The Local Administrative Privileges Policy has been established to define the criteria for which Local Administrative Privileges for College of Architecture and Urban Studies (CAUS) computer systems may be granted and the terms and conditions upon which rights will be granted. The granting of Local Administrative Privileges to an employee for a desktop, laptop, or other end-user device managed by CAUS IT is a privilege only provided to individuals who require this level of access and control to do their jobs effectively. The goal of this policy is to describe the circumstances under which Local Administrative Privileges may be granted since these rights allow users the ability to change standard desktop configuration settings, install unlicensed software and disable other security solutions, potentially creating security weaknesses in the IT environment.
This policy applies to all employees of CAUS, contractors, consultants, temporary employees and other third parties that have access to CAUS data, network, information systems and all other IT resources.
As a general principle, users are granted the least number of privileges, or limited access to the computing equipment assigned to them, sufficient to perform their job duties. System administration, installation and removal of software (including plug-ins and system patches), and repair of CAUS systems are the principal responsibility of authorized CAUS support personnel. In some circumstances, including physical distance of the system from CAUS and special technical needs, it may become necessary for the user of a CAUS computer to perform some of these tasks. This may include, but is not limited to, updating patches, installation and removal of software, and other related tasks. In these cases, the CAUS employee will be granted Local Administrative Privileges for the specific computing system assigned. This means they will be given full rights and control to read, write and modify any files only on the specific computer for which rights have been granted. The employee will also be able to execute all program files and may be able to list all folder contents. If granted, Local Administrative Privileges will be supplied using a separate, unique user ID that the user will use to perform the above-mentioned administrative tasks on their CAUS computer.
Any CAUS employee needing Local Administrative Privileges will request them in writing using the Local Administrative Privileges Agreement (LAPA) form. Authorized users granted Local Administrative Privileges on a CAUS-owned computer will always follow the guidelines explained in this policy. The LAPA form must be signed by the individual, the immediate supervisor, and the Director of CAUS IT before such privileged access is granted. If approved, the original LAPA form must be kept on file by CAUS IT until such time as the Local Administrative Privileges account no longer resides on a CAUS computer system.
Requests for Local Administrative Privileges on computer systems processing cardholder data will not be authorized.
Due to the ever-changing nature of technology and the changing roles of users in CAUS, all requests for Local Administrative Privileges will be reviewed on an annual basis by the Director of CAUS IT. The Director will review and verify that the need stated in the request is still valid and/or that the employee still requires the approved access. Unless the review finds that the user no longer requires Local Administrative Privileges, the user’s Local Administrative Privileges will be renewed for an additional year.
As per standard procedure, CAUS IT issues user IDs that match a user’s PID, and these are issued per the guidelines specified in University Policy 7040: Personal Credentials for Enterprise Electronic Services. However, in the case of Local Administrative Privileges accounts, a separate naming convention must be used so that standard user accounts can be distinguished from user accounts that have Local Administrative Privileges. Therefore, all user accounts with Local Administrative Privileges shall be in the following format:
In situations where an account already exists using the above format, a number starting at 1 and incremented as needed shall be added after the user’s last name prior to the .la. Example: jdoe1.la. This account will exist in the Active Directory and not local-only.
Any Local Administrative Privileges authorized to the individual user will only be local in nature. A local account is an account that is only issued on a specific computer and will not be supported by CAUS’s Microsoft Active Directory implementation. Administrative privileges to any CAUS network resource will be restricted to authorized CAUS technical support personnel only.
Compliance with CAUS IT Security Policies will help to assure the integrity, security, and reliability of the CAUS internal networks. It is further extended to computers not directly attached to the CAUS network, but which are owned by CAUS, to protect these valuable resources from misuse and/or accidental damage.
Users with Local Administrative Privileges share the following responsibilities, and must be able to certify to CAUS technical support staff, at any time, that they comply with the following:
- The user exercises due care and caution to ensure the integrity of the system.
- The user has reviewed and abides by all applicable copyright and licensing policies. These include, but are not limited to, CAUS IT Security Policies, any VT software copyright policy, and state and/or federal laws including but not limited to the Digital Millennium Copyright Act (DMCA).
- The user has reviewed and abides by all applicable VT acceptable use policies including, but not limited to VT Policy 7000: Acceptable Use and Administration of Computer and Communication Systems.
- The user may not install software without following the expectations of the Virginia Tech Software Procurement policy. This includes providing appropriate software copies and licensing information to CAUS IT.
- Under no conditions may anyone granted administrative privileges under this agreement remove, alter, or reconfigure any software that CAUS IT support personnel have installed to assist in monitoring and/or supporting any CAUS-owned computer.
- If the circumstances for which the user requires administrative privileges change, the user will notify CAUS IT via the help desk by sending an e-mail to email@example.com that the administrative privileges are no longer required.
- The user agrees to use the Local Administrative Privileges user ID exclusively for those tasks that require administrative privileges and at no time will the user log on to the computer using the Local Administrative Privileges user ID to perform tasks that could be completed using their standard user ID/account.
- The user agrees not to share the administrative account password with other users of the machine, including colleagues and student workers. Doing so could result in revocation of the administrative rights. Any other users of the machine who also need administrative rights should use the same process.
Local Administrative Privileges may be revoked for the following reasons:
- User no longer serves in a role that requires them,
- User no longer utilizes software that requires administrative privileges,
- User is involved in a data breach that is related directly to their having administrative privileges,
- User demonstrates unsafe practices while using administrative privileges,
- The unit determines that the user no longer needs administrative privileges to perform job tasks,
- User requires excessive support from unit IT staff because of having administrative privileges,
- User fails to address issues identified by CAUS technical support personnel in the requested manner,
- User is found to have shared the administrative password with another user or student.
If a workstation for which Local Administrative Privileges have been granted under this policy is determined to be compromised in any way or determined to be the cause of problems on any CAUS network, CAUS technical support staff will take appropriate corrective steps.
- This will include disconnection of the workstation from all CAUS resources immediately and without warning. Every attempt will be made to notify the workstation owner and the immediate supervisor in advance of this action.
- This will include a request for a specific cleanup procedure, up to and including a request to allow technical support staff to reinstall the OS.
- If necessary, designated CAUS IT technical support staff will set the hard drive image back to default and reassign rights to the CAUS standard.
- The owner’s account(s) will be disabled, and network connectivity will be discontinued until the workstation is reconfigured as necessary or removed from the network.
Furthermore, Local Administrative Privileges will be revoked, without warning, if it appears there has been a deliberate attempt by the user to elevate privileges or to utilize their privileges to gain access to CAUS networks or systems to which access has not been authorized. The suspected breach of security will immediately be reported to the Dean of CAUS, to the CAUS IT Director and to an appropriate administrator representing the user’s unit.
- If necessary, an Incident Response Team may need to be assembled.
- The breach will be investigated in accordance with the procedures identified in the Acceptable Use of the CAUS Network and Data Management Systems, and the CAUS IT Security Standard on Intrusion Detection and Incident Response.
- If the suspected breach of security is determined to be unfounded, the user’s administrative privileges will be restored as soon as possible.
- Validated deliberate breaches of security will be reported, for appropriate action, to the Dean of CAUS and to the Administrator to whom the individual reports.
Decisions to revoke user administrative privileges will be made collaboratively by the Director of CAUS IT and the department head of the employee to whom Local Administrative Privileges were granted. Any decision will be based on documentation of any of the above conditions. Revocation of privileges by CAUS IT will be communicated in writing to the user upon execution.
Users may appeal a revocation decision or may request reinstatement of their previously granted Local Administrative Privileges by contacting the Director of CAUS IT in writing. The user must state the reason for the request and provide any additional information as to why the user feels that the Local Administrative Privileges should be restored. The decision process will consider the documentation and decision that led to the revocation as well as the user-supplied information.
Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.
Cardholder Data: At a minimum, cardholder data consists of the full PAN (card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
Other Virginia Tech Resources
- VT Policy 7000: Acceptable Use and Administration of Computer and Communication Systems
- VT Policy 7010: Policy for Securing Technology Resources and Services
- VT Policy 7025: Safeguarding Nonpublic Customer Information
- VT Policy 7040: Personal Credentials for Enterprise Electronic Services
- VT Policy 7100: Administrative Data Management and Access Policy