Client Use Administrative Rights Policy (Faculty)
About This Policy
Maintaining the highest level of security for our campus computing environment and University data is a responsibility shared by the campus community. This policy establishes a baseline of client requirements towards achieving a secure environment.
The default privilege distributed with all University purchased computing equipment is “standard” client privileges. The standard client privileges allow users to utilize the applications installed and are provided along with their equipment. This includes the ability to work on documents (create, modify and save) on their computer, print and access SaaS-based applications, such as Workday, Peoplesoft and Nest. The standard level of user privileges does not allow users to:
- Install software that has not been distributed via the Division of Information Technology or your local technology team
- Make changes to the operating system
- Perform upgrades to applications
- Installation of specific hardware devices
Maintaining the integrity of these systems falls to your supporting group by the creation of a standard computer image that is distributed to both the Mac and Windows platforms. These standard computer images are secured utilizing applications that will allow us to push out updates and configuration changes remotely.
We also require all users to follow the several policies regarding computing including the Policy on Responsible Use of Computing and Data Classification and Handling Policy.
Requesting Elevated Privileges:
Requests for elevated privileges are considered based on an approved business justification submitted to the Division of Information Technology or your local technology team. The appropriate support team will work with the user to identify alternative ways to allow a user to achieve their needs without granting them elevated privileges. This may include providing options for self-service software installations delivered via the IT managed software environment.
If an exception for escalated privileges is determined to be necessary, elevated privileges will be provided to the user via the setup of a separate privileged account using IT’s standard naming convention. (i.e. <NetID>_prv).
In order for elevated privileges to be granted the user must:
- Complete a security awareness training course (Securing the Human)
- Ensure that the applications/hardware/accessories being installed are from a legitimate website (ex. Microsoft Office should be downloaded from Microsoft.com) and are for the sole purpose of conducting University-related business.
- Ensure that any changes to operating systems or browsers are approved.
- Utilize the privileged account only when performing tasks that require an elevation of privileges, such as when a software installation requires it.
- Consistently maintain and secure a backup of data.
Note: Users should never use the privileged account to log in to the client for day-to-day computer tasks such as browsing websites, using social media, checking email, working with documents, spreadsheets and database, which are vectors for transmitting malware. Contracting malware while using a privileged account, grants administrative control over the computer to the malware.
A user granted elevated privileges must not:
- Disable other administrative accounts
- Modify or disable any configured services (firewall, antivirus, etc.) or security configurations (i.e. not use a privileged account to manage parental controls)
- Unjoin the machine from the Active Directory (AD) domain
To request an exception to standard access, the user must complete the Request for a Privileged Account – Faculty Only form which includes an area for stating the reason for the request. This form will be emailed into ServiceNow (SNOW), our Incident Management system. You will be contacted via the Associate Director of IT Support Services or your local technology team Director who will then review the request in an effort to determine if it is deemed necessary.
- Your manager will be contacted for additional approval.
- If you are approved for a privileged account, you will be contacted by the Service Desk with further information once the request has been provisioned.
- If you are not approved then your incident will be marked as resolved and you will receive a notification via ServiceNow (SNOW).
General Guidelines and Loss of Privileges
- The Division of Information Technology or your local technology support team reserves the right to suspend the privileged account if any condition is violated.
- Clients acknowledge that compromised operating systems might require re-installation, potentially resulting in partial or total loss of files.
- Privileged accounts are not provided in perpetuity. They will be reviewed periodically or when you are provided with a new leased machine.