[unisog] Defending Administrative Rights policy

Paul FM paulfm at me.umn.edu
Fri Oct 5 18:02:29 GMT 2007

One side note.  If your users need admin rights to format a floppy disk, then 
there is something wrong with the configuration of the machine (there is a 
security policy which allows interactive users to format removable disks).

On our side (this is only one department), we have over 60 applications (some 
with multiple versions - for example Proe [3 versions], Ansys [3 versions], 
Moldflow [3 versions]) which are useable on pretty much every one of our 
Windows Machines.  We absolutely don't allow admin access to any desktop 
machines with multiple users (and those one user laptops we allow admin 
access, are NOT on the domain - I get an e-mail every time any administrator 
logs on to any managed machine).   We do allow people to run their own 
machines (of course they become responsible for it and have to adhere to the 
overall University policies about connecting machines to the network).
We also basically firewall (within reason) our entire network against the 
rest of the University and the Internet (really cuts down on problems - P-P, 
external break-ins, etc).

Of course - if you are really serious about these sorts of policies - you 
should enforce them on your home machine as well (I run my personal home 
machine following the same policies I use at work - including an external 
firewall to the internet).  It will make you understand how those policies 
affect a regular user and help you understand when exceptions are needed (and 
when they really aren't).

Mike Honeycutt wrote:
> This is a classic pros and cons list
> in my mind.
> IT works for the university and needs
> to help determine the needs on each campus.
> This is tricky since faculty and staff
> are hired to do a job and IT doesn't want
> to appear to be an obstruction in the mission
> of the university.
> We all have IT horror stories to justify
> locking down machines, but I can't imagine telling 
> a Computer Science or Engineering department 
> (or Provost, President, etc.) what would and
> wouldn't be on the department's PCs.
> I don't think there is a one-size-fits-all-campuses
> solution but it is fascinating to hear how
> schools are approaching this issue.
> Mike Honeycutt
> UNC Asheville
> ===============================
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Martin Sapsed
> Sent: Thursday, October 04, 2007 11:37 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Defending Administrative Rights policy
> Davis,William wrote:
>> I am defending our security policy that limits Administrative Rights 
>> to IT staff only and am looking for statistics and comments from other peer universities on this policy.
>> If anyone would be willing to share any information with me I would be very grateful.
>> I am most interested in knowing:
>> 1. Do you permit or deny Administrative Rights to general faculty/staff?
>> 2. What constitutes an exception to this policy?
>> 3. What infections/incidents, or lack thereof, have you experienced?
>> 4. If a security incident occurred, what was the cost as a result?
>> 5. If you permit Admin Rights, what additional security measures did you put in place or depend on?
>> 6. What strategies do you use to enforce a "deny admin rights" policy for higher level administrative positions?
> I'm intrigued by this discussion because it's something I'm under a lot of pressure about. A large number of people here *need*
> admin rights so that they can
> a) format floppy disks (I kid you not!)
> b) install printer drivers for the random cheap printer they've just bought
> c) install random bits of software
> We also have laptop users who *need* admin rights so they can do any of the above when on the road.
> I'm curious as to how the sites which don't give out admin rights at all deal with these issues? Are your admins running around
> installing printer drivers etc? Are you making work for yourselves??
> Regards,
> Martin

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
