The landscape of admin rights across academia looks much the same today as it did five years ago. While many institutions still grant admin rights to all employees, no questions asked, others are looking to strengthen their policies.
"The more things change, the more they stay the same." —Jean-Baptiste Alphonse Karr, 1849
In 2017, we surveyed higher education IT professionals via the EDUCAUSE user support email list to evaluate the provision of end user admin rights at higher education institutions. In our 2018 analysis of the survey results, we looked at the landscape of admin rights across academia, explained some of the dangers of widespread admin rights assignment, and provided some data on one possible solution. We found that automatic admin rights assignment was distressingly common in higher education and that many IT staff members felt that faculty and staff at their institution would respond negatively to the removal of those rights.Footnote1
Nearly five years have passed since our 2017 survey, so we decided to take a fresh look at the issue. We surveyed members of the EDUCAUSE IT Support Services Community Group, which includes college and university personnel with expert knowledge of help desk management and IT support services. The data revealed a few surprises. Perhaps the most unexpected result is that many institutions still grant admin rights to all employees, no questions asked. We also found that more institutions are looking to strengthen their policies on this issue in 2022 than in 2017, and more institutions are using unique and non-standard approaches to providing end user computer admin rights compared to what we found in 2017.
2022 Administrative Rights Survey
Members of the EDUCAUSE IT Support Services Community Group were surveyed via Qualtrics over a four-week period in June 2022. Fifty-nine technology professionals responded. Here is how the data between the 2017 and 2022 surveys compare.
Approaches to Admin Rights Policies
In 2017 and 2022, nearly 30 percent of institutions automatically granted admin rights to employees; however, the percentage of institutions doing "something else" increased notably (see figure 1).
The non-standard or "other" solutions include the following:
- "Faculty and staff that have laptops have a secondary local admin account that is not a primary account. Desktops do not have admin rights."
- "IT staff have admin rights. Other faculty and staff are not automatically granted admin rights, but rights are given as they request them."
- "We are working toward no one automatically having admin rights. Users may request installation help or temporary admin rights for reviewed software installs. On occasion, users may apply for persistent admin access."
- "We use a Privilege Access Management tool to provide elevation for applications and installs, so we do not have to grant local admin for faculty and staff. There are some scenarios where this has not been effective, so we have a request process that must be justified and approved for granting local admin."
We were encouraged to learn that the number of institutions planning a stricter admin rights policy increased. Surprisingly, however, so did the number of institutions planning a weaker set of policies (see figure 2).
Reactions to Stricter Admin Rights Policies
In a theme that continued from 2017, many IT administrators still believe that their users will not relinquish administrative rights without a struggle. The 2022 data shows that this is believed to be a larger concern for faculty members, followed by staff members outside the IT organization, mirroring the 2017 data. IT staffers are generally viewed as the ones who would accommodate a strengthening of admin rights policies.
Overall, respondents remain concerned that faculty will respond negatively to stronger admin rights policies; this concern increased from 2017 to 2022 (see figure 3a). Similarly, respondents expressed increased concerns that staff would respond negatively to stronger admin rights policies (see figure 3b). In 2017 and 2022, IT staff members recognized the need for stronger admin rights policies (see figure 3c).
Solutions for Securing Admin Rights
In our 2018 article, we identified an open-source Windows application called Make Me Admin as one potential way to improve security while respecting the needs of faculty and staff. Make Me Admin provides temporary, logged administrative elevation to end users so they can perform software installations or other necessary operations on their computers.Footnote2
Many respondents to the 2022 survey said they use Make Me Admin to provide admin rights to faculty and staff as needed.
- "Admin rights [are provided] on demand for faculty and staff via Make Me Admin, but no justification is required. IT technicians are added automatically upon login via MMA."
- "Faculty and staff use non-admin accounts. If they need admin rights, they can self-elevate with either Make Me Admin on a Windows computer or Privileges on a macOS computer."
- "It varies as we are quite decentralized. For the centrally managed devices, faculty/staff generally have local admin privileges on laptops but not on desktops. This is changing, however, as we test the Make Me Admin tool and roll it out."
- "We have them request admin rights, and if approved, Make Me Admin is installed on their computer and scoped specifically to their account."
- "We utilize a tool called Make Me Admin, which allows faculty/staff who belong to a specific AD group to temporarily grant themselves admin access. These elevations get logged to a Syslog server as well."
McIntire School of Commerce Security Tools
Make Me Admin is still used by the McIntire School of Commerce and has proven to be a beneficial tool for faculty and staff. Use of the software has increased slightly in the past five years, driven partially by the pandemic and the shift to more fully remote and hybrid work (see figure 4). Make Me Admin is now installed on 294 Windows workstations at McIntire. In addition, the McIntire help desk often uses remote support tools like BeyondTrust to support users when they are off campus. Asking end users to elevate their permissions is often necessary during these remote sessions.
McIntire's help desk manager Rico Vigliotti says, "Make Me Admin is an important addition to our toolbox. We often need users to elevate their permissions when we are remotely diagnosing and fixing a problem, and Make Me Admin gives us a quick and easy way to do so."Footnote3
In addition to Make Me Admin, McIntire has invested in other management tools required by our central IT organization's strengthened security policies. Most notably, the Microsoft Local Administrator Password Solution (LAPS) was deployed to ensure unique local administrator passwords for domain joined machines. This tool was deployed as the direct result of security recommendations from an IT audit conducted in 2020.
Conclusion
Overall, the landscape of admin rights assignment in higher education has not changed dramatically since 2017. The threats we identified in our 2018 article remain prevalent, and academic institutions remain a target. In its 2022 survey of IT professionals at mid-sized organizations across thirty-one countries (including respondents from the higher education sector), Sophos found that attacks against higher education institutions have increased in the past year.Footnote4 Although the attack rate in the higher education sector is lower than in the corporate sector, the success rate is higher! This is partially attributable to the often-lax end user admin rights policies described in this article.
As we noted in 2018, the issues associated with assigning admin privileges to end users at higher education institutions are cultural rather than technological. There are tools designed to address these issues; however, faculty and staff may be resistant to adopting these changes. Leadership support is needed to encourage implementation. A technological solution is not enough. There must be an associated policy change.
We'll close with the same reminder we gave readers in 2018: IT security is everyone's responsibility.
Notes
- Bryan Lewis and Eric Rzeszut, "Reclaiming the Keys to the Kingdom: Examining End-User Administrator Rights in Higher Education," EDUCAUSE Review, February 12, 2018. Jump back to footnote 1 in the text.
- For more information about Make Me Admin, see Bryan Lewis, Eric Rzeszut, and Patrick Seymour, "Reclaiming the Keys to the Kingdom: Higher Ed Admin Rights," (presentation, EDUCAUSE Security Professionals Conference 2019: Chicago, IL, May 15, 2019). Jump back to footnote 2 in the text.
- Rico Vigliotti, email message to Eric Rzeszut, September 19, 2022. Jump back to footnote 3 in the text.
- The State of Ransomware in Education 2022, white paper, (Abingdon, UK: Sophos, July 2022). Jump back to footnote 4 in the text.
Bryan Lewis is Assistant Dean for Technology and Operations at the McIntire School of Commerce, University of Virginia.
Eric Rzeszut is Director of IT Operations at the McIntire School of Commerce, University of Virginia.
© 2022 Bryan Lewis and Eric Rzeszut. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.