To improve the security of our IT systems and services and ensure compliance with all aspects of the university’s Minimum Security Standard Virginia Tech has developed a new standard called the University Computer Administrator Access Standard. This new standard, developed by the Division of IT in collaboration with the IT Council, will facilitate tracking requests and approvals of administrative access rights, and creates a new process for requesting these rights.
The new standard applies to all university-owned computers or servers, as well as any system that is being used to handle high- or moderate-risk university data. The need for better control of these access rights has recently come up at Board of Visitors meetings after having been identified as a key security issue by the Office of Audit, Risk, and Compliance (OARC). The results of this change will be included in the FY22 Audit Plan for Virginia Tech.
Implementing this new standard and process will give Virginia Tech visibility into who is able to modify their computers at a higher level than a standard user, capture the reasons the access is needed, and verify that the responsibilities that adhere to these privileges are understood. It will also help the university respond more nimbly in the event of cyberattacks, theft, or other compromise to these computers. These are risks that can have severe implications for Virginia Tech, and we are committed to addressing them in a conscientious manner. Over the past few months, this new standard was piloted within the Division of IT and the College of Liberal Arts and Human Sciences, and will now begin wider implementation across the university.
Elevated or administrator rights give users the ability to make fundamental changes on a computer or server, including for example: adding or removing software, connecting to a printer or other external device, or making changes to firewall settings. Because of the risks inherent in making these changes, it’s important for those with elevated access to justify their need for it, as well as to complete training and receive approval for continued elevated access from their department head. Those who do not wish to complete these steps to retain their access rights will need to relinquish their elevated privileges, and rely on desktop support personnel to assist them when changes are needed.
The University Computer Administrator Access Standard will officially go into effect on January 1, 2022. All university employees with elevated access permissions need to request a continuation of their administrative access privileges.
The Administrative Access for Endpoints and Servers service catalog item
As you go through this process, if you are unsure of who should be reviewing your request for approval, please partner with your local IT Leadership prior to submitting the form.
Admin rights provide access to computers and accounts above those of a user. Admins have extra responsibilities and require specific security training since they can modify system files and view files and directories on a computer that are normally hidden from or unmodifiable by a standard user. Admins must act with confidentiality, as they can change the access permissions of any files on the computers they manage and can readily view the data of other users, even those stored in private “home” directories. This elevated access also allows an admin to make critical changes to the system’s configuration that, if done incorrectly, can leave the computer vulnerable to tampering or compromise by attackers.
On a Windows system, Local Administrators and Domain Administrators are typical administrative accounts. In the Linux operating system, the root user and any user with the ability to “sudo” (super user do) is considered an administrator. On a Mac, users configured with the “Allow user to administer this computer” option, members of the admin Group or any standard user with the ability to use the sudo command has administrative access.
Local accounts with administrator privileges have permissions frequently necessary to run system updates, software upgrades, and hardware usage. They can also be helpful to gain local access to machines if network services are unavailable or your organization faces some technical glitches. While this level of permission can prove to be very convenient, it requires careful planning, management, and maintenance to mitigate the risks.
People requesting admin rights should be able to demonstrate that their job duties require them to have elevated access. If this is not formally detailed in one’s job description, the need can be determined and approved by the requestor’s department head or supervisor. All requests require the consultation and approval of the department’s IT staff (if applicable) and the department head.
Admin rights should not be requested for reasons of convenience.
Administrative accounts should never be used as one’s primary account. A standard user account should be used for day-to-day business needs, and elevation to administrative access should occur only when needed.
Admins should consult with their IT staff (if applicable) to ensure any actions they take as administrators do not conflict with the access rights or configuration of the system(s) they manage or compromise the security or confidentiality of the data on the machine(s).
Any changes or actions that fall outside the scope as determined by management and the department’s IT staff should be discussed, documented, and approved.
Admins should understand and exercise the Principle of Least Privilege to ensure that only users who require access to the system and its files have it, and that their access remains the bare minimum needed.
Administrative activities and access should only be used for official university business.
Having administrative rights, as determined by the IT staff and management, may require the admin to perform various security-related duties, like patching the operating system, its software, or monitoring the system for unexpected behavior.
Yes. Administrative access can be revoked at any time as deemed necessary by the IT staff and department head.
No (with the exception of sys admins).
Revaluation is done annually (can be performed either on a rolling calendar or on a set date each year. This is determined by the approver).
The approver does this (could be on a set date or rolling calendar – their choice).
No. Currently the access does not auto expire, however approvers are responsible for managing and documenting renewal on an annual basis.