This document describes the guidelines that University Computing Support Services ("UCSS") has developed to ensure secure use of administrator or privileged access rights on University of Louisiana Lafayette ("University") computing systems.
This Guideline applies to all University system and application administrators and any other personnel who are provided with Administrator Access to University computing and information resources.
Purpose of the Guideline
The University Policy Governing the Granting of Administrative Rights establishes a general practice for the use of such accounts for work-related computing. The purpose of this Guideline is to instruct users on the appropriate use of Administrator Access on University computing and information resources.
Furthermore, this Guideline introduces effective practices, such as the Principle of Least Privilege, aimed at reducing the opportunity for intruders to gain access to privileged accounts, decreasing the occurrence of stealth installations of malicious software, and eliminating the installation of unlicensed software.
Administrator Access – A level of access above that of a normal WIN domain user.
This definition is ambiguous to allow accommodation of varying systems and authentication mechanisms.
For most purposes (e.g., day-to-day user activity), administrator access is not required to perform the task at hand.
Principle of Least Privilege – All users should log on with a user account that has the absolute minimum permissions necessary to complete the job functions.
University Requirements for Provisioning Administrator Access/Accounts
- There should not exist more than three (3) Administrator Accounts for a Department.
- A Department is defined by a Director, Department Head, or Dean.
- The Directors, Department Heads, and Deans are responsible for the integrity of the computing systems in their departments; therefore, their approval is required to grant Administrator Access. As the approver of this access, they are responsible for the appropriate use of the Administrator Account.
- Administrator Access will not be provisioned locally. This access is created via Active Directory.
Functions of Administrative Account Holders
Windows or OS X Operating System accounts are to be used for the following:
- Install, Upgrade or Remove software that directly pertains to your department.
- Collaborate with Central IT to maintain computer systems in your department.
- Subscribe to the IT Manager’s List to stay informed about the ongoing activities of Central IT.
- Work with UCSS and STEP to maintain proper licensing of software.
- Assist other employees in your department with technical issues.
- Administrative Account holders are considered technical contacts for their department and will be called upon for assistance from Central IT to service their department.
- Administrative Account holders will be added to the Sophos Anti-Virus email list and are expected to read and maintain those virus alerts for their area.
Administrator Access/Accounts are NOT to be used for the following:
- Installing personal software on any University computing system.
- Installing unlicensed software on any University computing system.
- Wiping, removing, changing or disabling any accounts configured on University computing systems that UCSS has added.
- Wiping and Reinstalling Operating Systems on University computing systems unless otherwise instructed by Central IT.
- Creating local administrator accounts on University computing systems.
If you are using Administrator Access to create local accounts for others to install software, you are not performing your duty as a Departmental Administrator and your account will be disabled immediately.
Administrator Access/Accounts may NOT be issued because:
- Central IT is able to meet the general IT needs of your department.
- Your department has a paid IT Manager that can facilitate all administrator duties.
- Your department is using its 3 designated administrative accounts.
Administrator Access/Accounts are regularly audited for compliance. UCSS in conjunction with the IT Security Office reserves the right to disable Administrator Access/Accounts at any time for non-compliance. The IT Security Policies can be found here.
Guideline Established/Posted: 2/2/2015