A fight for my rights!
February 7, 2011 10:35 AM

Please help me retain administrative rights on my work PC.

At my workplace, only those who have a reason for administrator rights to their machines get those rights. "I want it" or "it would be a pain in the ass not to have it" are not reasons. You have to make a case for why such rights are necessary for your work.

This policy is reviewed any time a person gets a new machine or changes operating system. Last week IT sent around an email informing all Vista users that they could have a Win 7 update if they wanted it. I do, but I have administrative rights on my Vista machine, because I got this computer before the policy of limiting those rights was enacted.

What sorts of reasons could a humble college professor give that would necessitate having administrative rights to his office PC? I can't live with a hobbled PC. I'm too prone to tweaking and customizing. But I would like to move to Windows 7. Any ideas? What are some things that a person might want/need to do that can't be done without administrative rights?
posted by Crotalus to Computers & Internet (34 answers total) 1 user marked this as a favorite
 
If you could tell us what you teach, that would probably be helpful in justifying a reason.
posted by Brandon Blatcher at 10:38 AM on February 7, 2011


Not a reason, but can you document how many service calls you have had with the helpdesk while having your admin rights?
posted by kellyblah at 10:39 AM on February 7, 2011 [1 favorite]


Find a program that's absolutely necessary to your work that won't work properly without administrator rights. That is, either create or get someone to create a little custom program for you that has that property, and that looks like it's relevant to your field.

(Note: I do not do any programming myself, so I can't determine if that would be a ridiculously huge project, but I remember from my college days that user assistants who helped professors were constantly complaining about all the custom programs that they had to work around, so I don't think anyone would think it odd to find one on your machine.)
posted by ocherdraco at 10:42 AM on February 7, 2011


Response by poster: I'm a social scientist. I use a statistics package, but the stats I use are not advanced. I keep all my files on Dropbox. I synch my phone and a Samsung Galaxy Tab. I never need IT because I have administrative rights. But if I didn't I'd be a pain in their ass asking them to install utilities, change fonts around, delete icons, etc. I'm not sure if wearing them out with calls to the help desk would finally cause them to relent.
posted by Crotalus at 10:47 AM on February 7, 2011


Can't you ask some folks who have admin rights what their reasons were for getting it and use one of those lines (maybe tweaked for your purpose?)
posted by bitdamaged at 10:47 AM on February 7, 2011


Do you have to be an admin to install software? If so tell them you are evaluating a number of software packages for use next semester and need to be able to install and remove them.
posted by bitdamaged at 10:49 AM on February 7, 2011


Depends a bit on how restrictive the user rights are without admin access. Here at work, you can't install ANY software (even stuff like Acrobat Reader), run a system tool like Defragger, or change your screen/wallpaper background without the admin password. If you have some justifiable reason for needing third-party software as part of your research etc, or wanting the freedom to run a simple scan or defrag without having to call IT, that might fly.

And, of course, there are ways to get around pesky stuff like that, at some risk naturally.
posted by elendil71 at 10:50 AM on February 7, 2011


There are only two valid reasons to have admin rights. 1. A program you need will not run without it. 2. see 1 above. All of the little tweaks that you want or like are not valid, but you already know that. Since the trend is toward centralized control/administration/security/ etc. IE Remote access for installs and patches, the less you mess with it the better it is for IT types.
posted by Gungho at 10:54 AM on February 7, 2011


I never need IT because I have administrative rights. But if I didn't I'd be a pain in their ass asking them to install utilities, change fonts around, delete icons, etc. I'm not sure if wearing them out with calls to the help desk would finally cause them to relent.

I work in IT, in part supporting social scientists, and am a former social scientist myself. Asking your IT staff to install programs is a legitimate use of their time, because that's what they do, and if they don't want users to have admin privileges, then they're prepared to do it for you. And really, once Dropbox and the synch programs are installed, there's no need for admin privileges for their ongoing use. Our team also restricts users from being administrators, and, in fact, aside from installing applications, we've never found a user who truly needed admin privileges for ongoing functionality. So, it may be worthwhile to just accept it and use your professional IT staff's support as needed, and reconsider if it actually turns out to be a burden on you.

That said, if you really just can't bear to be without admin privileges, the responsible thing to do—and I recommend trying this tack with your IT staff—is to not use an admin account as your primary account. Rather, keep your regular account as a standard user, and have a secondary local admin account that you use to authenticate only when admin privileges are necessary. Your IT staff's principal concern for limiting admin use is security; PCs are infinitely more vulnerable to malware and other crapware when the user is running as an admin. Using a standard account negates those concerns, and having the secondary admin account lets you tweak. With Win 7, you never even have to log in with the admin account (nor should you); you can simply authenticate with it to do what is necessary.
posted by The Michael The at 11:02 AM on February 7, 2011


There are only two valid reasons to have admin rights.

At the risk of derailing, I'm not so sure I agree. There's a certain value in allowing employees to work in an environment that they find pleasant, and much of that is related to the ability to customize that environment and make it feel like it's their own.

Rather, I'd argue that there's only one valid reason for locking down systems: The holistic cost to the organization of leaving things unlocked is greater than the benefit. If Crotalus would not be a support burden, if s/he would feel happier and more productive with administrative rights, and if there aren't mitigating factors such as legal concerns, then I'd be willing to bet that granting rights would be in everyone's best interest. And that's the tack I would take, were I in Crotalus's shoes.
posted by SemiSophos at 11:13 AM on February 7, 2011 [1 favorite]


Response by poster: For IT people, would making a case for administrative rights like one that SemiSophos proposes succeed in your shop? I'm sure my department chair (and dean) would chime in and agree that allowing me to use my computer as I see fit is important to me.
posted by Crotalus at 11:23 AM on February 7, 2011


With Win 7, you never even have to log in with the admin account (nor should you); you can simply authenticate with it to do what is necessary.

Er. If you have UAC enabled, it's perfectly OK to do this. Quite comparable to the 'sudo' system used by Mac OS and most Linux distributions these days. Even if you're logged in as a user with Admin privileges, programs are not given admin rights, unless they are specifically elevated via UAC.

Using a normal account as your everyday login might be a bit better, because you're reprompted for an admin account/password whenever UAC wants to elevate an app, although I think you'll find that the security benefits to this approach are quite minimal.
posted by schmod at 11:26 AM on February 7, 2011 [1 favorite]
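
The split-token behaviour described in the comment above can be observed directly. The following is an added example, not part of any commenter's post; the function name `Get-UacTokenReport` is made up for illustration, and it assumes the built-in `whoami.exe` tool and the standard `EnableLUA` policy value are available.

```powershell
# Added example (not from the thread): report how UAC has shaped the
# current process token. Read-only; it changes nothing on the system.

$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-UacTokenReport {   # hypothetical helper name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when Administrators is an *enabled* group in this token,
    # which is the case for an elevated process (or when UAC is off).
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group carried in the token, including groups that
    # UAC has filtered to deny-only. Match on SIDs, because group names and
    # attribute text are localized.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $adminGroup = $groups | Where-Object { $_.Sid -eq $AdminSid }
    $integrity  = $groups | Where-Object { $_.Sid -like 'S-1-16-*' }

    # EnableLUA = 1 means UAC is on; 0 means admins always get a full token.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA `
                    -ErrorAction SilentlyContinue).EnableLUA

    if (-not $adminGroup) {
        $state = 'Standard user: Administrators is not in the token'
    } elseif ($elevated) {
        $state = 'Administrator, elevated: full token'
    } else {
        $state = 'Administrator, not elevated: filtered token'
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 that
    # ships with Windows 7.
    New-Object PSObject -Property @{
        User            = $identity.Name
        State           = $state
        AdminGroupAttrs = $adminGroup.Attributes   # e.g. deny-only vs. enabled
        IntegrityLabel  = $integrity.Name          # Medium vs. High level
        IntegritySid    = $integrity.Sid           # S-1-16-8192 / S-1-16-12288
        UacEnabled      = ($enableLua -eq 1)
    } | Select-Object User, State, AdminGroupAttrs, IntegrityLabel,
                      IntegritySid, UacEnabled
}

Get-UacTokenReport | Format-List
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" to compare the filtered and the elevated token for the same account.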


Can you elaborate on how strict regular user privileges are in your department? I work in an academic setting with similar restrictions, and it honestly almost never comes up. My status allows me to adjust my desktop wallpaper, add/delete icons from the desktop, change font settings, and even add add-ons to Firefox whenever I want. If I want a free program installed (or if I want a program updated when they haven't pushed the update out to all users yet), they're quick to do it for me without question.

Perhaps they're more strict in your department, but I can definitely understand them wanting to tighten the reins on people, not necessarily you, who are too quick to fill their machines with garbage-ware.
posted by scarykarrey at 11:28 AM on February 7, 2011


Response by poster: We cannot add/delete/rename desktop icons. We cannot install a printer driver, active X control, font, etc.
posted by Crotalus at 11:29 AM on February 7, 2011


There's a certain value in allowing employees to work in an environment that they find pleasant, and much of that is related to the ability to customize that environment and make it feel like it's their own.

There's also an increased support cost associated with that customization when support staff wind up having to help folks with vastly different configurations\desktop environments. Whether or not Crotalus is one of those users, it's a perfectly valid reason for not granting end users administrative privileges.

I know where I work (I'm the guy tasked with implementing our user policies), management doesn't consider making someone happier a mitigating circumstance, no matter how I feel about it. We distribute most of our standard applications automatically, obviating the need for administrative rights, and reserve exceptions mostly for developers who need to manually install\uninstall applications frequently.
posted by JaredSeth at 11:30 AM on February 7, 2011


Tell them you have software which requires monthly updates that requires admin rights. Most IT people want less work, not more, and as long as your computer is not junked up they won't think twice about doing it.
posted by tke248 at 11:31 AM on February 7, 2011


After refreshing, even I'll admit that sounds a bit draconian. The driver/control/font parts don't surprise me (the first two because they're both potential vectors for malware and the latter because MS stores fonts in the Windows directory) but not being able to add shortcuts to your desktop? That's a bit much.
posted by JaredSeth at 11:34 AM on February 7, 2011


I had the same dilemma at work and solved it in two ways. One, by letting the IT staff know that I would be continually evaluating software packages and therefore always installing/uninstalling things, and Two, by refusing to hand in my laptop to get "upgraded" and having my policy changed. I know you want the upgrade to Win7, but I'm happier with my privileges and, so far, IT has left me alone because I don't burden them with malware/tech problems and because I've justified my reasoning with really good results, so management leaves me alone despite the IT dept. Now, after a little time, I have a "live and let live" status with IT and I still get upgrades - but maintain my admin status. Get a good relationship going, but don't back down on what's really important to you.
posted by alchemist at 11:49 AM on February 7, 2011


How about you just include the apparent fact that you are competent to administer your own machine, as evidenced by your support history. And perhaps it would be in order to remind them that they are "support", not the show. IT can have a way of twisting things around so folks act like an organization exists to employ IT. Failing that, tell them to get their shit out of your office, and put in your own box.
posted by Goofyy at 11:53 AM on February 7, 2011 [1 favorite]


And perhaps it would be in order to remind them that they are "support", not the show.

Um, no. The IT department at any institution does, in fact, run the show. It is their network, their environment, their tools, and they can lock down said tools and equipment as they see fit.

For IT people, would making a case for administrative rights like one that SemiSophos proposes succeed in your shop?

Not even remotely. There is a vast difference between "using your machine as you see fit" and "tweaking fonts, resolutions, and other things to make things look the way I want them to", and the former is, in a nutshell, why machines are locked down in the first place.

To oversimplify greatly, let's say that there are five machines in your office network. Each of those machines has been set up to run five programs, the same programs on each machine. The IT staff then has an easily serviceable model - they have five configurations to support, but each one is essentially the same so in reality they're delivering one thing to all users and maintaining one thing.

Now, say that the user of one of the machines makes a case to be set up as an admin on the machine they use. This particular user only really ever uses four of the five installed programs, so s/he figures "I'll just uninstall Program 5, because I never use it and it's in my way".

But if Program 5 shares settings, data, or any configuration with Programs 1-4, then you've broken your configuration, and now, going forward, the administrators have two profiles to maintain. Multiply this across a 20+ machine network, and you can see that it's unsustainable to allow people to do whatever they want to their machines, from a support and maintenance standpoint.

Failing that, tell them to get their shit out of your office, and put in your own box.

Again, no. One of the points of having a network is (oversimplifying again) to provide an environment in which multiple machines operate all necessary programs as efficiently as possible, and if people bring their own machines in, and that machine does not conform to the minimum specs of the network, it will not work efficiently.
posted by pdb at 12:19 PM on February 7, 2011 [5 favorites]


Do you use programs written by others in your field? A collaborator will send data in an unusual format, so I'll have to find and install a utility written by a grad student or professor to change the formatting. New algorithms for data analysis are being published constantly in my field and these are required by the journals to be available for others to use, so if I want to keep up, I get a lot of programs that way. I can't see the IT staff stopping by at 9 pm, when I realize I need a small program to finish something up for a deadline.

Maybe you have similar needs? When you review a manuscript, you might need to get the software that the authors used to make sure the statistics were done correctly, for instance. Maybe you need to test some simulation software for your teaching.
posted by SandiBeech at 12:20 PM on February 7, 2011 [1 favorite]


Stoneweaver's got it. If they will allow you to stay on Vista, do so.
posted by pdb at 12:24 PM on February 7, 2011


Why not cultivate a contact in IT? In most organizations, IT is a cost, and owns nothing; there are certainly as many geeks who respect your desire for control as there are employees who imagine they produce anything. The former may help you gather facts or provide examples of other successful superusers.

Your business case basically is all about money, money, money. Figure out the increased support cost for you not to have admin, including the dollar value of your unproductive time while you wait for IT to show up to do what you need.

If neither of these things work, either opt out by using your own hardware, or don't go for the upgrade. What does Win7 do that Vista won't?
posted by Hylas at 12:56 PM on February 7, 2011


There's also an increased support cost associated with that customization

Absolutely. I'm not arguing that there's no cost to allowing users to admin their own boxes, but rather that the administrative savings must be greater than the employee's loss in productivity in order for there to be a compelling economic case. I'm not sure what the balance is for Crotalus, but at the end of the day, if locking him down costs the organization more than it saves, then it doesn't make sense.
posted by SemiSophos at 1:10 PM on February 7, 2011


The desktop icon thing is veering into BOFH territory. If your department head makes a stink, you'll probably eventually get your way.


I'm an IT guy, and that all sounds nuts. When we have users who make these requests, we first make sure that they are not going to use admin rights to blatantly misuse their systems (ie. they have a vague notion of how to operate a computer), then make them promise to be careful, make lots of backups, and understand that we will re-image their system if they do manage to completely gunk it up.
posted by schmod at 1:59 PM on February 7, 2011


As an IT support person myself, I agree with limiting administrative access to end users for many of the reasons others have provided above.

It's important to remember that this computer, though you use it, is not yours. The powers that be are entitled to manage it as they deem necessary in order to maintain a consistent and predictable (as possible) support environment. Assuming your IT department is competent, timely, and reasonable, I would think you could get by just fine without the administrative access.

If it's still an issue for you, bring in your own PC and do the majority of your work on it, off domain.
posted by karizma at 2:10 PM on February 7, 2011


I'm a social scientist in a university setting.

In an environment as locked-down as you describe, I would be sorely tempted to just write off IT as (like much in the realm of university administration) primarily a hindrance rather than a service, install my own OS w/ an admin and normal account, and go from there. The downside would be that you would have to manage your own PC.

I think the real answer to your question, though, is that if your Vista install is stable, then Win7 doesn't really add enough new to the picture to be worth a hassle dealing with IT. I'd leave well enough alone.

If you really want the hassle, ISTR people having a lot of trouble getting R to work well in a really locked-down setting. So you might start using R.

Again, no. One of the points of having a network is (oversimplifying again) to provide an environment in which multiple machines operate all necessary programs as efficiently as possible, and if people bring their own machines in, and that machine does not conform to the minimum specs of the network, it will not work efficiently.

Almost every university in the country will allow students to connect wirelessly from any laptop, so that argument doesn't hold the slightest bit of water in this context. They are, with virtual certainty, already allowing a wide array of machines with a variety of OSes and running a wild mix of software to use the network.
posted by ROU_Xenophobe at 2:15 PM on February 7, 2011


The same thing happened to me about 2 years ago. They changed our computers, had a new policy and I lost admin access. So I politely contacted them every time I needed new software installed.
And updated.
And a file copied to that folder I couldn't access.
And eventually they gave me access to an admin account so I could manage it myself.

(And now I can delete that annoying Adobe Acrobat icon that pops on my desktop every update)

But I don't think tweaking my system would have been reason enough to get it.
posted by domi_p at 2:21 PM on February 7, 2011


I'm currently part of IT at a university and understand what you're facing here. One of the biggest hurdles we face in our department is securing our campus, while also ensuring that the same PCs can be usable for learning and all sorts of things that will help teach our students.

I think in order to effectively argue your desire to have local administrator rights, you first have to have the right perspective. And you'll only gain that perspective by having a real working knowledge as to why they're reducing rights in the first place.

Firstly, this isn't IT being against you, or more specifically is not a case of not trusting you. The target of distrust is actually much simpler than that, and is directly towards administrator rights itself. Having administrator rights opens up a Pandora's box of vulnerabilities that most computer users have no idea even exist. Because universities are traditionally open, they are common targets for malicious programmers. We are the low laying fruit, and all it takes is a simple misclick to accidentally kick off a worm that can spread through the network to steal private data, SSNs, etc depending on the computers affected. With admin rights you're particularly susceptible to rootkits (which are pieces of software that are able to get to the core of your operating system and virtually hide all of their activities). Rootkits often get past up to date virus scanners with the greatest of ease. Yep...it's something to keep you up at night....

This is one of the reasons we're seeing Windows 7 as a saving grace for helping solve this issue, as it is much more friendly to non administrators. It's an opportunity to allow the paradigm of secure computing without causing as much inconvenience as previous operating systems would have...

But we're being a bit more cautious about it at my university. We've looked into software based escalation services such as Avecto and Beyond Trust, which will help allow us to reduce our vulnerability footprint, while also help ensure that we're not taking too much usability. (the workaround until then is a local administrator account that's used only when needed). What we've ultimately ended up with is a site licence for Beyond Trust's Powerbroker...which allows us to escalate rights and features within each desktop to allow software and features within basic user rights. This makes the escalation specific....allowing the good things, and casting aside the bad stuff.

Even within our own department we want to remove ourselves from having administrator rights as our default account right. For day to day activities running as admin is just not a wise thing to do, especially with internet access. Virus scanners only pick up a fraction of threats, and even less of the 0 day vulnerabilities. For our faculty, we're facing the possibility of stolen faculty credentials. For example, if you teach in a lab and log into a PC there with a keylogger, a student could get your credentials and log in as you to change their grades. If you're an administrator of your PC they could also connect to your PC's admin share (\\mypc\c$) and steal anything you have stored there....like test answers etc....or simply drop files on your hard drive remotely that'll run when you boot up next time. Without admin rights, that part would not be possible...and the student would have less leverage. If you don't believe this is happening, ask your IT department if there have been cases....it's very likely they've had to respond to some already.

So this has to be your perspective on this issue. It's not IT vs. faculty. And they're very likely *not* intending to make your computer experience harder or more frustrating. This is a well needed paradigm shift. You're going to have to acknowledge that you understand the risks to your PC and the PCs within your network if you get a worm or virus. You have to acknowledge that you're not above getting infected, even though you might not regularly go on the internet (with SEO exploits it's easy to get infected these days without knowing, even while doing innocent google searches). Granted Windows 7 is far more secure as an OS than its predecessors. But there are still risks, and there are unknowns that get more sophisticated by every passing day. (following CERT reports is enough to make anyone paranoid)

Opt for a local admin account if possible. And agree to only use it when you want to make a change. Another option, if you want full control of a PC environment...see if they would be willing to install a VirtualBox on your machine that you would be fully responsible for if things go bad. The worst thing to do is to create tension over this change, as you can bet they're already bracing for resistance. No one likes their "rights" being taken away. But work with them on this....it's likely something you and IT can work to solve together, while also making the local network safe for everyone else. See if you can get them to look at products such as BeyondTrust or Avecto to lessen the impact of reduced rights to academic software. Also see if they might allow you to run your own copy of Windows within a NAT'ed VirtualBox that you can tinker with and reinstall on your own if needed.

If they're anything like our dept, they'd be happy to help make things usable that need to be used.
posted by samsara at 2:25 PM on February 7, 2011 [2 favorites]


The simplest (but not cheapest) option is to obtain your own copy of Win7 and do the upgrade yourself.

Last time I dealt with this (IT staff not realizing that a prof should be trusted with his own computer) I dual-booted the thing with Linux, so I could do whatever the heck I wanted with it without their intervention. When I left the position, I removed the Linux partition and left the system just as locked down as it was when I found it.
posted by caution live frogs at 2:35 PM on February 7, 2011


I think in order to effectively argue your desire to have local administrator rights, you first have to have the right perspective. And you'll only gain that perspective by having a real working knowledge as to why they're reducing rights in the first place.

They're reducing your rights because it makes their lives easier in one way or another, and because they can.

I get the security arguments. But this argument about denying admin rights to faculty boxes isn't remotely defensible as a serious measure unless the university is also requiring all those boxes in the dorms to be locked down, and (to a lesser extent) all those laptops that use the wireless network to be locked down. In an environment where there are already many, many boxes connected to the network that already have admin access and that are self-managed by clueless people, an argument that I can't be allowed to install my own software is just unsupportable. It's taking away my scissors so I can't cut myself while at the same time I'm bleeding out from my femoral.

So this has to be your perspective on this issue. It's not IT vs. faculty. And they're very likely *not* intending to make your computer experience harder or more frustrating.

I don't know where Crotalus works and I've never had to deal with these sorts of jerks myself, but this is not universal. I've known / heard from people where IT insisted on taking someone's box for several days to install a piece of software, or where IT wouldn't install (free) software because they doubted the need for it (R, if I recall, or even a specific R package -- we have SPSS for that, so you shouldn't need that), and so on.

I don't doubt that you're in one of the good shops or that there are way more good shops than bad shops. But there exist bad shops.
posted by ROU_Xenophobe at 3:08 PM on February 7, 2011


Response by poster: I get the security arguments. But this argument about denying admin rights to faculty boxes isn't remotely defensible as a serious measure unless the university is also requiring all those boxes in the dorms to be locked down, and (to a lesser extent) all those laptops that use the wireless network to be locked down.

This is underscored by the fact that at our university, faculty who opt for laptops over desktops have admin rights. You can't lock down a computer that the user takes from work to home and back. (I'd rather not go the laptop route because they are far less powerful than the desktop client they offer.) Also, Mac users have admin rights. And no one is even talking about coming after my administrative rights now. It only becomes an issue when I want to change OS or machine. That is why, with all apologies to IT folks, I think that our IT folks are more interested in reducing their workload than they are about security.
posted by Crotalus at 3:35 PM on February 7, 2011


They're reducing your rights because it makes their lives easier in one way or another, and because they can.

I hear ya Xeno. We desktop folks get that feeling from time to time when the server team makes changes that dictate our abilities to support things. It really comes down to communication of what's being changed, and why that change is occurring. Without that common courtesy there's an instinctive reaction to feel threatened or defensive over the change. Lack of communication builds mistrust....every time. This is definitely a sensitivity issue, and we've learned where I work to take it very seriously. (Lack of communication appears to be the case where the OP works as they're reducing rights the "hard way" by just getting it done. Not the way we'd approach it by a long shot.)


Here's the deal however, there's more to the reduced rights story. Many universities are facing impending state driven audit requirements as well that are going to force all IT departments to reduce admin rights very soon anyway. It's not just a case of random computer geeks wondering how they can make their own lives easier at the expense of others. In all honesty reducing admin rights is a painful and time consuming process for all parties involved. It requires testing...retesting...tweaking...workarounds...basically a plethora of things that have usually made us give up in the past and accept the risk of users as local admins.

The cons of not doing so outweigh the pros for everyone...even tho it's not readily seen...and that's the main challenge IT folks face, is getting the message across about what is at stake. Believe me when I say that any IT department is looking out for their entire company/university when reducing admin rights, not just themselves...reduced rights can often be more work than the alternative.

An incident like one of the few that have happened at Penn State not only makes their IT department look bad, it makes the university look bad as a whole as they have to do a full disclosure. The disclosure makes parents and students alike question whether they feel their identities are safe by enrolling. Not something to be taken lightly. Granted Penn is an example of a compromised system in a sensitive area....a uniform lowering of admin rights is still the way to go because it's hard to know what risks are involved until they are exposed.

I don't know where Crotalus works and I've never had to deal with these sorts of jerks myself, but this is not universal.

Sadly I have to agree. It's hard being an optimist when I see other IT depts hiring people that have no customer support skills or concept of good communication/work ethics. I have at least one BOFH within my own department.....it's a work in progress I hope to help remedy someday :)
posted by samsara at 3:46 PM on February 7, 2011


At the last business network I ran, I gave anyone who really wanted it full local admin access, on XP and Vista boxes, and then I immediately blocked their IP and MAC addresses from anything but DHCP and very local network addresses at the first managed switch that handled their traffic. They could do anything they liked with their local machine, and they even got a private IP network address, and maybe some domain services on small subnets (printers, etc.). But no traffic from that machine across the business network, or to outside networks (Internet), until/unless they accepted a hardware firewall between that machine and the network, that ran my rules/filters/policies (or equivalents on the switch). A $25 Netgear SOHO router on their desk, managed remotely only, was a cheap, quick end to such discussions, generally. The list of "crisis point" users was never more than single digits in a network of a few hundred users, and they were quickly isolated from the network anytime it was necessary, from a central management station, until I got around to figuring out what Trojan they'd gotten, that was trying to recruit them into yet another Russian slave network.

You might suggest that to your IT department. They maintain unilateral control of their network and security, and you maintain control of your desktop; as the kids say these days "win/win."
posted by paulsc at 5:00 PM on February 7, 2011

