SEC-S011 Computer Administrative Rights Standard

1.         Objective

Austin Peay State University defines the access rights granted to university assigned office and lab computers as standard user rights and establishes within this document a process to grant and manage administrator user rights in special cases that require it. 

2.         Scope

All Austin Peay State University office and lab computers are configured with standard user rights granted to university employees and students using those computers. A process to obtain administrative rights is described within this document. 

3.         Compliance

Austin Peay State University faculty and staff must comply with this document.  Questions, concerns, or suspicion of non-compliance are to be reported to the Director of Information Technology Security. This document does not apply to Information Technology staff who are covered under a different standard.

4.         Definitions

Administrator User rights – This privilege level grants complete administrative access to the computer, including the ability to install hardware or software, manage local user accounts, edit the registry, and alter any system-level files or settings. This is the least secure and stable level of access for a computer and is limited as a result. 

Least User Privilege – A standard cybersecurity principle and best-practice that enhances the protection of data and system functionality from accidental exposure and/or exploits and malicious behavior by giving a user account only those privileges which are essential to that user’s work. The concept also requires that users, even those who have been granted administrator privileges, login normally with only standard user privileges to make it more difficult for malicious actors to take control of or impact computing resources and data.

Privileged Access Management (PAM) tool– a tool installed on university computers that allows for the temporary granting of Administrator User Rights. This tool authorizes users to do typical admin tasks such as add printers or install digitally signed programs. Privileges can be increased further within the tool if additional access is required upon request and approval by ticket.

Privileged Account– A second domain account provided to APSU employees who have requested and been approved for Administrative User Rights on student use computers as part of their job requirements.  This account will be the requester’s username appended with -sa (ex: SmithJ-sa) and will be only used when elevated privileges are needed to install software or perform other management tasks on the computer(s).   This account is not to be used for logging into the computer or to perform normal, daily functions where administrative access is not required.

Standard User Rights - All university office and lab computers are installed with Standard User rights by default.  This level of access provides sufficient access to perform normal daily functions; it allows university employees and students the ability to use standard applications, print, access file shares, and access the Internet.   This level of access does not allow altering of software or configurations which require changes to system-level files and settings.  This is the most secure and stable level of access.

University Employee Account – An account granted to university employees. All employee accounts have standard user rights. Employees may temporarily elevate their rights to the equivalent of a privileged account for the purposes of installing digitally signed programs and doing other admin tasks on their university computer. These privileges may be gained through the use of the PAM tool.

 

5.         Standard and Process

  1. Rationale
    1. Access rights are assigned based on the Least User Privilege standard.   For most university faculty and staff, Standard User Rights are adequate to allow use of applications and tools needed to complete work tasks in a timely fashion.   Standard User Rights prevent most malicious malware and other software compromises from being installed on or damaging computers and data.
    2. There are cases where faculty and staff computers will require Administrative User Rights to install, update, or configure necessary applications in one or more computers. The PAM tool allows for these rights temporarily when installing digitally signed programs and doing other administrative tasks. In most other cases, a request to the Information Technology Help Desk for assistance will adequately resolve this need.  In cases where a permanent need for Administrative User Rights is needed, the faculty or staff member will be required to make a formal request for Administrative User Rights access.
    3. Students are not eligible to be granted Administrative User Rights access.

 

  1. Process to Request Administrative User Rights
    1. A request to increase Administrative User Rights may be granted to faculty and staff for one or more university computers if sufficient justification can be provided related to daily job duties.  The form in the Information Technology department’s Service Catalog, “Request Administrator Access” must be completed, approved by the appropriate department level officer and forwarded to the Information Technology department. The Director of Information Technology Security (ITS) or delegate will review and respond. 
    2. If the request is approved, fulfillment of the request will be provided as described in section 5D below.
    3. If the request is declined, the requesting employee may appeal the decision to his or her department level officer who will discuss the request with the Director of ITS or delegate.  The employee may submit additional justification to support the appeal prior to the meeting between the department level officer and the Director of ITS or delegate. The department level officer will notify the employee of the outcome of that discussion. 
       
  2. Responsibilities of Employees Approved for Administrative User Rights
    1. Obtaining Administrative User Rights carries certain inherent responsibilities that must be understood by the approved employee.  Due diligence must be taken to prevent loss of data, ensure compliance with copyright law, and mitigate potential threat of compromise. Responsibilities include:
      1. Full and sole responsibility for any data stored locally on the computer. Care must be taken against loss of any and all data.
      2. Compliance with copyright and licensing restrictions.
      3. Compliance with federal, state and local laws and regulations.
      4. Ensure that application updates for any employee installed software occurs in a timely fashion.
      5. Remain cognizant of activities that have the potential to infect and compromise the computer.
         
  3. Operational Process
    1. Administrative User Rights are granted in one of two ways depending on need.
      1. Administrative User Rights are needed on an employee’s university assigned computer.
        1. Administrative User Rights will be granted in the form of increased permissions within the PAM tool.
      2. Administrative User Rights are needed to maintain multiple student use computers such as in a lab environment.
        1. APSU IT will create a second domain account (Privileged account) for the requestor. The account will be the requester’s username appended with –sa (ex: SmithJ-sa).
        2. APSU IT will add the Privileged account as an administrator on the requested computer(s) listed on the request.
        3. APSU IT will monitor the user to ensure privileges are not abused. APSU IT will conduct periodic reviews of Privileged accounts and may revoke these rights as described in the “Revocation Process” below.
        4. The Privileged account is not to be used for everyday use. For example, the requestor will not be able to log into the computer with the Privileged account; the account is only to be used when prompted during installs or other tasks requiring admin access. Use of the Privileged account is for specific computer management purposes before reverting back to the requestor’s standard APSU account. 
  4. Revocation Criteria and Process
    1. Any software issues experienced on a computer managed by an APSU employee granted Administrative User Rights on that computer will be assumed to be the result of changes made by the APSU employee. Depending on the severity of any compromise or abuse, accidental or intentional, APSU IT retains the right to remove network connectivity to the compromised computer and/or revoke the employee’s Privileged Account. Abuse, intentional or not, is defined as, but not limited to:
    2. Downloading malicious software
    3. Downloading unlicensed/illegal software
    4. Downloading copyrighted material without permission.
    5. Public exposure of Restricted and/or Private data as defined in the Information Security and Data Classification Policy (draft) policy.
    6. Not adhering to APSU Information Technology policies and procedures.
    7. Administrator User Rights granted to an employee may be revoked at any time by APSU IT if any of the following criteria are met:
      1. A single instance of malware is detected on any computer managed by the employee on more than one occasion.
      2. Multiple instances of malware are detected on any computer managed by the employee on any occasion.
      3. Any noncompliant (illegal, unauthorized, copyrighted) software or files are detected on any computer managed by the employee.
      4. Public exposure of Restricted or Private data is discovered on any computer managed by the employee.
      5. Employment status or position changes for the employee.
      6. Not adhering to APSU Information Technology policies and procedures.
    8. The following steps will be taken for revoking an employee’s Administrator User Rights:
      1. Any created Privileged Account for the employee will be terminated, including any local data on any computer(s) associated with the Privileged Account(s).
      2. Access to the PAM tool will be revoked.
      3. APSU IT will notify the employee, and the employee’s department level officer of the revocation.
      4. The computer(s) associated with the Privileged Account(s) may require remediation, not limited to, re-imaging the computer(s) to the configuration level prior to the employee being granted Administrator User Rights.
    9. Employees whose Administrator User Rights have been revoked, may re-apply for reacquisition of the rights after waiting a minimum of 90 days and after meeting with the Director of Information Technology Security to review operating system procedures and safe computing guidelines. The Director of Information Technology Security will recommend or deny re-application for Administrator User Rights after this review.
       
  5. Annual Review Process
    1. APSU IT will perform an annual reauthorization of Privileged Accounts and those granted increased permissions through the PAM tool.  Each employee granted a Privileged Account or increased permissions through the PAM tool will be requested to provide justification of continued use of the account. The appropriate department level officer must also indicate approval.  

 

6. Document Maintenance

  1. Document Owner – the Director of Information Technology Security is responsible for document content and questions, as well as document revisions.
  2. Document Approver – the Associate Vice President and Chief Information Officer for Information Technology has document approval.
  3. Effective Date – January 1, 2018
  4. Last Reviewed Date – 4/24/2024

 

Print Article

Details

Article ID: 50554
Created
Mon 3/19/18 12:48 PM
Modified
Thu 4/25/24 9:02 AM