Administrator access on work machines has been a concern in my department.
Besides the onslaught of operating system, software, printing problems, and
security concerns that arrive due to giving everyone administrator access,
there are also licensing concerns.

Most of the computers and laptops are department owned, and we would like to have
all of the software properly licensed. It is impossible to track software
licenses when users are able to add software at any time.

Because of changing IT logistics due to the recent surge in mobile laptops,
we have developed a paper copy of an Administrator Rights Agreement form for
those who need these account rights. We also have an Acceptable Use of
Computer and Campus Network form. Besides their main user account that is
set up on the laptops, I create a second administrator account on the
laptops for them to be able to use only when they need to make changes
on the road.

Timothy Woods
Information Technology Professional
Michigan State University
School of Social Work and Department of Anthropology
254 Baker Hall, East Lansing, MI 48824
517-432-2195
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Richard Wiggins
Sent: Monday, November 19, 2007 3:00 PM
To: [log in to unmask]
Subject: [MSUNAG] How do you manage Administrator access for your users?
I'm curious how folks manage access to Administrator accounts. One piece of
advice is to create a general user account and use it at all times except
when you need to install a program or make another system change. That way
it's harder for spyware or other malware to break in.

My question is whether those of you who manage fleets of machines give your
end users access to the Administrator account, even if you encourage users
to follow the above advice.

You may have noticed that ACNS will be updating the SSL VPN to support Mac's
new Leopard operating system. Whenever the SSL VPN is updated, users need
to upgrade the Java client installed on their computers, and this requires
admin access. (See http://servicestatus.msu.edu/status_detail.php?id=1995)
Obviously you'd want to avoid the scenario where your user is on the road
and needs to update the client but they don't have Administrator access.

There are other examples. Once I was using a loaner laptop and could not
connect to a Wi-Fi network on the road because it was not an encrypted
network, and Windows demands Administrator access to connect anyhow.

During last Friday's wireless test folks needed to be sure they had a Java
VM installed, and to install a speed test applet.

Or maybe you need to upgrade software for some reason while on the road.

OK, enough examples -- I look forward to hearing how you handle this.

/rich