Educause Security Discussion
mailing list archives
Re: Non-administrator advantages / disadvantages
From: Chuck Braden <j-braden () TAMU EDU>
Date: Sat, 1 Dec 2012 16:32:53 +0000
Chuck Braden <j-braden () tamu edu> wrote:
I see both sides of this issue. However, I am not sure what poses the bigger risk.
In this age, users (especially higher ed users that should be able to understand the 'EDUCATION' part) can't just be
passive participants - they have to have some basic awareness of how to maintain the tools they need to perform their
job just like anyone else. Organizations should have a continual training program in place that raises awareness about
the most basic responsibilities that accompany use. That being good email/password practices, routine software updates,
installation of properly licensed software that is necessary to perform a business function, and holding these
individuals accountable when they get it wrong.
Do all faculty/staff need admin access? No, probably not. Some might require it due to the accessibility/availability of
support staff, while other institutions might be able to rely on WSUS and group policies, which should reset any
changes in local policies that potentially were altered by the local admin account anyway.
Most malware can still infect limited accounts now. Yes, the impact is less and cleanup is usually less involved. But
not providing admin is no longer the benefit it used to be.
I see some value in not having a user logged in as admin at all times, which also aligns with least privilege
guidelines. However, I recognize the issue with having a limited account for general access and an admin account for
software updates (and the less than ideal unique password selection that could be a side effect).
As for myself, my general limited ID is the only one that is defined in Active Directory, so I can't effectively
accomplish my job (no drive mapping to server storage) when logged in as admin. While I acknowledge that has some
drawbacks with the management of the password expiration of the local account from Active Directory, as the group policy
is setting the global password expiration and complexity/length for all accounts on the workstation, the admin account
is not likely to be ignored.
And as I understand it, there now are tools to manage passwords on local workstation accounts, but I don't have any
personal experience with them.
For my needs/use, I believe my implementation provides the benefits of both environments. But, YMMV.
Geoffrey Steven Nathan <geoffnathan () WAYNE EDU> wrote: