Is this uni claim reasonable? It doesn't sound so to me
February 3, 2024 6:17 AM

Just a short one. I've had a PC provided by the university since 2018. Today they e-mailed me about the following which sounds like nonsense...

The computer has the "admin" login, which is to say, the way you would log on to your own computer. They now declare, after 6 years of them giving me this computer, that this is now a major security risk and I translate, "every code snippet in your browser or Office can take on admin privileges" and therefore endanger 4000 university computers.

This is nonsense scaremongering, right?
posted by Pyrogenesis to Computers & Internet (31 answers total)
 
I can’t speak to the specific technical claim, but university IT departments are increasingly demanding control over faculty and staff computing resources. While some of this is bureaucratic overreach, it is true that a more unified security approach is necessary to avoid various disasters like ransomware attacks and the like.

My question would be “shouldn’t I have a computer less than 6 years old?” and see who should issue you a new one.
posted by GenjiandProust at 6:23 AM on February 3 [26 favorites]


Sorry, I should have added: it really doesn’t matter whether their assertion is strictly true or not, since, if you aren’t in compliance with their policies, they can almost certainly suspend your machine’s access to university systems.
posted by GenjiandProust at 6:27 AM on February 3 [2 favorites]


Mac/Linux person so I would defer to others, but the bulletin may be prompted by a poor setup regime circa when your PC was provisioned for you. It could be that they set it up where some people use an account with admin privs? Just renaming it and using the high-privileged account as the daily driver.

It would be interesting to know if there were next steps in the bulletin. Are they asking for the hardware back, saying that an automatic update will occur, or that accounts will be denied access to the uni network, etc.?
posted by drowsy at 6:28 AM on February 3 [6 favorites]


…also +1 to what GandP posted above.
posted by drowsy at 6:32 AM on February 3 [1 favorite]


Response by poster: "My question would be “shouldn’t I have a computer less than 6 years old?” and see who should issue you a new one."

I'm actually gonna go with this one lol, thanks :D
posted by Pyrogenesis at 6:33 AM on February 3 [7 favorites]


It's not nonsense.

It's very surprising that an organisation with 4000 users would hand you a computer with admin rights in the first place. If I were them I would be taking the machine back or withdrawing admin privileges as soon as possible.

Even if some of their rhetoric could be overblown.
posted by Klipspringer at 6:34 AM on February 3 [22 favorites]


Let me give you the opposite perspective, from private industry -- I remain shocked that my login to the machine provided by my current job has admin privileges. My computers at previous jobs were absolutely not like that, which meant installing most software required permission from IT ahead of time or even with them standing literally beside you.
posted by AbelMelveny at 6:37 AM on February 3 [6 favorites]


Response by poster: Just to clarify, the admin privileges are just to my computer. Maybe this is the part I don't know about. I thought I didn't have any special admin access to university networks or anything. It's just like, if I were to buy my own PC, that would be the login. I think this part is what I don't get. Is that really so unsecure?
posted by Pyrogenesis at 6:39 AM on February 3


Response by poster: I'm a bit more interested in the entire thing now. If any of you have links about this I'd appreciate it (no I'm not gonna hack my university). But, is it really the case that if I have admin access to my computer, then I have some sort of a better access to the university network? It is this part that sounds implausible to me, but then again I don't know anything...
posted by Pyrogenesis at 6:44 AM on February 3


By nature of your work, you likely have privileged access to at least some university resources. You could get owned (phishing is generally most likely, but potentially by installing something bad using admin privileges) and then your computer would become a way for a bad actor to use your access to get access to those resources.

It's not that you having admin access on your computer changes that access you have in your university's network, it just makes it easier for you to accidentally get owned by someone who uses you to that end.
posted by wooh at 6:46 AM on February 3 [5 favorites]


It's more that your account having admin privileges provides malware with a more effective springboard into the rest of the network, compared to a more restricted account.
posted by june_dodecahedron at 6:48 AM on February 3 [24 favorites]


+1 to what june_dodecahedron said.
tl;dr no, they're definitely not being unreasonable, and no (professional, experienced) IT team would set up users with admin/root privileges (there are exceptions to that but as a general rule).

Here's a couple of quotes from stackexchange on the subject; the whole discussion is worth reading if you're interested:

Local Admin access means that it is easier for the attacker to establish persistent control of the host, to install software and modify system settings, and to take actions like sniffing the network that may allow it to move laterally onto other systems.

So, yes, it is a danger to the network, in that it provides the attacker with more stable access to a more capable platform for lateral movement.


----------------------------------

Admin access means you can run certain privilege-requiring tools. Packet sniffers are one mentioned by others. Another example is an ARP-spoofer/poisoner for MitM attacks, or an mDNS/NBT-NS impersonator (e.g. Responder). Generally any tool which requires low-level network access, or the ability to open certain protected ports, is more likely to require admin access.

Also, being a local admin vs a non-admin means you are going to be able to access certain things on that machine which could allow you to pivot to others, e.g. using mimikatz to dump stored AD passwords, access the full registry on Windows, install keyloggers cross-account (i.e. as a daemon/service), etc.

It's honestly night-and-day having admin access or not; it's the reason things like OSCP focus so heavily on learning privilege escalation, and not just gaining an initial foothold.

posted by underclocked at 6:52 AM on February 3 [10 favorites]


Is that really so unsecure?

So, I mean, yes. Basically, if you're using an unrestricted admin account all the time and you make a misstep (clicking the wrong link in an email, trusting the wrong installer), malicious software could introduce itself, and because it's running under an admin account (yours), it has the run of your device. This is one way intrusions begin. It could, for instance, start using your email client to send phishing messages to other folks in your institution under your name. If your account has more limited privileges, so does the malicious software.

Two hospitals in my area, Lurie Children's and Saint Anthony, have had ransomware incidents in the past two weeks. This sort of thing can be tremendously expensive--potentially millions of dollars--and tremendously disruptive. Lots of employers are looking at tightening up their cybersecurity practices.
posted by pullayup at 6:52 AM on February 3 [8 favorites]


Response by poster: Thanks all. I didn't realize that by just giving me this PC the uni gave me a possible attack vector. It's also kind of odd that they realized it now after six years. But, thanks for all your comments, I'm gonna do what they recommend now.
posted by Pyrogenesis at 6:55 AM on February 3 [6 favorites]


Maybe the best way to think about it is if you imagine that with admin access, it's possible for someone to gain control of your computer and do all the same malicious things that they could do if you, like, let someone into your office and gave them all your passwords.

At my organization (a small software company, not a university, which means our IT department is willing and able to grant us more leeway), I get admin privileges on my computer but I am strongly encouraged to use a non-admin login for day-to-day work. So I have mskyle and mskyle-admin - for most of my work I use the mskyle login but when I want to install something or do updates, I need to either switch accounts or at a minimum re-enter the mskyle-admin password. No one from our IT department actually checks in on this, so I could use the admin account all the time if I wanted, but it's a good practice that I've actually extended to my home computer.
posted by mskyle at 6:56 AM on February 3 [2 favorites]


Sounds like this is all resolved, but just chiming in to add my voice to the chorus of "yes, it really is so insecure". It's absolutely this:
It's more that your account having admin privileges provides malware with a more effective springboard into the rest of the network, compared to a more restricted account.
posted by number9dream at 6:56 AM on February 3


I’m new to higher ed and my role is IT-adjacent and something I’ve realized is that higher ed institutions are a) continually under attack (at least public ones) because of the nature of both the visibility and lately, the cachet for taking down liberal institutions, b) sometimes under resourced in IT and c) can have very high-value information, including personal, financial, and research.

So basically this is my plea to be kind to your infosec team.

B) makes it so it doesn’t surprise me they are getting to this now. Someone probably did an audit.
posted by warriorqueen at 6:59 AM on February 3 [11 favorites]


Response by poster: So basically this is my plea to be kind to your infosec team.

I just told them thank you and that I will follow their recommendations. :)
posted by Pyrogenesis at 7:01 AM on February 3 [8 favorites]


I'm not in IT, though I have lightly followed discussions in this area over the last year, with the increase in attacks on higher ed, especially the University of Michigan attack. Something I've seen discussed is the Zero trust security model, which (because I am not in IT) I hadn't read about, but which does seem to account for various large and small policy changes I've read about at many institutions.
posted by cupcakeninja at 7:03 AM on February 3


I work at a university and people do unintended things all the time that create risk - mostly small risks, but occasionally very large ones. There is no such thing as "we trust YOU because you are tech-aware and therefore YOUR admin privileges will remain, while we take them away from James because James never met a link he wouldn't click", it always has to be a uniform policy.

Part of my job is department-level risk management (much less powerful than that sounds) and honestly, yes, every time we tighten up requirements, it is frustrating to people in general and it can legitimately interfere with business processes, at least until the new requirements get integrated into people's planning and calendars. It's not my favorite thing.

It also really does mean that a lot of very low-risk stuff around the edges gets forbidden and that is also frustrating for people, but again, it is virtually impossible to make exceptions in such a way that people won't make mistakes or impatient people won't work to game the system. People who don't think in terms of risk are always, always trying to sneak around the regulatory process - for understandable, relatable reasons, not bad reasons! - and the more relaxed you make it, the more you guarantee that someone is going to be in a hurry to complete an experiment or make a hire and then something goes wrong.
posted by Frowner at 7:03 AM on February 3 [5 favorites]


I would say that if not having admin permissions backs you into a corner where you can't do your work, that's a problem that your information services folks do need to address, and it's reasonable to run it up the chain of command until you get a reasonable answer.

There is definitely a thing that happens where the cybersecurity folks are like "lock everything down" but the desktop support department is never given tools to make that actually work for users. Like, if they think it's ok for you to use the same version of a particular frequently-updated software package for years on end without updates, or, worse, don't allow the software you need because it hasn't met some impossibly high cybersecurity vetting standard (or can't reasonably be expected to meet that standard, because it's freeware and the "vendor" can't demonstrate that they have $5MM of cybersecurity insurance, this has happened to me!), well, that is a real problem.
posted by pullayup at 7:11 AM on February 3 [6 favorites]


Giving me admin privs caused a National RedFace Incident in the mid 1990s. I had been put in charge of a mighty server to store copies of Genbank the DNA database, and software for accessing and analysing those sequences. My job was to make these resources available to Irish researchers.
Ireland was a poor country then and a net consumer of internet resources. It was a source of interest and a little pride when a manager at the National Academic Network Hub noticed a large blip of out-going traffic - the country was at last providing the world with something useful. The Hub sent a congratulatory message to my Institution, who tracked the source of traffic to my server and asked "what gives?". I was baffled.
With a lot of help from local IT effectives it transpired that I'd set up an FTP-server to facilitate sharing of DNA data but set the privs to allow read and write access to all. An enterprising anarchist had uploaded some pirated Microsoft products and other tasty resources and let it be known that everyone could stick-it-to-the-man by downloading stuff from my server. I learned a lot on that job - mostly by making mistakes.
posted by BobTheScientist at 7:31 AM on February 3 [16 favorites]


I used to be a university IT manager. If you use Office, email, the web, and various MSoft utilities - paint, notepad, whatever - it's a security problem for you to have full administrator rights, and for the administrator account to be available to you. This is easily remedied. If you use one or more of the many complex special purpose applications that many university folks do, you may need admin access occasionally, or your uni should make sure they can respond promptly and competently to requests when things are updated, new data sets are needed, whatever.

In my experience, uni staff and students will do lots of unwise things, exposing themselves and the uni to risk, or just breaking things (if you blacklist the uni domain, you won't get email from anybody there, you'll blame IT and be unpleasant; you will look stupid). You can get ransomware that will be v. expensive to remove, you can expose data (faculty member helpfully put his personal .mp3s in a public folder, could have been expensive DRM fines). Word docs can and do contain executable malicious code.

It sounds like the letter was poorly written, may have some overreach, used scare tactics, and was not clear, but states a legitimate need. Lots of people in IT can barely construct a sentence, and often expose their incivility. You probably need a new laptop anyway, or at least more RAM. See if there's a reasonable way to comply without losing all your privileges and maybe keep that one game you really like for stress relief.
posted by theora55 at 8:30 AM on February 3 [2 favorites]


To address your point of "if I bought my own pc" - this is actually best practice for your own pc as well. I don't mean that you shouldn't have admin privileges at all, but that you should have two separate accounts, only one of which has admin privileges, and the other one is for daily use. (Windows makes this pretty easy - even while logged into one account, you can run applications as a different user and any applications you try to install will ask for the admin password.)

(This is the same approach mskyle described, only applied to a pc that you own.)
posted by demi-octopus at 8:52 AM on February 3 [6 favorites]
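The two-account setup mskyle and demi-octopus describe, as an added example (not code from anyone in this thread): a PowerShell script that reports whether the account you are logged in as is a member of the local Administrators group, whether the current shell actually holds an elevated token, and then creates a separate standard account for daily use. It assumes Windows 10/11 with the built-in LocalAccounts cmdlets; the account name passed to the last function is a placeholder of your choosing.

```powershell
# Added example, not from any poster in the thread: audit the "admin account as
# daily driver" situation the OP's university objected to, and apply the
# two-account remedy. Assumes Windows 10/11, PowerShell 5.1 or later, with the
# built-in Microsoft.PowerShell.LocalAccounts module. Account names are constructed.

function Get-LocalAdminReport {
    # Every direct member of the local Administrators group.
    # Note: membership granted via a nested domain group is listed as that
    # group (ObjectClass = Group), not expanded into individual users.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member      = $_.Name             # e.g. COMPUTER\alice or DOMAIN\alice
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

function Test-DailyDriverIsAdmin {
    # True when the logged-in account is a direct user member of Administrators,
    # regardless of whether this particular shell is UAC-elevated.
    # This is the condition the thread calls "using the admin login every day".
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $adminUsers = Get-LocalAdminReport | Where-Object ObjectClass -eq 'User'
    [bool]($adminUsers | Where-Object { $_.Member -ieq $me })
}

function Test-ShellIsElevated {
    # A different question: does *this process* hold an elevated token?
    # An Administrators member in a normal (UAC-filtered) shell gets False here,
    # which is why the membership check above is the one that matters.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-StandardDailyAccount {
    # The remedy from the thread: a second, non-admin account for day-to-day work.
    # Run from an elevated shell. The existing admin account is left alone and is
    # reached via "Run as different user" or the UAC password prompt when needed.
    param([Parameter(Mandatory)][string]$Name)
    $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-LocalUser -Name $Name -Password $pw -Description 'Daily-use standard account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $Name
    # Deliberately NOT added to Administrators.
}

# --- report ---
Write-Host "Logged-in account:             $env:USERDOMAIN\$env:USERNAME"
Write-Host "Daily driver is a local admin: $(Test-DailyDriverIsAdmin)"
Write-Host "This shell is elevated:        $(Test-ShellIsElevated)"
Write-Host "`nDirect members of local Administrators:"
Get-LocalAdminReport | Format-Table -AutoSize

# To create the standard account (elevated shell required), e.g.:
# New-StandardDailyAccount -Name 'alice'   # 'alice' is a placeholder name
```

If the report says the daily driver is an admin, the fix is to keep working under the new standard account and use the original one only when an installer or update actually prompts for it.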


Response by poster: Thanks all, you've been immensely helpful!
posted by Pyrogenesis at 9:13 AM on February 3 [1 favorite]


My experience with my university IT at a private university (as a faculty member) is that they are pretty reasonable, not overly focused on blanket policies, and will grant admin access -- but they do want to hear legitimate reasons for pushing back against their policies. (I'm not actually sure if they even won't grant it by default here, though in my position as tenured faculty I may see their less draconian side.) They are definitely concerned about malware/ransomware, but I actually think an overriding concern in the US is the FERPA law (and if relevant, which it likely is if there's a med school, HIPAA). There's various forms of mitigation they can do that aren't denying admin rights (e.g. my work laptop is a managed device with an encrypted disk that can be remotely wiped, but I have a local admin account, and our IT have focused quite a bit on email/phishing resistance, as well as enterprise login security). So I do think there's potentially room to try to push back if you do need admin access, and your school is anything like mine (ymmv...)

It's also kind of odd that they realized it now after six years

At my institution, even 6 years ago, things were drastically different with respect to device security. I don't even think they required managed devices then; around then and earlier I could walk into the campus store with a budget number and just take away a boxed computer if I wanted. Things have changed very rapidly, both in the security landscape, and the regulatory landscape. From what I understand, a turning point for us was when an unsecured/non-managed laptop with a really unfortunate amount of FERPA-protected info, owned iirc by a registrar staff member, was lost... The scale and relative sophistication of the phishing attacks we experience has also noticeably changed even within 6 years.
posted by advil at 9:20 AM on February 3 [4 favorites]


It's actually good that your school IT team is on top of the situation and wants to take preventative action. A lot of school IT teams are manned by volunteers and students and infosec is relatively low priority. However, with the prevalence of phishing kits and even "malware as a service" widely available to bad actors, EVERY institution is finding out that being unprepared for cyberthreats is counterproductive. It takes just one connected PC (local or remote) to infect the network, and modern ransomware does not discriminate.
posted by kschang at 11:08 AM on February 3 [3 favorites]


To give you some perspective on just how tight IT security can and should be in some instances, I work for US Bank and, as a bank, our IT security is...tight.

I don't have admin rights on my workstation and there are precious few settings that I can change other than cosmetics. Only bank provided computers can attempt to connect to the network (MAC addresses are whitelisted) and it has to be either physically connected, which just requires the user's username and password (and the password requirements are fairly extensive), or via the VPN, which requires the logon and a token (typically with a US Bank specific phone app).

I can only install whitelisted programs on my workstation and I can only get those applications from the internal bank repository. Every piece of data on every workstation is routinely scanned for personal customer information and other sensitive information that could be a problem, and systems are in place to notify those users and require them to take appropriate action. Or owners of SharePoint sites that might have improperly stored data. If I do need to store that kind of sensitive information (and my team has to retain a lot of testing data for compliance and audit purposes) I have to have a special secured remote enclave or a special SharePoint site with heavy restrictions on its access (especially downloading data).

To me, this is how it should be for any large organization where information security is important. Even then, risk is never zero.

On a long enough time scale, your/every organization will be compromised; all you can do is try to delay that as long as possible.

It's similar to how home security is really about making your house a less tempting target than others in the area, because there is no way to make it truly secure. You can only mitigate risk, not eliminate it.

PS: I work in one of many risk management departments.
posted by VTX at 4:13 PM on February 3 [5 favorites]


Mod note: [btw, this thread has been added to the sidebar and Best Of blog]
posted by taz (staff) at 6:43 AM on February 4 [3 favorites]


I've worked in countless banking/healthcare environments as a web development consultant, and security is extremely tight - only whitelisted programs from internal software repos, no admin rights, etc. Usually works a lot better as a virtual desktop session on a more-permissive host computer, since that kind of setup allows for a lot of flexibility in how the virtual desktops are deployed without compromising the permissions of the computers that are allowed to connect directly to sensitive resources. In any event, the main problem with this kind of thing is that the software world evolves fast & IT departments don't want to give themselves any more work than they have to, which means newer apps/packages usually don't get whitelisted & struggles emerge. (This particularly applies to node packages lately, where larger IT orgs require that even individual node_modules are whitelisted and provisioned only from an internally-managed package server, and fairly modern modules with broad dependencies can be left out of this kind of setup quite easily)

For everything I've seen with lax network security, tight control is the only sane starting point for IT departments. Organizations usually make the most mistakes handing out too-permissive client computers, because no end-user is perfect and you're always one mistake away from a gigantic IT mess. All the same, companies have to be a little versatile in deploying resources when there is a sensitive central intranet. Maybe not everything needs to live on that intranet. Maybe you should allow marketing/content vendors to do their thing on cloud servers since probably nobody needs access to your customer files to do that. Maybe you should prioritize whitelisting new versions of Chrome instead of fighting with your whole company about only supporting IE mode in Edge (or, worse, requiring everyone use EOL software to access web resources that haven't been updated in 2 decades).
posted by brianvan at 7:11 AM on February 4 [2 favorites]


Wanted to emphasize the importance of "Zero Trust" as mentioned above. There has been a sea change in the way security architecture is conceptualized. The old way considered the organization's computers as "good guys", and the firewall separated you from the "bad guys" in the outside world. For the 1990s, that was a reasonable model for threats that were typical at the time.

In the 2020s, several things have happened. One, computers are now integrated into almost everything that is done at an organization, so security vulnerabilities hold more at risk. Two, ransomware gangs, some of them state-sponsored, have completely shut down some major entities for extended periods of time, so the consequences of an intrusion are higher. Three, on modern operating systems giving an ordinary user account administrative privileges is not usually needed. A consequence of this is that all computers in an organization are treated as potential risks. The increasingly misnamed "firewall" is designed to protect not just a single network interface but connections within the organization. So finally we come to your computer, which is now regarded as both an attack surface and a vector for launching further attacks. You haven't changed, but the security model is quite different.
posted by wnissen at 11:05 AM on February 5

