/somtech

Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://go.vcu.edu/phishing.

On 2/1/2012 2:32 PM, Gramke, Jim wrote:

We tried very hard to take away admin rights on the desktops, or at least get users to run with a non-priv’d account, but in the end, it was deemed by the helpdesk people that it would create too many calls, and the plan was unceremoniously  vetoed.    The ability for everybody to install anything at any time for any reason is so deeply entrenched, that I think it’s hard to muster the political courage to make a change.     Now we see that attitude bleed over into the mobile world as well.

 

If anybody has successfully removed admin rights, I’d love to hear some tales of strategy, and implementation.   Even just a procedure on how to handle when professor X needs to install applications Y on his desktop.    

 

Jim Gramke

Acting IT Security Manager

College of St. Benedict | St. John’s University

 

Here at UIC, individual departments decide this.  I decided no admin rights for mine (with a few exceptions) - about 170 desktops.

On 1/31/2012 5:12 PM, Johnson, Jeff wrote:

Hello Everyone,

 

DePaul is currently evaluating how we have access rights and roles setup on desktop/laptop computers at the institution.  We currently give all employees administrator rights to their desktop computer.  Our understanding is that most institutes of higher education are offering employees of the institution administrator rights on their desktops, but we would like to validate this to satisfy some questions from some others (particularly internal audit folks).  As such, we were interested in gathering some more concrete data on this and have created a very short and simple (4 question) survey to capture this information.    We would very much appreciate your participation if you are able, and we will share the results for everyone via email (cleansing any personal information you choose to enter prior to doing so of course).  If you would rather pass this on to colleagues involved in desktop administration and support, that would also be most appreciated. 

 

Here is a link to the survey:  http://depaul.qualtrics.com/SE/?SID=SV_6lNkqctZNQ5BZaI 

 

Thank you so much for your help!

 

Regards,

 

 

Jeff Johnson

Infrastructure Support Manager,

Information Systems,

DePaul University

 

Message from adrews@jjc.edu

Jeff,

Much like many others on this list, I answered "yes" to question 3 on your survey because we do allow admin access to staff and faculty.  However, that access is only given after they fill out a request form and have it approved by management.  I would say less than 5% of our users have admin on their workstations.

Adam
Message from jjohns86@depaul.edu

Thanks Kevin….will add to the details when I publish the results. 

 

Message from jjohns86@depaul.edu

Thanks for the feedback Adam….I will add this to the results when I publish.

 

Regards,

 

Jeff

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Drews, Adam
Sent: Thursday, February 02, 2012 12:01 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Desktop Administrator Question

 

Jeff,

 

Much like many others on this list, I answered "yes" to question 3 on your survey because we do allow admin access to staff and faculty.  However, that access is only given after they fill out a request form and have it approved by management.  I would say less than 5% of our users have admin on their workstations.

 

Adam

Message from jjohns86@depaul.edu

So I wanted to follow up on this request we’d made a few weeks ago.  Thanks so much to everyone who provided some feedback on this.  As many have pointed out, the survey we had put up was very simple, and didn’t give the responder much leeway on the question of whether they give administrator access, and since there are many different variants here (e.g. “yes, we give admin access but not to certain users”, etc.), I got quite a few follow ups from folks with those caveats.  I have tried my best to add them into the second worksheet of the attached Excel sheet.  I also did not add personal contact info for those responders who were so generous to offer follow-ups, since I wasn’t sure if people wanted to share that information publicly.  Therefore, if you want to get additional details from the contributors, please follow up and request it to the list-serv directly. 

 

So without further ado, attached is a spreadsheet breaking down the responses in Excel 2010 format.  If people want this in another format, please reply and I will see what I can do. 

 

Thanks again everyone!

 

Jeff

 

 

 
