Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Local Admin Access


From: John Ramsey <000001cd0b5a1098-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 7 Apr 2021 18:42:46 +0000

We are similar but with a couple variations and technical controls added.


  *   Use LAPS to replace all built-in admin accounts.
  *   Implemented Least Privilege and removed all local admin accounts. For those with approved business needs (and that is only our Infrastructure and Cybersecurity teams), we create a second "a"/admin account.
  *   Through Azure, we enforce an MFA conditional access policy that requires MFA for all admin accounts EVERY time they are used.
  *   Turned on another conditional access policy for "risky sign-ins" where an admin account is denied access if the risk is Medium or High.
  *   We implemented MS Credential Guard to minimize credential loss on endpoints.
  *   We enforce a GPO to wipe out any local admin accounts that might have been added via unauthorized mechanisms or permissions.
  *   Not implemented but about to be: we have a Rules of Behavior attestation that we're having admins sign on what they can/can't do. We already have one in place for users and for remote work. This new one will be for admins.

John

John Ramsey, Chief Information Security Officer
National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220
Herndon, VA 20171
703.742.4428 | studentclearinghouse.org

Serving Education Since 1993
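
Added example (not part of the original message and not any participant's code): a PowerShell audit of the local Administrators group against an allowlist, the check behind the least-privilege and unauthorized-local-admin items in the list above. The function name Get-UnauthorizedLocalAdmin, the host, domain and account names, the SIDs and the "-a" suffix pattern are assumptions for illustration.

```powershell
# Added example; names, SIDs and the allowlist below are constructed.
function Get-UnauthorizedLocalAdmin {
    [CmdletBinding()]
    param(
        # Members of the local Administrators group (Name, SID, PrincipalSource).
        [Parameter(Mandatory)] [object[]] $Member,
        # Exact names approved for local admin rights (assumed policy).
        [string[]] $AllowedName = @(),
        # Wildcard patterns for approved second/admin accounts (assumed convention).
        [string[]] $AllowedPattern = @()
    )
    foreach ($m in $Member) {
        # The local built-in Administrator (RID 500) stays; LAPS manages its password.
        if ("$($m.PrincipalSource)" -eq 'Local' -and "$($m.SID)" -match '-500$') { continue }
        if ($AllowedName -contains $m.Name) { continue }
        $approved = $false
        foreach ($pattern in $AllowedPattern) {
            if ($m.Name -like $pattern) { $approved = $true; break }
        }
        # Anything left was not approved: emit it for review or removal.
        if (-not $approved) { $m }
    }
}

# Constructed sample standing in for: Get-LocalGroupMember -SID 'S-1-5-32-544'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-1111-2222-3333-500';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-4444-5555-6666-512';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe-a';        SID = 'S-1-5-21-4444-5555-6666-1105'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';          SID = 'S-1-5-21-4444-5555-6666-1104'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'PC01\helpdesk2';        SID = 'S-1-5-21-1111-2222-3333-1001'; PrincipalSource = 'Local' }
)

# Report every member that is neither the LAPS-managed account nor on the allowlist.
Get-UnauthorizedLocalAdmin -Member $sample `
    -AllowedName 'EXAMPLE\Domain Admins' `
    -AllowedPattern 'EXAMPLE\*-a' |
    Select-Object Name, SID, PrincipalSource
```

On a managed endpoint, pass the output of Get-LocalGroupMember -SID 'S-1-5-32-544' as -Member instead of the sample. The function only reports; removal stays with the GPO described in the message.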


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Ledbetter
Sent: Wednesday, April 7, 2021 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] [SECURITY] Local Admin Access


The method Chris Gregg explained is exactly how we do things.

Kevin

On Wed, Apr 7, 2021 at 1:24 PM Gregg, Christopher S. <csgregg () stthomas edu> wrote:
We default to not providing admin access. Where possible we use LAPS for short, one-off needs. If a user makes a business case for long-term admin access, we grant the access through a second account so the user is not logged in with an account with admin privileges while doing routine work.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emilie Kunze
Sent: Wednesday, April 7, 2021 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Local Admin Access

We are curious how other institutions handle local admin access for faculty/staff?

Thank you,
Emilie



Emilie Kunze

IT Security Analyst Sr.

Acting Information Security Officer

Office of Information Technology

ekunze () austincc edu | o 512-223-1157



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community



--
Kevin Ledbetter
Systems Security Administrator
Office of Information Technology
1700 Chapel Drive
Valparaiso, IN 46383
219.464.6191
Staff Employee Advocacy Council
Kevin.Ledbetter () valpo edu
