Library IT News

Entering content area for Library IT News

blog posts

  • Practicing Best Practices

    For the past week and counting, I've been using a best practice for IT security and administration: not being an administrator. It's never been a secret that I oppose making individuals administrators at their request. It makes things much more involved to troubleshoot and usually just leads to more complicated work in resolving the problem. Admin rights can also make a malware infection so much worse since the entire computer can get infected instead of just the responsible person's profile. Given the state laws that require even free software to have campus approval, individuals do not have the knowledge available to know whether they can install a particular software title. In most cases, that removes what Admin rights are requested for.

    A week without admin rights. How can I remove those privileges as system administration duties are my chief responsibilities? I removed my primary NetID from our admin Security groups and created a replacement AD user that has admin rights. I login all the time with my usual NetID unless I am specifically doing something admin related and then log off when it's completed. I can also use the RunAs trick to do admin tasks without having to log off of my normal NetID. This is a great education experience in learning context and has had minimal slow-down on my workflow thanks to a few scripts I've made to launch the tools I need as the admin account (after authentication).

    While this switch isn't perfect because many of our other tools are tied to my NetID like Active Directory, Group Policy, OTRS, and other web tools, the primary concern of being infected is prevented by giving up my admin rights. There hasn't been anything I need to do that I couldn't do without switching to the Administrator context. The extra pause gives time for reflection on whether something really needs to be installed, working much like Vista and Windows 7's UAC.

    I would put forth the idea that nobody's NetID should ever be given admin rights to their machine upon request. Instead, an admin account can be created that they don't log into all the time but instead use RunAs when necessary, if admin rights are to be doled out in the first place. If I can go without admin rights and complete all of my responsibilities then few others should need to be admins all the time, in my opinion.

additional blog information