[unisog] Defending Administrative Rights policy

Davis,William William.S.Davis at ColoState.EDU
Thu Oct 25 15:04:33 GMT 2007

The following is a summary of the Administrative Rights Survey that I posted a couple weeks ago.  Thanks to all who responded!  I have tried to condense the various comments into a semblance of categories.  If you have specific questions, please feel free to contact me via my email address listed at the bottom.

Administrative Rights Survey Results:

36 North American Universities/Colleges

General Policy on granting local administrator privileges
24 Default Deny
12 Default Permit

If policy is to deny admin privileges, are exceptions allowed?
17 Yes
5 No
2 N/A

What constitutes an exception?
12 Business need
 3 Not connected to staff Windows Domain or staff network
 2 Self managed or requested by user

What constitutes "Business Need"?
Laptops used in mobile environment
Specialized software requiring admin rights to run
Software requiring frequent updates that is not managed centrally
Anyone making a request

If policy is to permit admin privileges, are exceptions made to remove rights?
6 Yes
0 No
6 N/A

What circumstances result in loss of privileges?
Abuse/repeated infections
Sensitive data
New employees/student employees
No business need
Multi-user systems

Significant Infection (15 respondents):
4 with 0 infections - default policy deny local admin rights no exceptions
2 with 0 infections - denied local admin rights only on staff networks

5 with 0 infections - exceptions allowed for business need
2 with 2 or more infections - exceptions allowed for business need

1 with 2 or more infections -default policy permits local admin rights
1 with 10 or more infections - default policy permits local admin rights

General Comments supporting Policy of Deny:
Attacks are more sophisticated and have changed from vandal to thief
Significant Infection allowed change to "Deny" policy
Education is especially effective after a compromise
Required less support time/Reduced load on Help Desk
IT staff or users with exceptions must have 2 accounts
  both admin and non-admin, used appropriately.
Issue was really customer service, granted exception only if all other
  options exhausted
Require approval signature for exceptions
Require signed user agreement for exceptions
Require user education for exceptions
Must submit needs analysis for non-standard software requiring exception
Exceptions permitted only on non-staff networks

General Comments supporting Policy of Permit:
Policy easier to administer, remove if abuse detected
Only for single user computers
Must have patches, anti-virus/anti-spyware
Must balance risk versus user need
User perception of need made deny policy difficult

William S. Davis
Network Security Administrator
SANS security certifications:  GSEC,GCIH,GCFW,GCIA
Housing Technology Services
Colorado State University
William.S.Davis at colostate.edu

More information about the unisog mailing list