Administrative Privileges
In general, all software and hardware installation requests must be made to the computer group through a
ServiceRequest. As the computer group is extremely busy, these requests must be made as far in advance as possible. This requires careful planning to avoid unnecessary delays for new computers, users, or projects. Allowing unrestricted administrative privileges is something that, in good conscience, we cannot do.
The problem is that doing so also makes it trivially easy for computer
viruses to take over a computer and use it for whatever the author of
that virus wants to do. Recovering from such infections can be
extremely lengthy and much more costly to the research program than
a delay in getting started. See below.
What we can do is install a program which allows specific individuals
to use administrative privileges to do specific tasks. It does not
satisfy all administrative needs. Many operations would still
require intervention by a computer group member.
Modern Web-based viruses are acquired simply by viewing the wrong Web
page. They take advantage of features which are designed into Web
browsers which allow them to run programs. Even up-to-date anti-virus
programs don't recognize the newest viruses. We had to clean up a
system just this past week which was infected in this way. (A user's laptop was recently infected when he viewed what was purported to be
a review of the new Green Lantern movie. Fortunately, he did not
have administrative privileges.) Macs are just as vulnerable as
Windows computers to these kinds of attacks.
There are other viruses, known as trojan horses, which claim to do
something highly desirable, easily persuading people to download and
install them, but which instead do something extremely inappropriate
(e.g., a page that insists you download and install an "up-to-date"
version of Flash in order to watch a training video).
Modern computer viruses are especially pernicious. They're used to
support many different illegal activities, including transmitting
spam, denial-of-service attacks on other computers, stealing personal
information for identity theft or stealing money from bank accounts and credit cards, and providing storage and transmission
of child pornography, to list just a few.
When such a virus infects an account which does not have
administrative privileges, it usually infects only that individual's
files. Sometimes we've been able to clean up such a system in as
little as half a day of our time (as was the case with the "Green Lantern"
infection described above). More often it takes a couple of days. Of course, the
computer is unavailable for use while it's being cleaned.
If they have administrative privileges, modern viruses have many ways
to hide so that the system superficially looks normal, but just seems
to be a bit sluggish. Sometimes the only way they can be detected is
by the network traffic that they generate. They do not show up when
using the built-in system monitoring software (e.g. Task Manager under
Windows). Cornell's IT security office has a system which monitors
Cornell's outbound network traffic looking for signs of such
infections. They cannot monitor internal traffic that way, so some
infections spread quite widely before they're caught.
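As an added illustration (not part of the original memo, and not Cornell's monitoring system) of how an infection can be spotted from traffic alone when it hides from Task Manager: the Python below picks out host-to-destination pairs that connect at suspiciously regular intervals, which is how many infected machines check in with their controller. The flow records, host names, addresses and thresholds are all constructed assumptions.

```python
"""Periodic-beacon detector over constructed outbound flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, source host, destination IP, port).
# Not real traffic; documentation-range addresses only.
FLOWS = [
    # lab-pc-07: one connection roughly every 300 s to a single address
    (1000, "lab-pc-07", "203.0.113.45", 443),
    (1300, "lab-pc-07", "203.0.113.45", 443),
    (1601, "lab-pc-07", "203.0.113.45", 443),
    (1899, "lab-pc-07", "203.0.113.45", 443),
    (2200, "lab-pc-07", "203.0.113.45", 443),
    # lab-pc-07: ordinary browsing, irregular and too few to judge
    (1010, "lab-pc-07", "198.51.100.9", 443),
    (1050, "lab-pc-07", "198.51.100.9", 443),
    (1800, "lab-pc-07", "198.51.100.9", 443),
    # lab-pc-12: irregular traffic only
    (1005, "lab-pc-12", "198.51.100.20", 80),
    (1130, "lab-pc-12", "198.51.100.20", 80),
    (1135, "lab-pc-12", "198.51.100.20", 80),
    (1900, "lab-pc-12", "198.51.100.20", 80),
    (2500, "lab-pc-12", "198.51.100.20", 80),
]


def find_beacons(flows, min_flows=4, max_jitter=0.05):
    """Return (src, dst, port, period_seconds) for every src->dst:port pair
    whose connections recur at near-constant intervals.  Jitter is the
    coefficient of variation (std dev / mean) of the inter-arrival gaps;
    human browsing is bursty and fails this test, a timer-driven check-in
    passes it.  Thresholds are assumed values, tune them per network."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few observations to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((src, dst, port, round(period)))
    return hits


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{port} every ~{period}s (possible beacon)")
```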
When such a virus infects a system by way of an account with
administrative privileges, we have no recourse but to entirely wipe
the system and reinstall all of its software from scratch from known,
clean sources. (Fortunately, we have not had this happen at LEPP for a
long time. Unfortunately, this is almost a daily occurrence somewhere
on campus, although it happens much less often than it used to.)
This cleanup will make the system unavailable for several days,
sometimes a week or more, depending on what specialized software has
to be reinstalled. Any data on that system will have been lost,
setting back the research program substantially.
In addition to these technical issues, there are several painful
administrative ones.
Whenever a computer is compromised by a virus or otherwise, whether or
not it was by way of an account with administrative privileges, we are
required to report it to the Research Division's Security Liaison and
to the campus IT security office. (The NSF also requires us to keep a
log of all security incidents.) If there is the slightest possibility
that the computer might have had access to confidential information,
there is a very lengthy and expensive procedure which must be followed
by us and by them to determine if and how much confidential data was
exposed. (Fortunately, we did not have to follow this procedure with
the "Green Lantern" infection, since the computer had been recently scanned
using Identity Finder, and the user does not work with confidential data. We only had to report
the incident.)
And, of course, because of all these issues, Cornell policy 5.10
strongly discourages the use of unrestricted computer administrative
privileges.
I hope this clarifies things a little and explains why we have to be
so careful.