[unisog] User rights

Kruse, Jordan jkruse at facilities.buffalo.edu
Thu Jun 29 18:02:09 GMT 2006

We have just recently removed admin rights from the majority of all our
users' (Staff) workstations. As Micheal put it, "the hue and cry was
deafening" but we decided that the risk outweighed the advantages. If a
user requires software to be installed, they contact the helpdesk which
will review the EULA and install the software if it meets policy. If you
are debating on removing rights, I would benchmark security incidents in
the last two years and determine if "rights" would have prevented the
incident. You should also review what kind of data is stored on your
workstations and what access level your users have to confidential
information like social security numbers. 

Since removing admin rights, we have removed almost all instances of
calls regarding your usual spyware/adware symptoms, along with all
non-work-related software, and all your little freebies like Google This
and Google That, and Yahoo This and Yahoo That. If your User Policy
states that "Company" equipment is to be used for work-related material,
then I would assume "rights" management would be a critical control in
supporting your User Policy.

For users that require admin rights, we have started creating Virtual
Machines that can be accessed via RDP. These stations generally have
specific software on them that requires admin rights to run and are only
used to run the application and nothing else. If a user manages to
corrupt a VM station, the image is reverted back to a weekly snapshot.
This also works great for those MS patches that might render a program

Jordan Kruse
University at Buffalo
I&TS Helpdesk & Security Coordinator

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of I Freecycle
Sent: Thursday, June 29, 2006 9:37 AM
To: unisog at lists.sans.org
Subject: [unisog] User rights


I'm wondering how others deal with allowing users rights on work

At our school, users aren't normally given Administrator or Power User
rights unless it's absolutely necessary. Occasionally we encounter
employees and students that don't understand how easily a system can be
messed up and the security issues involved nor why we feel it's
necessary to operate like this.

I would like to know what others do, and what policies they have in
place to address these issues.
