Educause Security Discussion
mailing list archives
Re: Non-administrator advantages / disadvantages
From: "Shalla, Kevin" <kshalla () UIC EDU>
Date: Fri, 30 Nov 2012 21:48:38 +0000
A few have admin rights now, and there's a stampede by others to also get it, so we're considering granting it to many
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven
Sent: Tuesday, November 27, 2012 3:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Non-administrator advantages / disadvantages
Most users don't require anything above basic user privilege to do their jobs. If you give them administrator rights,
you are giving up control of their machines. The users can install any software, bypass group policy and possibly gain
domain admin rights (if a domain admin logs in to their machine). They will also be much more vulnerable to malware.
Most malware requires administrator privilege for full functionality because admin rights are needed to install device
drivers, put a network card into promiscuous mode or install a new service.
Prohibited software can span a pretty wide range: games, P2P software, unlicensed/pirated software, personally owned
software. You need to worry about performance/compatibility problems, security issues, copyright.
What's the context behind your question? Do your users have admin rights now? Are you considering granting or taking
away admin rights for everyone or just some users?
Steven Alexander Jr.
Online Education Systems Manager
3600 M Street
Merced, CA 95348-2898
alexander.s () mccd edu
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla,
Sent: Tuesday, November 27, 2012 12:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Non-administrator advantages / disadvantages
I'm trying to highlight the advantages and disadvantages of prohibiting administrator access for users of Windows
computers. Can you provide feedback on what I have below? By the way, what's an example of software that is generally
prohibited? Is BitTorrent an example? Is it common?
Most malware stays on one user profile, so other users on the same machine are unaffected. Deleting the profile can remove
the malware. Prohibited (by policy) software doesn't get installed. Combinations of software known to be problematic
are not installed (like multiple active versions of antivirus).
User cannot install or update some software immediately - have to wait for desktop support.