Administrator rights means that the day to day user of the computer in question has the ability to install, uninstall, modify, delete, alter or add-to, any file on the entire computer, including system files.
During a recent audit, it was pointed out to the Office of Information Technology that it is considered a best practice by TBR that University computer users should not be administrators on the computer, on their desks. This is due to the fact that many instances of malware or viruses only function on computers where the user has administrator rights. Examples of such are:
Rootkits
Keyloggers
Cryptolockers
Trojan horses
These intrusions not only affect a single computer, but once they enter an APSU computer, they can travel across the University network and affect an entire department, building or the whole campus.
Many of these intrusions only function on computers where the user has admin rights to the computer. When those rights are removed, the risk of virus/malware infection is highly reduced. It has been shown that in networks where the computer users do not have admin rights, the instance of spyware or virus infection has dropped dramatically.
Other Tennessee Board of Regents schools have been issued the same audit finding and have removed administrator rights from their campus computers as well. One TBR school reports they only have six individuals with administrator rights on the entire campus and that university business has not been impacted.
While this is admittedly a huge change in culture for our campus, it is a necessary one. The nature of computer intrusions is changing and in order to protect ourselves and our students, we have to change as well. On normal daily usage, the only things this change would affect would be the legitimate installation of APSU campus approved software, occasionally the installation of printers and some software updates.
To those users whose job duties require them to have administrator privileges, there is a form on the Help Desk and OIT webpages to be filled out, so that user can request a dedicated admin account to be used for those particular job duties.
All other users will have to contact the Technology Help Desk in order to have those functions performed for them.