End-user Workstation Administrative Privileges Standard

End-user Workstation Administrative Privileges

Scope

This standard applies to all university-owned workstations running a Windows, Macintosh, or Linux desktop operating system.

Reason for Standard

This standard exists to support the University’s IT strategy to deliver efficient, secure, and cost-effective IT solutions while supporting University colleagues in a variety of approaches to teaching, learning, research and enterprise. Some more specific reasons for supporting this standard are:

  • To follow recommended security practices from leading cyber security advisors.
  • To reduce software/freeware downloads infected with malware/spyware and protect university data.
  • To reduce the risk of widespread computer infection and ransomware attacks.
  • To reduce the risk of compromised data, which, if breached, has the potential to have serious negative implications for the institution.
  • To increase technical staff productivity by staying in a proactive mode of operation rather than reactive.
  • To limit the software installation on university-owned machines to appropriately reviewed and licensed software.

Standard

By default, all members of the university community using campus-owned workstations are granted the “Standard User” access level on their individual workstations. University-owned workstations are configured as part of a centrally managed service to automatically receive software, secure configurations, updates and security patches, so administrative privileges are not necessary in most cases.

The Principle of Least Privilege. All University employees should use the minimum set of privileges necessary to operate their computers. By adhering to this principle, we limit the damage that can result from a poorly written application, viruses, malware, ransomware, an accident, or an error.

The Division of Information Technology will provide local computer “Administrator” privileges when it has been determined that there is a valid business case for needing them. All requests will be reviewed on a case-by-case basis, and if approved, workstation admin rights will be granted. The usage and necessity of all end-users with workstation admin access shall be audited every six months. To continue possessing an account, a valid business purpose must still exist.

Administrative Privilege Acceptable Use

Users who are issued administrative privileges agree to adhere to the following University IT policies:

  1. Acceptable Use Policy (AUP): https://www.umsystem.edu/ums/rules/collected_rules/facilities/ch110/110.005_acceptable_use_policy/
  2. Security requirements for the UM Data Classification System: https://www.umsystem.edu/ums/is/infosec/sections-workstation
  3. Management, Access, and Use of IT Resources Policy: https://www.umsystem.edu/ums/policies/general_administration/it_resources

You are only permitted to use your administrator access to install or run software that:

  1. cannot be run without administrative rights.
  2. is specifically for university business.
  3. is in full compliance with all University regulations.
  4. has been appropriately licensed.
  5. is not considered insecure.

The user acknowledges that Division of IT staff may inspect their workstation at any time, including execution of software compliance reports and software inventory reports on a periodic basis via manual or automated processes. The user further agrees to provide licenses or purchase documentation for all software discovered during a software compliance review.

Do not use your administrator access:

  1. to add, remove or modify any other administrator accounts.
  2. to update or modify automatically installed software or software that came with the standard configuration, including the Operating System (OS).
  3. to disable or remove anti-virus software.

If administrative privileges are abused, the Division of IT will revoke this access immediately. In addition, the user understands that any modifications made to the workstation that disrupt the usability of the system or software will not be the responsibility of the Division of IT to troubleshoot or repair, and in the event of system instability or unusability, the Division of IT will return the computer to a fresh image state. The user will be responsible for restoring data that was stored locally on the workstation, as well as any additional software that the user installed.

Abuse includes, but is not limited to:

  • using software that is malicious to the University’s network or users.
  • installing unlicensed/illegal software.
  • downloading copyrighted material without permission.
  • installing malware.
  • public exposure of sensitive data.
  • not adhering to University IT policies and procedures.

Requesting an administrative account

If you need administrative privileges to do your job, please contact your IT Professional or Help Desk to start the approval process.

Frequently Asked Questions