End User Admin Rights in Higher Ed: (Still) Securing the Keys


The landscape of admin rights across academia looks much the same today as it did five years ago. While many institutions still grant admin rights to all employees, no questions asked, others are looking to strengthen their policies.

Credit: tostphoto / Shutterstock.com © 2022

"The more things change, the more they stay the same." —Jean-Baptiste Alphonse Karr, 1849

In 2017, we surveyed higher education IT professionals via the EDUCAUSE user support email list to evaluate the provision of end user admin rights at higher education institutions. In our 2018 analysis of the survey results, we looked at the landscape of admin rights across academia, explained some of the dangers of widespread admin rights assignment, and provided some data on one possible solution. We found that automatic admin rights assignment was distressingly common in higher education and that many IT staff members felt that faculty and staff at their institution would respond negatively to the removal of those rights.[1]

Nearly five years have passed since our 2017 survey, so we decided to take a fresh look at the issue. We surveyed members of the EDUCAUSE IT Support Services Community Group, which includes college and university personnel with expert knowledge of help desk management and IT support services. The data revealed a few surprises. Perhaps the most unexpected result is that many institutions still grant admin rights to all employees, no questions asked. We also found that more institutions are looking to strengthen their policies on this issue in 2022 than in 2017, and more institutions are using unique and non-standard approaches to providing end user computer admin rights compared to what we found in 2017.

2022 Administrative Rights Survey

Members of the EDUCAUSE IT Support Services Community Group were surveyed via Qualtrics over a four-week period in June 2022. Fifty-nine technology professionals responded. Here is how the data between the 2017 and 2022 surveys compare.

Approaches to Admin Rights Policies

In 2017 and 2022, nearly 30 percent of institutions automatically granted admin rights to employees; however, the percentage of institutions doing "something else" increased notably (see figure 1).

Figure 1. Institutional Admin Rights Policy
Question: How do you provide local computer admin rights to the faculty and staff whom you support?

  Response                                        2022   2017
  All faculty/staff get admin rights               28%    27%
  All faculty get admin rights                      3%     4%
  All staff get admin rights                         -     4%
  IT staff only have admin rights                  10%    11%
  Faculty/staff can apply for admin rights         16%    23%
  Faculty/staff have a secondary admin account      8%     9%
  Other                                            36%    25%

The non-standard or "other" solutions include the following:

  • "Faculty and staff that have laptops have a secondary local admin account that is not a primary account. Desktops do not have admin rights."
  • "IT staff have admin rights. Other faculty and staff are not automatically granted admin rights, but rights are given as they request them."
  • "We are working toward no one automatically having admin rights. Users may request installation help or temporary admin rights for reviewed software installs. On occasion, users may apply for persistent admin access."
  • "We use a Privilege Access Management tool to provide elevation for applications and installs, so we do not have to grant local admin for faculty and staff. There are some scenarios where this has not been effective, so we have a request process that must be justified and approved for granting local admin."

We were encouraged to learn that the number of institutions planning a stricter admin rights policy increased. Surprisingly, however, so did the number of institutions planning a weaker set of policies (see figure 2).

Figure 2. Planned Changes to Administrative Rights Assignments
Question: In the next year, is your School / Department / Unit planning a change in how faculty/staff administrative rights for local computers are assigned?

  Response                           2022   2017
  Yes, to a stricter policy           30%    19%
  Yes, to a more lenient policy        7%     2%
  No changes are planned              62%    79%

Reactions to Stricter Admin Rights Policies

In a theme that continued from 2017, many IT administrators still believe that their users will not relinquish administrative rights without a struggle. The 2022 data shows that this is believed to be a larger concern for faculty members, followed by staff members outside the IT organization, mirroring the 2017 data. IT staffers are generally viewed as the ones who would accommodate a strengthening of admin rights policies.

Overall, respondents remain concerned that faculty will respond negatively to stronger admin rights policies; this concern increased from 2017 to 2022 (see figure 3a). Similarly, respondents expressed increased concerns that staff would respond negatively to stronger admin rights policies (see figure 3b). In 2017 and 2022, IT staff members recognized the need for stronger admin rights policies (see figure 3c).

Figure 3a. Predicted Faculty Reaction to a Stricter Admin Rights Policy
Question: Please rate how you think your FACULTY would react to a stricter policy on admin rights assignment.

  Response                       2022   2017
  Strongly agree                   0%     0%
  Agree                            0%     5%
  Somewhat agree                   7%     5%
  Neither agree nor disagree      12%     5%
  Somewhat disagree               18%    35%
  Disagree                        35%    35%
  Strongly disagree               29%    15%

Figure 3b. Predicted Staff Reaction to a Stricter Admin Rights Policy
Question: Please rate how you think your STAFF would react to a stricter policy on admin rights assignment.

  Response                       2022   2017
  Strongly agree                   0%     0%
  Agree                           12%    10%
  Somewhat agree                   6%    10%
  Neither agree nor disagree      29%    30%
  Somewhat disagree               12%    45%
  Disagree                        41%     5%
  Strongly disagree                0%     0%

Figure 3c. IT Staff Reaction to a Stricter Admin Rights Policy
Question: Please rate how YOU would feel about a stricter policy on admin rights assignment.

  Response                       2022   2017
  Strongly agree                  41%    25%
  Agree                           24%    50%
  Somewhat agree                  24%    15%
  Neither agree nor disagree       5%    10%
  Somewhat disagree                7%     0%
  Disagree                         0%     0%
  Strongly disagree                0%     0%

Solutions for Securing Admin Rights

In our 2018 article, we identified an open-source Windows application called Make Me Admin as one potential way to improve security while respecting the needs of faculty and staff. Make Me Admin provides temporary, logged administrative elevation to end users so they can perform software installations or other necessary operations on their computers.[2]

Many respondents to the 2022 survey said they use Make Me Admin to provide admin rights to faculty and staff as needed.

  • "Admin rights [are provided] on demand for faculty and staff via Make Me Admin, but no justification is required. IT technicians are added automatically upon login via MMA."
  • "Faculty and staff use non-admin accounts. If they need admin rights, they can self-elevate with either Make Me Admin on a Windows computer or Privileges on a macOS computer."
  • "It varies as we are quite decentralized. For the centrally managed devices, faculty/staff generally have local admin privileges on laptops but not on desktops. This is changing, however, as we test the Make Me Admin tool and roll it out."
  • "We have them request admin rights, and if approved, Make Me Admin is installed on their computer and scoped specifically to their account."
  • "We utilize a tool called Make Me Admin, which allows faculty/staff who belong to a specific AD group to temporarily grant themselves admin access. These elevations get logged to a Syslog server as well."
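The logging these respondents describe is what makes temporary elevation auditable. The following is an added example (not Make Me Admin's code, and the log line format, hosts, user names and the 10-minute limit are constructed assumptions): it pairs each elevation event with its removal and flags sessions that were never reverted or that ran past the allowed window, which is the check a help desk would want to run against a syslog export.

```python
"""Audit temporary-elevation events from constructed syslog-style lines.
The line format is an assumption for this example, not Make Me Admin's own."""
from datetime import datetime, timedelta
import re

# Constructed sample lines (assumed format): one elevation and, ideally,
# one matching removal per host/user session.
SAMPLE_LOG = """\
2022-06-01T09:00:05 host=LAB-PC-01 user=jdoe action=elevated
2022-06-01T09:09:30 host=LAB-PC-01 user=jdoe action=removed
2022-06-01T10:15:00 host=LAB-PC-07 user=asmith action=elevated
2022-06-01T10:40:10 host=LAB-PC-07 user=asmith action=removed
2022-06-01T11:00:00 host=LAB-PC-09 user=bjones action=elevated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\w+)$")


def parse_lines(text):
    """Yield (timestamp, host, user, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["action"]


def audit_elevations(text, max_minutes=10):
    """Return findings for sessions held longer than max_minutes or never reverted."""
    open_sessions = {}  # (host, user) -> time the account was elevated
    findings = []
    for ts, host, user, action in parse_lines(text):
        key = (host, user)
        if action == "elevated":
            open_sessions[key] = ts
        elif action == "removed" and key in open_sessions:
            held = ts - open_sessions.pop(key)
            if held > timedelta(minutes=max_minutes):
                findings.append(f"{host}/{user}: held admin {held} (limit {max_minutes} min)")
    # Anything still open at the end of the export is effectively persistent admin.
    for (host, user), ts in open_sessions.items():
        findings.append(f"{host}/{user}: elevated at {ts.isoformat()} and never reverted")
    return findings


if __name__ == "__main__":
    for finding in audit_elevations(SAMPLE_LOG):
        print(finding)
```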

McIntire School of Commerce Security Tools

Make Me Admin is still used by the McIntire School of Commerce and has proven to be a beneficial tool for faculty and staff. Use of the software has increased slightly in the past five years, driven partially by the pandemic and the shift to more fully remote and hybrid work (see figure 4). Make Me Admin is now installed on 294 Windows workstations at McIntire. In addition, the McIntire help desk often uses remote support tools like BeyondTrust to support users when they are off campus. Asking end users to elevate their permissions is often necessary during these remote sessions.

McIntire's help desk manager Rico Vigliotti says, "Make Me Admin is an important addition to our toolbox. We often need users to elevate their permissions when we are remotely diagnosing and fixing a problem, and Make Me Admin gives us a quick and easy way to do so."[3]

Figure 4. McIntire School of Commerce Make Me Admin Usage Comparison
McIntire Temporary Elevation Usage, Spring 2022 vs Fall 2017.

  Usage                  2022   2017
  Never used              58%    81%
  Used once               35%    12%
  Used more than once      9%     8%

In addition to Make Me Admin, McIntire has invested in other management tools required by our central IT organization's strengthened security policies. Most notably, the Microsoft Local Administrator Password Solution (LAPS) was deployed to ensure unique local administrator passwords on domain-joined machines, so that a compromised local admin password on one machine cannot be reused on the others. This tool was deployed as the direct result of security recommendations from an IT audit conducted in 2020.

Conclusion

Overall, the landscape of admin rights assignment in higher education has not changed dramatically since 2017. The threats we identified in our 2018 article remain prevalent, and academic institutions remain a target. In its 2022 survey of IT professionals at mid-sized organizations across thirty-one countries (including respondents from the higher education sector), Sophos found that attacks against higher education institutions have increased in the past year.[4] Although the attack rate in the higher education sector is lower than in the corporate sector, the success rate is higher! This is partially attributable to the often-lax end user admin rights policies described in this article.

As we noted in 2018, the issues associated with assigning admin privileges to end users at higher education institutions are cultural rather than technological. There are tools designed to address these issues; however, faculty and staff may be resistant to adopting these changes. Leadership support is needed to encourage implementation. A technological solution is not enough. There must be an associated policy change.

We'll close with the same reminder we gave readers in 2018: IT security is everyone's responsibility.

Notes

  1. Bryan Lewis and Eric Rzeszut, "Reclaiming the Keys to the Kingdom: Examining End-User Administrator Rights in Higher Education," EDUCAUSE Review, February 12, 2018.
  2. For more information about Make Me Admin, see Bryan Lewis, Eric Rzeszut, and Patrick Seymour, "Reclaiming the Keys to the Kingdom: Higher Ed Admin Rights" (presentation, EDUCAUSE Security Professionals Conference 2019, Chicago, IL, May 15, 2019).
  3. Rico Vigliotti, email message to Eric Rzeszut, September 19, 2022.
  4. The State of Ransomware in Education 2022, white paper (Abingdon, UK: Sophos, July 2022).

Bryan Lewis is Assistant Dean for Technology and Operations at the McIntire School of Commerce, University of Virginia.

Eric Rzeszut is Director of IT Operations at the McIntire School of Commerce, University of Virginia.

© 2022 Bryan Lewis and Eric Rzeszut. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.