Educause Security Discussion mailing list archives

Re: Lab Computers, Research & Administrative Rights


From: Ronald King <ronald.king () MORGAN EDU>
Date: Tue, 12 Jun 2018 08:56:54 -0400

At my previous shop, DeepFreeze was used and very effective.

At Morgan, we have two classifications of systems, academic and
administrative based on state auditor perspective. We were hit hard by the
state for allowing admin to everyone, so, we removed all admin rights
except for IT support personnel to all systems. IT support are granted
admin to administrative classified systems. Students, in general, are not
permitted admin rights, but, we do grant lab attendants and faculty
granting only to those systems classified as academic, such as lab and
research systems.

I've heard good things about makemeadmin. We plan to test it out to help
bridge the gap Faculty often encounter when working with systems we
classify as administrative.

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Wed, Jun 6, 2018 at 11:43 AM, Dan Wasson <dan () nmc edu> wrote:

Another plug for Deep Freeze.  We have been using it for about 15 years
and have it installed on about 600 computers used primarily by students.
It is a fantastic tool that has saved countless hours of time.

Dan



*Dan Wasson*
*Director Systems & LAN Management*
*Northwestern Michigan College*
*231-995-1164*
*dwasson () nmc edu <dwasson () nmc edu>*

*Don't be a scam victim - NMC and other reputable organizations will never
use email to request that you reply with your password, social security
number or confidential personal information.*

On Wed, Jun 6, 2018 at 10:58 AM, Barton, Robert W. <bartonrt () lewisu edu>
wrote:

We...
- Segment off the machines whenever possible.
- Deep Freeze is used on the PCs.
- MakeMeAdmin (https://makemeadmin.com/
<https://urldefense.proofpoint.com/v2/url?u=https-3A__makemeadmin.com_&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=MN_yqzluLpFQRqUgIv9tcw7SdfjXTgOxmUug2uMPO3s&s=VddFIfDcUvs-0mVeA0F_2WQ_cq9mMFD6OQGTEwssa1Y&e=>)
-  We have not started to use it here, but we have been talking about it in
certain circumstances, being needed.

- Any access to the 'research' machines require a special AUP be signed.
- Access to those machines is limited in AD; we've limited what machines
specific AD users can log into.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hahues, Sven
Sent: Wednesday, June 6, 2018 9:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Lab Computers, Research & Administrative Rights

Hi everyone,

I wanted to find out if some of you could share what some of the
approaches you have taken when handling shared computers, such as devices
used in labs that are hooked up to research equipment where faculty/staff
and students may need to have administrative rights.

We have been in the process of removing administrative rights, and if the
computer is loaded by central IT, students do not have administrative
rights.  We have been getting an increasing number of requests to allow for
this to happen and are hesitant to do so.

Could you guys share some of your approaches?

Thanks,

Sven

Sven Hahues
Florida Gulf Coast University
Director, ITS Helpdesk, Network Services & Security
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu

This message (including any attachments) is intended only for
the use of the individual or entity to which it is addressed and
may contain information that is non-public, proprietary,
privileged, confidential, and exempt from disclosure under
applicable law or may constitute as attorney work product.
If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this
communication in error, notify us immediately by telephone at
(815)-836-5950 and
(i) destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication.

Thank you.




Current thread: