[unisog] Defending Administrative Rights policy

Stephen John Smoogen smooge at unm.edu
Thu Oct 4 16:23:29 GMT 2007

Martin Sapsed wrote:
> Davis,William wrote:
>> I am defending our security policy that limits Administrative Rights to IT staff only and am looking for statistics and comments from other peer
>> universities on this policy.
>> If anyone would be willing to share any information with me I would be very grateful.
>> I am most interested in knowing:
>> 1. Do you permit or deny Administrative Rights to general faculty/staff?
>> 2. What constitutes and exception to this policy?
>> 3. What infections/incidents, or lack thereof, have you experienced?
>> 4. If a security incident occurred, what was the cost as a result?
>> 5. If you permit Admin Rights, what additional security measures did you put in place or depend on?
>> 6. What strategies do you use to enforce a "deny admin rights" policy for higher level administrative positions?
> I'm intrigued by this discussion because it's something I'm under a lot
> of pressure about. A large number of people here *need* admin rights so
> that they can
> a) format floppy disks (I kid you not!)
> b) install printer drivers for the random cheap printer they've just bought
> c) install random bits of software

This is a general line that I have heard from lots and lots of
workplaces. It was the most common excuse at Los Alamos that I heard
:).. and while universities aren't dealing with the same security risks,
finding out that 10,000 students and alumni social security numbers just
left and are on piratE-Bay can be caused by the same rules.

How I saw this solved at other Labs was:

1) No regular account had admin rights.
2) Admin right accounts were created in the central AD with locked down
policies. They were charged to the departments by level of access given
out. You want to have complete control, you pay the big bucks. You want
to just format floppy disks.. you pay less. However, it was cheaper in
the end to just buy a bunch of 486 boxes and put them in areas where any
person could go up.. stick a disk in its drive, press enter, and voila a
wiped and formatted floppy disk.
3) Printers were bought by the IT group and installed properly. Printers
bought by a department would have to be installed by IT but had a
regular priority versus printers bought by IT were discounted and had a
higher ticket queue.
4) People who needed to install random pieces of software went to
regular security awareness training, and had a non-regular account. This
account was audited and might be locked out after being 'active' for
some large amount of time (eg if you only log in as rootsmooge versus
5) Groups that needed more control over their stuff were segmented and
firewalled off from other networks (admin, finanace, hr) etc. they would
then have to access any data via proxies.
6) Laptop users aka road warriors had to have 2 factor authentication
via USB etc and they needed it to access their admin accounts. They
would need to periodically bring in their systems for a check to make
sure they were up-2-date on being infection free.

All this took a long time to implement and pretty much always happened
after yet another news story at LANL. [A common slide in many security
presentations is "Don't Be LANL".] My guess is that in many universities
a similar setup may come up over time... it will probably be after a
large lawsuit or some bad press story gets their funding backers asking
why they should continue funding the school if all their 'investment' is
going to be lost to some crackers.

> We also have laptop users who *need* admin rights so they can do any of
> the above when on the road.
> I'm curious as to how the sites which don't give out admin rights at all
> deal with these issues? Are your admins running around installing
> printer drivers etc? Are you making work for yourselves??
> Regards,
> Martin

Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8129  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"

More information about the unisog mailing list