Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Non-administrator advantages / disadvantages
From: Chuck Braden <j-braden () TAMU EDU>
Date: Sat, 1 Dec 2012 16:32:53 +0000

Chuck Braden <j-braden () tamu edu> wrote:
I see both sides of this issue. However, i am not sure what poses the bigger risk.
In this age, users ( especially higher ed users that should be able to understand the 'EDUCATION' part) can't just be 
passive participants -they have to have some basic awareness of how to maintain the tools they need to perform their 
job just like anyone else. Organizations should have a continual training program in place that raises awareness about 
the most basic resposibilities that accompany use. That being good email/password practices, routine software updates, 
installation of properly licensed software that is necessary to perform a business function, and holding these 
individuals accountable when they it get it wrong.

Do all faculty/staff need admin access? No probably not. Some might require it due to the accessability/availability of 
support staff, while other institutions might be able to rely on wsus and group-policies, which should reset any 
changes in local policies that potentially were altered by the local admin account anyway.

Most malware can still infect limited accounts now. Yes, the impact is less and cleanup is usually less involved. But 
not providing admin is no longer the benefit it used to.

I see some value in not having a user logged in as admin at all times, which also aligns with least privilege 
guidelines. However, i recognize the issue with having a limited account for general access and an admin account for 
software updates ( and the less than ideal unique password selection that could be a side effect).

 As for myself, my general limited id is the only one that is defined in active directory so i can't effectively 
accomplish my job ( no drive maping to server storage), when logged in as admin. While i acknowledge that has some 
drawbacks with the managment of the password expiration of the local account from active directory, as the group policy 
is setting the global password expiration and complexity/length for all accounts on the workstation, the admin account 
is not likely to be ignored.

And as i understand it, there now are tools to manage passwords on local workstation accouts now, but i dont have any 
personal experience with them.

For my needs/use, i believe my implementation provides the benefits of both environments. But, ymmv.

Geoffrey Steven Nathan <geoffnathan () WAYNE EDU> wrote:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]