Administrative Privileges

In general, all software and hardware installation requests must be made to the computer group through a ServiceRequest. As the computer group is extremely busy, these requests must be made as far in advance as possible. This requires careful planning to avoid unnecessary delays for new computers, users, or projects. Allowing unrestricted administrative privileges is something that, in good conscience, we cannot do.

The problem is that granting unrestricted administrative privileges also makes it trivially easy for computer viruses to take over a computer and use it for whatever the author of that virus wants. Recovering from such infections can be extremely lengthy and much more costly to the research program than a delay in getting started. See below.

What we can do is install a program which allows specific individuals to use administrative privileges to do specific tasks. It does not satisfy all administrative needs. Many operations would still require intervention by a computer group member.

Modern Web-based viruses are acquired simply by viewing the wrong Web page. They take advantage of features designed into Web browsers that allow them to run programs. Even up-to-date anti-virus programs don't recognize the newest viruses. We had to clean up a system just this past week which was infected in this way. (A user's laptop was recently infected when he viewed what was purported to be a review of the new Green Lantern movie. Fortunately, he did not have administrative privileges.) Macs are just as vulnerable as Windows computers to these kinds of attacks.

There are other viruses, known as trojan horses, which claim to do something highly desirable, easily persuading people to download and install them, but which instead do something extremely inappropriate (e.g. supposedly having to download and install an up-to-date version of Flash in order to watch a training video).

Modern computer viruses are especially pernicious. They're used to support many different illegal activities, including transmitting spam, denial-of-service attacks on other computers, stealing personal information for identity theft or stealing money from bank accounts and credit cards, and providing storage and transmission of child pornography, to list just a few.

When such a virus infects an account which does not have administrative privileges, it usually infects only that individual's files. Sometimes we've been able to clean up such a system in as little as half a day of our time (as was the case with the "Green Lantern" infection described above). More often it takes a couple of days. Of course, the computer is unavailable for use while it's being cleaned.

If they have administrative privileges, modern viruses have many ways to hide so that the system superficially looks normal, but just seems to be a bit sluggish. Sometimes the only way they can be detected is by the network traffic that they generate. They do not show up when using the built-in system monitoring software (e.g. Task Manager under Windows). Cornell's IT security office has a system which monitors Cornell's outbound network traffic looking for signs of such infections. They cannot monitor internal traffic that way, so some infections spread quite widely before they're caught.

When such a virus infects a system by way of an account with administrative privileges, we have no recourse but to entirely wipe the system and reinstall all of its software from scratch from known, clean sources. (Fortunately, we have not had this happen at LEPP for a long time. Unfortunately, this is almost a daily occurrence somewhere on campus, although it happens much less often than it used to.)

This cleanup will make the system unavailable for several days, sometimes a week or more, depending on what specialized software has to be reinstalled. Any data on that system will have been lost, setting back the research program substantially.

In addition to these technical issues, there are several painful administrative ones.

Whenever a computer is compromised by a virus or otherwise, whether or not it was by way of an account with administrative privileges, we are required to report it to the Research Division's Security Liaison and to the campus IT security office. (The NSF also requires us to keep a log of all security incidents.) If there is the slightest possibility that the computer might have had access to confidential information, there is a very lengthy and expensive procedure which must be followed by us and by them to determine if and how much confidential data was exposed. (Fortunately, we did not have to follow this procedure with the "Green Lantern" infection, since the computer had been recently scanned using Identity Finder, and the user does not work with confidential data. We only had to report the incident.)

And, of course, because of all these issues, Cornell policy 5.10 strongly discourages the use of unrestricted computer administrative privileges.

I hope this clarifies things a little and explains why we have to be so careful.
Topic revision: r3 - 22 Jun 2011, seb