Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Local Admin Access


From: Rich Graves <rcgraves () GMAIL COM>
Date: Wed, 7 Apr 2021 13:43:14 -0500

I think I’ve seen this same admin password discussion before. It’s like déjà vu all over again. Yeah, under no circumstances should there be any sort of 
global shared admin password on end user workstations, especially not one with remote login rights. 10 or so years ago, 
I struck the balance of letting people have a secondary local (not domain) no-remote-login-allowed, 
no-outbound-network-access password for admin elevation, which we recommended reusing as a pre-boot BitLocker PIN, so 
they only need to remember two. Threat modeling at the time said this was ok. Now, with hardware and user expectations 
arguing against pre-boot PINs and this xkcd cartoon https://xkcd.com/1200/ I am actually more OK with letting users 
have admin rights. Provided, and this is very important, that you have some sort of auditing of especially software 
installation and execution. This could be as simple as native publish/subscribe AppLocker allow/deny and/or process 
accounting events, which we started feeding into our SIEM like 10 years ago or whatever. If you have the budget and the 
threat level, a “real” EDR is cool. Just make sure that you audit the audit system, because EDR can be used to run 
arbitrary code! A very solid application distribution system and application streaming and so on may obviate the need 
for admin rights, but dream on.
