Local admin rights on TELA laptops


Alan at Wadestown School

Jul 26, 2016, 3:35:21 PM
to Techies for schools
Q1. What's the consensus on this? Do teachers have local admin rights on their teacher laptop at your school?

Q2. What are the risks of this (in your understanding)? Obviously this will increase the risk that malware can mess up that particular laptop but are there wider risks than that, for example for the servers?

Thanks
-----------------
My answers:

A1. At my school they do have admin rights for reasons of convenience but the BoT are questioning this.

A2. The malware can operate from the laptop in an unrestricted manner and attempt to attack other parts of the network from there. Servers might be at risk due to privilege escalation bugs. Shared folders accessible to the teacher are at risk. Is it worse than that?

Blake Richardson

Jul 26, 2016, 4:29:34 PM
to Techies for schools
We are not a TELA school (Private), but for our staff they have two accounts: their normal everyday account, which is a standard account, and an admin account if they need to install software or updates. The choice is always a double-edged sword, i.e. security over ease of use.

We are a Mac school and therefore less susceptible to viruses and spyware, which is why we allow it; if we were a PC school I would probably say no.

Craig Knights

Jul 26, 2016, 4:51:13 PM
to techies-f...@googlegroups.com
We are a TELA school, using Macbooks, the staff do have local admin.  They did have local admin back in our PC days (2003-2012), but I'm not sure if I would do it now.

I'm interested to see others' responses as it's something I've thought about many times over the years.

Craig

On Wed, Jul 27, 2016 at 8:29 AM, Blake Richardson <bla...@stmargarets.school.nz> wrote:
We are not a TELA school (Private), but for our staff they have two accounts: their normal everyday account, which is a standard account, and an admin account if they need to install software or updates. The choice is always a double-edged sword, i.e. security over ease of use.

We are a Mac school and therefore less susceptible to viruses and spyware, which is why we allow it; if we were a PC school I would probably say no.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nick Steenson

Jul 26, 2016, 5:00:12 PM
to techies-f...@googlegroups.com
I'm in the same boat, TELA School, staff mostly have local admin rights, as it would probably double my workload if I had to install individual applications for individual teachers manually.

I'm also interested in changing this; ideally I'd be able to grant temporary installation rights, or have an "installation request" sent to my inbox for approval (or perhaps to a few IT-savvy people, to avoid dependency on one IT tech).

Haven't researched anything yet.

Nick

Alistair Baird

Jul 26, 2016, 5:00:18 PM
to techies-f...@googlegroups.com
Allowing them local admin rights on the laptop (to install software, printers etc) is not allowing them admin rights on the network. In the case of malicious code, if it gets access to the local machine, then it could use that machine's trusted relationship to cause havoc on the servers, but then code that does that is probably sophisticated enough to just use a normal account to gain access to the local system account and go further from there.

It depends on how much you want to have to support your users (in having to install stuff). Having good antivirus software is a must. Education is the best defense (read all the boxes and uncheck all the toolbars etc. that often come with free software), perhaps even regular (automated) software audits to check there is nothing suspect.

Malware can come from USB devices - I remember a few years back where a virus was spreading via the school's digital cameras, so once a machine was cleaned up, they kept getting infected until they realised the virus was using the removable drive of the USB camera connections to spread.

--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 990 259

Nick Steenson

Jul 26, 2016, 5:02:38 PM
to techies-f...@googlegroups.com
Even better if it kept a "white-list" of applications able to be installed without admin access...

Nick

Matthew Strickland

Jul 26, 2016, 5:35:55 PM
to Techies for schools
My users have local admin access on their PC. Ransomware (like CryptoLocker) and newer malware/nagware are engineered not to need administrator rights, i.e. they run as the standard logged-in user, so this makes no difference.

Firewall and other settings can be locked out or managed externally (like using Symantec).

However, there is a policy setting I change, so the UAC prompts for a password instead of just Yes/No. Then you can warn/advise staff that if you are asked for your password for something, think about why or what is asking for elevated permission. Most people with Yes/No just click Yes without thinking.

Monitoring endpoint protection software state, firewall etc is scrutinised more on users with local admin access.

Matt

Alan at Wadestown School

Jul 26, 2016, 5:45:00 PM
to Techies for schools
Hi Matthew, that's a really good idea. That sounds like how it works on a Mac. What's the relevant group policy setting? Thanks

Matthew Strickland

Jul 26, 2016, 6:33:10 PM
to Techies for schools
Sure, check:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Assuming your users are admins: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Change to: Prompt for credentials on the secure desktop.

Or Google "UAC prompt credentials" for registry methods to do the same thing :)

Matt
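The registry method Matthew alludes to, as an added example that is not from the thread: it sets the same UAC values the Group Policy setting above writes, then verifies them so a tech can spot drift. Run it from an elevated PowerShell session on the laptop (or push it as a startup script); a change to EnableLUA needs a reboot to take effect.

```powershell
# Added example: apply and verify "Prompt for credentials on the secure desktop"
# for administrators in Admin Approval Mode, via the policy registry key that
# the GPO setting itself writes to.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented values of ConsentPromptBehaviorAdmin:
#   0 = elevate without prompting
#   1 = prompt for credentials on the secure desktop   <- what we want
#   2 = prompt for consent on the secure desktop
#   3 = prompt for credentials (no secure desktop)
#   4 = prompt for consent (no secure desktop)
#   5 = prompt for consent for non-Windows binaries (Windows default)
$Desired = @{
    ConsentPromptBehaviorAdmin = 1   # ask for a password, not a Yes/No click
    PromptOnSecureDesktop      = 1   # dim the desktop so the prompt cannot be clicked through
    EnableLUA                  = 1   # UAC must be on, otherwise the two values above are ignored
}

function Set-UacCredentialPrompt {
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $Desired[$name] -Type DWord
    }
}

function Test-UacCredentialPrompt {
    # Returns $true only if every value matches; warns about each value that drifted.
    $ok = $true
    $current = Get-ItemProperty -Path $UacKey
    foreach ($name in $Desired.Keys) {
        $actual = $current.$name
        if ($actual -ne $Desired[$name]) {
            Write-Warning "$name is '$actual', expected $($Desired[$name])"
            $ok = $false
        }
    }
    return $ok
}

Set-UacCredentialPrompt
if (Test-UacCredentialPrompt) {
    'UAC now prompts admins for credentials on the secure desktop.'
}
```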

Matthew Strickland

Jul 26, 2016, 7:25:57 PM
to Techies for schools
Just as a follow-up, one disadvantage is that if you allow biometrics for logon, this also allows it for elevated privileges, so users can swipe their finger instead of typing in a password.

I don't think there is a definition between logging on and elevated permissions after logon unfortunately. Only a few of us use biometrics.

Matt

J B

Jul 26, 2016, 7:57:45 PM
to Techies for schools

No local admin rights here, but secondary local admin accounts are granted to team leaders, so that if a staff member needs to install stuff they go to a lead teacher. TELA laptops are on the domain. Just adding that level of justification to an install stops abuse, and not running as admin prevents all sorts of agony.

Having no local admin means that a lot of stuff does not end up getting through to the system itself and just breaks the profile. Sure, some stuff gets through, but it helps.

Sent from my Windows 10 phone


Alan at Wadestown School

Jul 26, 2016, 8:20:41 PM
to Techies for schools
> No local admin rights here

What if a teacher wants to install their home printer on their TELA laptop? How does that work?

J B

Jul 26, 2016, 8:35:49 PM
to Techies for schools

If it's modern and USB, Windows will just install the drivers off Windows Update automagically. If it comes with lots of extra rubbish, it's best not installing it anyway. Letting home gear be installed is an extra anyway, and opens the school up to paying for expensive home ink and paper as opposed to cheap laser toner.

It is a school/work device; installing all their personal home gear is not really its purpose. You end up with teachers filling their hard drives with personal files and phone backups, then complaining they need a space upgrade because it can't cope. They can generally cope fine if used for their work purpose.

Sent from my Windows 10 phone


Patrick Dunford

Jul 26, 2016, 9:18:55 PM
to techies-f...@googlegroups.com
Give them a standard account and require the UAC popup with a separate admin account.

Andrew Godfrey

Jul 26, 2016, 11:21:08 PM
to techies-f...@googlegroups.com
On 27 July 2016 at 07:35, Alan at Wadestown School <alanja...@gmail.com> wrote:
Q1. What's the consensus on this? Do teachers have local admin rights on their teacher laptop at your school?

Yes, our staff do have local admin access.
 
Q2. What are the risks of this (in your understanding)? Obviously this will increase the risk that malware can mess up that particular laptop but are there wider risks than that, for example for the servers?


There is no elevated risk to folder shares on servers, as permissions are set dependent on the username accessing the share and not their permissions on the local machine.

The increased risk is mainly to the laptop rather than the servers and the laptop can be quickly imaged and data restored from backups if it is too time consuming or impossible to fix the existing installation.

_______________________________________
 
Andrew Godfrey  |  Network Manager

Sue Way

Jul 27, 2016, 4:32:02 PM
to Techies for schools

We are a Windows school. Teachers have TELA laptops and I give them Local Admin rights via group policy.

I have had no problems with staff. I make sure that IT has a really good relationship with staff, and they are always welcome to come to the IT office.

We have only had an issue with a couple of laptops/staff, usually inadvertently, but a bit of education and having to go without a laptop for a day while we re-image it, and they have never had the issue again.

Sue Way | IT Services Director

Wellington Girls' College |

Julian Davison

Jul 27, 2016, 5:36:38 PM
to techies-f...@googlegroups.com
I think it's very important to manage expectations around software install on staff laptops. I have seen a number of schemes successfully deployed, from 'non-IT staff don't have admin access' to 'some non-IT staff have admin access on their own machine' to 'all staff have admin access on their own machine'.
There is an important distinction both between shared-use and single-user machines (the former having a more significant impact if admin access breaks the operation) and between work computers and home computers. Particularly with TELA laptops it is wise for the school to cover the leasing cost and to consider them a standard business tool. Similar rules apply to staff laptops as to any other school-owned device: it's for school use, and its content (files) must adhere to the standard school code of conduct.
Both staff-as-admin and IT-only-admin have potential nightmare scenarios in terms of support, which is where expectations come in. If IT do everything, then there must be some expectation of timely turnaround (for staff) and that the requests are reasonable and work-related (justifiable).
My experience suggests that in many schools a fair percentage of the staff have no particular interest in admin access. They just want a computer that works reliably. The majority of major issues, in my experience, with staff-as-admin are caused by staff members' children, often acting directly against their parents' wishes!

I'd suggest/favour a system which allowed for staff to have admin access to their machines, but as an opt-in. This provides an opportunity to discuss with each staff member some of the implications and things to be wary of.

J,


Andrew Godfrey

Jul 27, 2016, 6:00:08 PM
to techies-f...@googlegroups.com

On 28 July 2016 at 09:36, Julian Davison <jul...@davison.org.nz> wrote:
My experience suggests that in many schools a fair percentage of the staff have no particular interest in admin access. They just want a computer that works reliably. The majority of major issues, in my experience, with staff-as-admin are caused by staff members' children, often acting directly against their parents' wishes!

I'd suggest/favour a system which allowed for staff to have admin access to their machines, but as an opt-in. This provides an opportunity to discuss with each staff member some of the implications and things to be wary of.

That system sounds like a good idea, Julian. I might have to ponder how this could be applied so that a teacher is added as local admin automatically on their own machine, but on any other machine is added as a standard user. Have you implemented this at CBHS?

Julian Davison

Jul 27, 2016, 6:07:24 PM
to techies-f...@googlegroups.com
Not at CBHS, but I've certainly achieved this elsewhere with Group Policy. It depends on how your OUs are structured, but if staff machines are separate (or you can otherwise filter for your GPO access) then it's fairly easy to add it at an appropriate level. It's not normally specific to a teacher but group-based, which also offers the 'opt-in' facility by virtue of being a member or not.

WHS Techs

Jul 27, 2016, 7:02:43 PM
to Techies for schools
We run with this option.
Standard user by default; if you come up and see us we make you local admin on your device.

You can create a package if you have SCCM or some other deployment tool to allow your staff group to add themselves as local admin if they need/want it:
net localgroup administrators /add whs\staff
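Whichever of the opt-in schemes above is used (Julian's group-based GPO or WHS Techs' deployment package), the thing a tech needs afterwards is a way to check who actually holds local admin on a given laptop. The following is an added example, not from the thread; it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 / PowerShell 5.1 or later. 'WHS\ICT Admins', 'WHS\Domain Admins' and 'WHS\jsmith' are placeholder principal names for your own domain groups and the device's opted-in owner.

```powershell
# Added example: audit the local Administrators group against an allow-list, so an
# "admin on request" model can be verified rather than assumed. Placeholder names
# ('WHS\...') stand in for your own domain groups and the device owner.

function Get-UnexpectedLocalAdmins {
    param(
        # Principals permitted in the local Administrators group on any school device.
        [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator",
                               'WHS\Domain Admins',
                               'WHS\ICT Admins'),
        # The opted-in owner of this device (e.g. 'WHS\jsmith'); leave empty for a shared machine.
        [string]$DeviceOwner = ''
    )
    if ($DeviceOwner) { $Allowed += $DeviceOwner }

    # Get-LocalGroupMember reports names as DOMAIN\name or COMPUTER\name;
    # -notcontains is case-insensitive, so casing differences in AD do not cause false alarms.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Repair-LocalAdmins {
    # Removes whatever the audit flags, e.g. a whole staff group that a deployment package
    # added, or a local account a previous owner created. Run from an elevated session.
    param([string]$DeviceOwner = '')
    foreach ($m in Get-UnexpectedLocalAdmins -DeviceOwner $DeviceOwner) {
        Write-Warning "Removing $($m.Name) ($($m.ObjectClass)) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}

# Report only; pass the opted-in teacher so their own account is not flagged.
Get-UnexpectedLocalAdmins -DeviceOwner 'WHS\jsmith' | Format-Table -AutoSize
```

Run the report from a scheduled task or your deployment tool and collect the output centrally; only call Repair-LocalAdmins once you are happy the allow-list matches your opt-in records.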

Alan at Wadestown School

Jul 29, 2016, 5:34:35 PM
to Techies for schools
Hi,

Thanks very much for your responses. It was helpful and instructive (and also interesting) to read how other schools handle this.

I've now implemented the group policy UAC change that Matthew mentioned.

And I'll consider changing to a 'local admin on request but not by default' policy.

Alan