Administrative accounts allow you to install and remove software from a computer, and make changes to the computer's operating system. Each computer must have one or more administrative accounts to perform maintenance and repairs.
A significant number of system compromises are due to poor security practices and actions performed by end users with administrative privileges on their computers. LAITS respects the need for some users to have administrative access on their computers, provided that best practices and campus policies are followed. In order to clearly communicate those expectations, this document provides guidelines and practices for all users with administrative account permissions.
All users with administrative accounts are required to comply with the following policy as directed by the Information Security Office (ISO).
5.8 When access to a university-owned IT device's administrative account is required by someone other than an IT Support Staff member, the following exception criteria must be met:
5.8.1 Individuals must annually complete the Acceptable Use Acknowledgement form;
5.8.2 Individuals must only use the administrative account for special administrative functions and default to a lower privileged user account for other day-to-day use;
5.8.3 Individuals must complete training on how to limit the use of their administrative access and still accomplish their primary day-to-day functions (example: "How Not to Login as Administrator (and still get your job done)");
5.8.4 IT System Custodians are required to periodically review the use of administrative account exceptions;
5.8.5 IT System Custodians will remove any administrative accounts that go unused or are no longer required; and
5.8.6 IT System Custodians are required to raise inappropriate use to management (e.g., staying logged in with the administrative account longer than needed).
Name of Administrative Account
Administrative accounts are named in a standard pattern to both easily identify administrative accounts and ensure consistency in support. Administrative accounts for end users shall consist of the EID of the person, with the addition of '-admin' in lowercase letters, (e.g., lewisjj-admin).
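A custodian carrying out the periodic review in 5.8.4 through 5.8.6 needs two checks against the local Administrators group: does every member follow the <EID>-admin naming convention above, and has every exception account actually been used recently? The following Python script is an added example, not code from LAITS or the ISO. The account inventory it runs over is constructed; on a real device the member list would come from `Get-LocalGroupMember Administrators` and `Get-LocalUser` (Windows) or `dscl . -read /Groups/admin GroupMembership` and `last` (macOS). The EID character set and length (2 to 8 lowercase letters or digits), the IT Support account name `laits-admin`, and the 90-day inactivity window are all assumptions, since the policy does not state them.

```python
import re
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Naming convention from the policy above: the person's EID followed by "-admin",
# all lowercase (e.g. lewisjj-admin). The EID character set and length used here
# (2-8 lowercase letters or digits) are an assumption; adjust to the campus EID rules.
ADMIN_NAME_RE = re.compile(r"^(?P<eid>[a-z0-9]{2,8})-admin$")

# IT Support's own administrative account(s), which end users must not delete and
# which this audit leaves alone. The name is a placeholder assumption.
IT_SUPPORT_ADMINS = frozenset({"laits-admin"})

# Days of inactivity after which an exception account counts as "unused".
# The policy does not set a number; 90 is an assumed review window.
UNUSED_AFTER_DAYS = 90


def check_admin_name(name: str) -> Optional[str]:
    """Return the EID if `name` follows the <eid>-admin convention, else None."""
    m = ADMIN_NAME_RE.match(name)
    return m.group("eid") if m else None


def audit_admin_accounts(
    members: Iterable[Tuple[str, Optional[date]]],
    today: date,
    unused_after_days: int = UNUSED_AFTER_DAYS,
    it_support_admins: frozenset = IT_SUPPORT_ADMINS,
) -> List[Tuple[str, str]]:
    """Apply the review rules to the local Administrators group membership.

    `members` is a list of (account name, last logon date or None if never used).
    Returns (account, reason) pairs for every account the custodian should act on:
      - accounts whose name does not follow <eid>-admin (e.g. a user's day-to-day
        account added to the admin group, contrary to the "lower privileged user
        account for day-to-day use" rule);
      - exception accounts that were never used or not used within the window.
    """
    findings: List[Tuple[str, str]] = []
    for name, last_logon in members:
        if name in it_support_admins:
            continue  # IT Support's own account is out of scope for removal
        if check_admin_name(name) is None:
            findings.append((name, "non-standard admin account name; expected <eid>-admin"))
            continue
        if last_logon is None:
            findings.append((name, "administrative account never used; remove"))
        else:
            idle = (today - last_logon).days
            if idle > unused_after_days:
                findings.append((name, f"administrative account unused for {idle} days; remove"))
    return findings


# Constructed sample inventory (not real accounts): the shape of what a custodian
# gets back from Get-LocalGroupMember / Get-LocalUser on Windows or dscl / last on macOS.
SAMPLE_TODAY = date(2024, 6, 3)
SAMPLE_MEMBERS = [
    ("laits-admin", date(2024, 6, 2)),     # IT Support account: skipped
    ("lewisjj-admin", date(2024, 5, 20)),  # compliant exception account, recently used
    ("lewisjj", date(2024, 6, 1)),         # day-to-day account granted admin: flagged
    ("smithab-admin", date(2023, 12, 1)),  # exception account idle for 185 days: flagged
    ("jonesrk-admin", None),               # exception account never logged in: flagged
]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed inventory."""
    return audit_admin_accounts(SAMPLE_MEMBERS, SAMPLE_TODAY)


if __name__ == "__main__":
    for account, reason in audit_sample():
        print(f"{account}: {reason}")
```

The name check is deliberately case-sensitive, since the convention requires lowercase; a member such as `LewisJJ-Admin` is reported as non-standard rather than silently accepted. A day-to-day EID account that appears in the group at all is the most important finding, because it means the user is not defaulting to a lower-privileged account as 5.8.2 requires.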
To ensure the integrity of the administrative account, it must have a strong password that the end user can nevertheless remember. The administrative account password must not be the EID password and must not be derived from it (for example, the EID password with a word appended): if the two credentials share a secret, an attacker who obtains one has effectively obtained the other, and a leaked administrative password also exposes the EID. It must also not be built from guessable personal details such as a pet's name, a family member's name, or a significant date. We strongly recommend a separate passphrase that meets the campus password standard, or a password generated and stored by a password manager.
An administrative account can damage the computer's operability if it is used incorrectly or maliciously. To ensure the security and the supportability of the computer, the end user must agree to the following responsibilities.
- Do not rename the computer
- Do not delete or modify the IT Support administrative account(s)
- Do not modify firewall settings
- Do not activate file sharing
- Do not activate remote access
- Do not uninstall systems management software
- Do not remove or disable antivirus
- Do not wipe or re-install the operating system