Elevated User Rights

Last Revised: January 10, 2019

Refer Questions to: Executive Director, Gallaudet Technology Services

Purpose

This document provides a framework for the management of Elevated User Rights (EUR) requests, also commonly known as ‘admin rights’ on desktop systems.

This policy incorporates feedback from Client Support Services and is approved by the Information Security Officer and Chief Information Officer.

Scope

The policy covers machines, commonly described as desktop systems running Windows, Linux or Mac:

• Workstations
• Laptops

These machines are University owned and connected to any of the University’s networks: wired, wireless, or virtual private network (VPN) from remote sites.

Systems run as ‘Servers’ by Data Center Operations team are not covered under this policy as usage is more restricted and controlled.

Systems such as embedded experimental, monitoring, control systems, or medical equipment are unlikely to be covered under this policy, unless it’s a dual purpose PC also used as a desktop system.

Policy

Raison d’etre

This policy exists to support the University’s IT strategy to deliver efficient, secure, and cost-effective IT solutions while supporting University colleagues in variety of approaches to teaching, research, and enterprise.

If you have a University issued computer, you will not usually have administrator level access on your machine. This is because the computer has been configured as part of central managed service to automatically receive updates and security patches.

This allows us to reduce the total cost of ownership of computers by having standard, easily supported configurations and ensures that University network and users are not put at risk by computers having incorrectly configured or malicious software accidentally installed on them.

The controlled management of EUR is vital to the business of University to ensure:

• Users have a secure and reliable desktop experience.
• The potential for security risks is minimized.
• Data is protected from corruption, misuse, or breach of law.
• Better support response time for systems with known configurations.
• Software is properly licensed.
• Global updates can be deployed and applied quickly.

Systems with EUR are kept to a minimum because there is always an increased risk from malicious software, cyber attacks, or corruption. Vital data can be lost and time lost from restoring the system.

General Principles for granting EUR

GTS recognizes that some staff need to have EUR in order to do their University work. All requests will be reviewed on a case-by-case basis and if approved, the implementation of EUR will also vary based on the need or the device being used. Such systems are kept to a minimum, so not all requests will be necessarily approved or may be approved on a temporary basis.

Users who submit the EUR request have demonstrated the ability to configure and manage their workstations and who possess an understanding of the responsibility of maintaining appropriate security measures. They are able to maintain the integrity of their desktop system and routinely check for and eliminate malware.

Your supervisor or head of department will be consulted with and has agreed with your need for EUR. Justified requests will be reviewed by Information Security Officer and Chief Information Officer.

Key things to know

The following GTS policies need to be read, understood, and acknowledged before EUR can be granted.

The user agrees to adhere to the these GTS Policies:

• Technology Acceptable Use Policy
• E-mail Policy
• Wireless and Network Security Policy
• Data and Information Policy

Once EUR is assigned, your machine will be considered non-standard.

Keep a backup of your data in central file store or cloud file store.

If there is a machine malfunction, GTS staff will do their best to restore service as quickly as possible. However, if the machine has been assigned EUR, there may be some changes that GTS staff know nothing about. We can only offer a guarantee of restoring the latest version of standard PC deployment. We encourage data to be backed up on central file stores or cloud file stores.

If your PC breaks and the only way to fix it is to wipe it and return it to a standard configuration, you will be responsible for re-installing additional software that you have previously installed.

EUR will be withdrawn if a machine is repeatedly corrupted or compromised. The original base image will be restored on the desktop system.

You are only permitted to elevate to install or run software that:

1. cannot be run without administrative rights.
2. is specifically for University business.
3. is in full compliance with all University regulations.
4. has been appropriately licensed.
5. is not considered insecure.

Do not use EUR to:

• remove or modify GTS administrator account
• update or modify automatically installed software or software that came with the standard configuration, including the Operating System (OS). The additional software you installed separately can be updated using EUR.
• disable or remove anti-virus software.
• access other people’s data.
• remove your computer from the Gallaudet Domain.
• modify the network settings.
• login the system with the administrative account.
• block or disable GTS from deploying system patches, application software patches, anti-virus updates.

If a user abuses his/her administrative access, GTS will revoke this access immediately and will restore the original base image on the computer. Abuse is defined as, but not limited to:

• using software that is malicious to the Gallaudet network or users.
• downloading unlicensed/illegal software.
• downloading copyrighted material without permission.
• downloading malware.
• public exposure to sensitive data.
• not adhering to GTS policies and procedures as outlined in the aforementioned policies.

Violation of this policy or repeated support problems will result in revocation of the EUR and/or other sanctions.

Disclaimer for users assigned with EUR

The user is informed of the potential risks running a system with EUR. These risks may result in damage to the Operating System and software applications and there may be loss of data. The user is personally responsible for the protection and backup of data.

If any major issues occur as a malware outbreak, corruption, configuration breakage, or disruption to the University’s IT infrastructure or network, the issue must be reported right away to GTS so that we can aid in the prevention of further disruptions and recovery of the original PC functionality.

GTS cannot be held responsible or made liable for any loss of data and/or damages caused thereafter.

Procedures

Applying for Elevated User Rights

For audit purposes, Gallaudet must have on file documentation showing that Elevated User Rights have been formally requested and approved. If a Gallaudet employee, would like to apply for EUR, they must follow these steps:

1. Send a ticket to Help Desk, asking for Elevated User Rights. In the ticket, list who your unit head and dean/executive director are.
2. Wait for the link to EUR request form to arrive in your inbox.
3. Fill out the EUR request form via Adobe Sign.
4. Once all parties sign off on the request and the request is approved, EUR will be granted.

Last Reviewed: 11/04/2019