A surprising number of colleges and universities continue to give staff and faculty members administrative privileges on their computer networks, despite the obvious security risks.
A survey of 59 members of the Educause IT Support Services Community Group, published last week, looked into how colleges’ approaches to admin policies have changed in recent years and found relatively little progress.
In 2017, about 30% of all respondents said their institutions automatically granted admin privileges to all employees, with no questions asked. This remained unchanged in 2022, though more institutions are now moving towards systems where permissions for non-IT staff and faculty are only granted on request.
The 2022 survey found that 30% of respondents plan to adopt stricter policies on administrative privileges for non-IT staff and faculty members, compared with less than 20% in 2017. But the results also indicated increasing concern among administrators that their higher ed colleagues, particularly faculty, will not react well to having access restricted.
“In a theme that continued from 2017, many IT administrators still believe that their users will not relinquish administrative rights without a struggle,” said the survey report, authored by Eric Rzeszut, director of IT operations at the University of Virginia’s McIntire School of Commerce, and Bryan Lewis, McIntire’s assistant dean for technology and operations.
Lewis and Rzeszut wrote that McIntire has over the past five years increased its use of access management and password security tools such as Microsoft’s Local Administrator Password Solution and the open-source Windows application Make Me Admin.
Data security failures in higher education can often be linked to lax end-user admin rights, and these can be addressed with simple changes, the report said.
“The issues associated with assigning admin privileges to end users at higher education institutions are cultural rather than technological,” the report read. “Leadership support is needed to encourage implementation. A technological solution is not enough. There must be an associated policy change.”