Overview

Administrative accounts allow you to install and remove software from a computer, and make changes to the computer's operating system. Each computer must have one or more administrative accounts to perform maintenance and repairs.

A significant number of system compromises are due to poor security practices and actions performed by end users with administrative privileges on their computers. LAITS respects the need for some users to have administrative access on their computers, provided that best practices and campus policies are followed. In order to clearly communicate those expectations, this document provides guidelines and practices for all users with administrative account permissions.

A one-page summary of the requirements for an end user is available.



Policy Requirements

All users with administrative accounts are required to comply with the following policy as directed by the Information Security Office (ISO).

UT-IRUSP Standard 5: Administrative/Special Access Accounts

5.8 When access to a university-owned IT device's administrative account is required by someone other than an IT Support Staff member, the following exception criteria must apply:

5.8.1 Individuals must annually complete the Acceptable Use Acknowledgement form;

5.8.2 Individuals must only use the administrative account for special administrative functions and default to a lower privileged user account for other day-to-day use;

5.8.3 Individuals must review training to inform them how they can limit use of their administrative access and still accomplish their primary day-to-day functions (example: How not to Login as Administrator (and still get your job done));

5.8.4 IT System Custodians are required to periodically review the use of administrative account exceptions.

5.8.4.1 IT System Custodians will remove any administrative accounts that go unused or are no longer required; and

5.8.4.2 IT System Custodians are required to raise inappropriate use to management (e.g., staying logged in with the administrative account longer than needed).



Description

Department Head Approval

Liberal Arts Instructional Technology Services requires the approval of the department head (chair, director, or equivalent position; or their designate) before providing administrative accounts for faculty or staff in their department. This will typically be implemented as a guideline for the department based on the roles of the end users. This approval will be reviewed with the department head whenever there is a change in the person occupying that role.

Name of Administrative Account

Administrative accounts are named in a standard pattern so that they are easy to identify and consistent to support. Administrative accounts for end users shall consist of the EID of the person with the addition of '-admin' in lowercase letters (e.g., lewisjj-admin).

Password Complexity

To ensure the integrity of the administrative account, it must have a strong password that is also familiar and easy for the end user to remember. As the EID password already meets both of those requirements, we strongly recommend that end users use a password composed of their EID password with an additional word or phrase such as a pet's name, a family member's name, or a significant date.

Responsibilities

End users with administrative accounts hold an account that could harm the operability of their computer if used incorrectly or maliciously. To ensure the security and the supportability of the computer, the end user must agree to the following responsibilities.



Implementation

Procedure

End user administrative accounts are created by LAITS desktop support specialists using the following procedure: End User Administrative Account Creation Procedure.

Review and Enforcement

End users with administrative access are reviewed on an annual basis to identify users who are using their administrative account for day-to-day use. Those users will be contacted directly and reminded of the policy requirements. Users who refuse to comply will have their administrative account removed.

Limitations

  • An end user with administrative privileges can circumvent anything else we try to do to manage the computer.
  • IRUSP 5.8.2 requires the periodic review to identify users who use administrative accounts for day-to-day usage, or who have an administrative account but don't use it. Existing tools are limited in their ability to report on these scenarios. Current IT systems management applications can report on whether the user currently logged on to a computer has administrative privileges, but they do not have the ability to provide longitudinal information on the account's usage.
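The annual review described under Review and Enforcement, and the longitudinal-usage gap noted in the Limitations above, can be closed by running the review over exported logon records. The following is an added example, not LAITS's own tooling: it takes constructed session records, selects accounts that follow the '-admin' naming convention, and flags accounts that are unused (5.8.4.1), used on many days in the window (day-to-day use, 5.8.2), or left logged in for long sessions (5.8.4.2). The review window, thresholds and record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (account, logon time, logoff time).
# Only accounts ending in "-admin" (the page's naming convention) are reviewed.
SAMPLE_SESSIONS = [
    ("lewisjj", "2024-03-01 08:00", "2024-03-01 17:00"),        # standard account, ignored
    ("lewisjj-admin", "2024-03-01 09:00", "2024-03-01 09:20"),  # brief elevated task
    ("lewisjj-admin", "2024-03-04 09:00", "2024-03-04 09:15"),
    ("smithab-admin", "2024-03-01 08:00", "2024-03-01 18:00"),  # logged in all day, every day
    ("smithab-admin", "2024-03-02 08:00", "2024-03-02 18:00"),
    ("smithab-admin", "2024-03-03 08:00", "2024-03-03 18:00"),
    ("smithab-admin", "2024-03-04 08:00", "2024-03-04 18:00"),
    ("smithab-admin", "2024-03-05 08:00", "2024-03-05 18:00"),
    ("jonesk-admin", "2023-09-10 10:00", "2023-09-10 10:30"),   # last used months ago
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def review_admin_accounts(sessions, review_end, review_days=30, unused_days=90,
                          max_days_used=5, max_hours=4):
    """Return {account: sorted list of findings} for every '-admin' account.
    Thresholds are assumed values a custodian would tune for the annual review."""
    window_start = review_end - timedelta(days=review_days)
    by_account = defaultdict(list)
    for account, start, end in sessions:
        if account.endswith("-admin"):
            by_account[account].append((parse(start), parse(end)))
    findings = {}
    for account, sess in by_account.items():
        flags = set()
        last_use = max(end for _, end in sess)
        if review_end - last_use > timedelta(days=unused_days):
            flags.add("unused")            # 5.8.4.1: candidate for removal
        in_window = [(s, e) for s, e in sess if s >= window_start]
        days_used = {s.date() for s, _ in in_window}
        if len(days_used) >= max_days_used:
            flags.add("day-to-day")        # 5.8.2: admin account used routinely
        if any(e - s > timedelta(hours=max_hours) for s, e in in_window):
            flags.add("long-session")      # 5.8.4.2: logged in longer than needed
        findings[account] = sorted(flags)
    return findings

def run_sample_review():
    # Review date is constructed to sit just after the sample window.
    return review_admin_accounts(SAMPLE_SESSIONS, parse("2024-03-08 00:00"))

if __name__ == "__main__":
    for account, flags in run_sample_review().items():
        print(account, flags or ["ok"])
```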