Granting all users (or "a select few"??) administrative rights on their own computer systems??
This is a topic of ongoing interest here as well. We have just reached the 1 year mark to a more managed environment where we restrict access to local administrator accounts. It has been, as pretty much everyone can guess or knows from experience, painful politically.

We have a good process for handling exception requests in place that involves a review board consisting of an administrative staff member, a faculty member and an appointee of the Provost. Requests are reviewed and generally acted upon in less than a week unless there is a need to seek more information (some of the submitted justifications are sketchy or do not contain enough information).

Our major challenge has been the number of folks who seem to believe that performing maintenance on "their" computer is part of their job. We also have challenges in getting a good handle on eliminating all of the nuisance popups for updates (Adobe, Java, etc.). While we are doing a better job now, it is still an issue.

When it comes to software installations, we are working on a system that will provide a menu of self-service selections. This will operate with our management tool (Altiris) and push those jobs out to the requested computer(s) in short order. Licensing, management, and patching can all be managed in this way and frankly, that is a 90%+ solution right there.

As has been commented, the dangers of allowing unrestricted local admin accounts are well documented, and not all of the issues are strictly security related. As only one example, something as common as Java comes with extra software selections *preselected* during installation. If users do not know what to look for and are allowed to self-install, we're going to have a lot of computers running the Ask.com toolbar in short order.

At this point, we know that our support workload has largely shifted from fire-fighting to satisfying on demand software installations and normal configuration issues. The number of pending support tickets has been reduced, at least partially due to this shift in policy. We are also working through plans to further streamline the request process, which will include a self-paced education component plus assessment, ties to the property system (for verifying 'ownership') and partial automation of this process.

We firmly believe we are on the right path in terms of how to most effectively deliver high quality support within a very constrained budget. Whether this holds up in the face of the cultural and political hurdles most (if not all) higher ed institutions face remains to be seen, but we are hopeful that it will.

~Jeff

Jeff Durfee, CISSP
Director, IT Security
University of North Florida