[unisog] Defending Administrative Rights policy

Mike Honeycutt honeycutt at unca.edu
Thu Oct 4 20:06:04 GMT 2007


This is a classic pros and cons list
in my mind.

IT works for the university and needs
to help determine the needs on each campus.
This is tricky since faculty and staff
are hired to do a job and IT doesn't want
to appear to be an obstruction in the mission
of the university.

We all have IT horror stories to justify
locking down machines, but I can't imagine telling 
a Computer Science or Engineering department 
(or Provost, President, etc.) what would and
wouldn't be on the department's PCs.

I don't think there is a one-size-fits-all-campuses
solution but it is fascinating to hear how
schools are approaching this issue.

Mike Honeycutt
UNC Asheville

===============================
 
-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Martin Sapsed
Sent: Thursday, October 04, 2007 11:37 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Defending Administrative Rights policy

Davis,William wrote:
> I am defending our security policy that limits Administrative Rights 
> to IT staff only and am looking for statistics and comments from other peer universities on this policy.
> 
> If anyone would be willing to share any information with me I would be very grateful.
> 
> I am most interested in knowing:
> 1. Do you permit or deny Administrative Rights to general faculty/staff?
> 2. What constitutes an exception to this policy?
> 3. What infections/incidents, or lack thereof, have you experienced?
> 4. If a security incident occurred, what was the cost as a result?
> 5. If you permit Admin Rights, what additional security measures did you put in place or depend on?
> 6. What strategies do you use to enforce a "deny admin rights" policy for higher level administrative positions?

I'm intrigued by this discussion because it's something I'm under a lot of pressure about. A large number of people here *need*
admin rights so that they can

a) format floppy disks (I kid you not!)
b) install printer drivers for the random cheap printer they've just bought
c) install random bits of software

We also have laptop users who *need* admin rights so they can do any of the above when on the road.

I'm curious as to how the sites which don't give out admin rights at all deal with these issues? Are your admins running around
installing printer drivers etc? Are you making work for yourselves??

Regards,

Martin

-- 
Martin Sapsed				
Microcomputer Support Manager
IT Services                          "Who do you say that I am?"
Bangor University                          Jesus of Nazareth
