Granting and Restricting Elevated Workstation Privileges

Superseded by Administrative Privileges on University Endpoints Procedure



Table of Contents

1.  Purpose and Background
2.  Standards
     a) Granting of Workstation Privileges
     b) User Privileges
     c) Temporary Elevated Privileges
     d) Elevated Privileges
     e) Related Information
3.  Definitions
4.  Related Links
5.  Exceptions


1. Purpose and Background

The purpose of this standard is to provide guidance for workstation owners and overseers responsible for establishing user privileges on University of Virginia-owned computers. This standard outlines operational best practices and standardized approaches to help ensure that users of University-owned workstations accessing University data are assigned the minimum level of workstation privileges necessary for successful performance of job duties. This standard also highlights measures that must be taken with increasing privileges and data sensitivity levels in order to ensure the protection of University data and the security of the University network and other resources. Users are also responsible for ensuring they protect University data in accordance with current University Data Protection Standards. This standard applies to all University-owned workstations, with compliance required by March 1st, 2018.


2. Standards

Granting of Workstation Privileges

In general, Workstation Managers will set privileges on a workstation for a specific user based on the highest level of sensitivity of the data that user will need to access from that workstation to perform their duties.

If a workstation will be used to access highly sensitive data, that workstation must have a full malware scan before being configured to allow access to that data.

Before granting users access to highly sensitive data, the user’s supervisor or manager must ensure the user has completed required security awareness training in accordance with University Information Security (InfoSec) guidance.

Users are responsible for ensuring they protect University data in accordance with current University Data Protection Standards.

In general, any increased risk assumed by granting increased privileges must be offset by adding compensating controls or holding users to a higher level of accountability for their actions.  The level of compensating controls must be based on the sensitivity of the data that will be accessed from a particular workstation:

- For data that is “not sensitive,” additional compensating controls beyond baseline security measures could be minimal or non-existent.

- For data that is “sensitive,” compensating controls must be practical and balanced between ease of use and protection of the information.

- For data that is “highly sensitive,” compensating controls must provide the highest possible level of protection for the information that will still allow users to accomplish their required duties.

Below are procedures Workstation Managers must follow when determining the appropriate level of access to provide a given user on a given workstation.  Note that these procedures are not a replacement for sound judgment.

See Table 1 below for a quick overview of workstation privileges.  Details are contained in the text following the table.

Minimum-Security Workstation. Must only access data that is not sensitive.

| Workstation Privileges | Approval Level | Endpoint Security Software |
|---|---|---|
| User Privileges | Not Applicable | None required in addition to baseline |
| Temporary Elevated Privileges (Default) | None required | None required in addition to baseline |
| Elevated Privileges | Workstation Manager | Consider (None required) |

Medium-Security Workstation. Must only access data that is sensitive or not sensitive (not highly sensitive).

| Workstation Privileges | Approval Level | Endpoint Security Software |
|---|---|---|
| User Privileges | Not Applicable | None required in addition to baseline |
| Temporary Elevated Privileges (Default) | None required | None required in addition to baseline |
| Elevated Privileges | Supervisor & Data Security Lead | Consider (None required) |

High-Security Workstation. May access data that is highly sensitive.

| Workstation Privileges | Approval Level | Endpoint Security Software |
|---|---|---|
| User Privileges (Default) | Not Applicable | In monitoring mode (logging) |
| Temporary Elevated Privileges | Supervisor and Data Security Lead | With Practical Security Settings (click through) |
| Elevated Privileges | Data Security Lead and VP/Dean or their Designee | With Highest Practical Security Settings (whitelisting) |

Table 1:

User Privileges

If users are working with highly sensitive data, Workstation Managers must assign User Privileges as the default level of privilege and install endpoint security software in monitoring mode (as a minimum).  Only those user privileges strictly necessary for users to perform their intended duties must be assigned.

User privileges must also be considered in cases where users are able to perform their assigned duties without the need for higher privileges or for workstations that are available for general use (such as those in classrooms or common areas).

Temporary Elevated Privileges

Temporary Elevated Privileges include:

- Providing users with two accounts, one with user privileges for day-to-day use, and one with elevated privileges for infrequent use when required. Workstation Managers must consider blocking direct access to the account with elevated privileges if doing so will allow users to perform their required duties; this will require the user to use some form of user access control from within the account with user privileges.

- Providing users with a one-time password that allows them temporary elevated privileges.

- Installing a tool on the workstation that provides the user with elevated privileges for specific applications.

Workstation Managers must assign Temporary Elevated Privileges as the default level of privilege for University workstations unless that workstation will be used to access highly sensitive data. Workstation Managers must consider assigning user privileges in cases where users are able to perform their assigned duties without the need for higher privileges or for workstations that are available for general use (such as those in classrooms or common areas).

If users require temporary elevated privileges on workstations that will access highly sensitive data, the user must obtain written permission from their supervisor and data security lead prior to being granted the access.  This written permission must be reviewed and validated annually. Before granting the privileges, Workstation Managers must install endpoint security software on the workstation with practical security settings (as a minimum).

If a user has two accounts (one with user privileges and one with elevated privileges), the user should normally access highly sensitive data only when logged in to the account with user privileges, and should log in to the account with elevated privileges only when absolutely required.

Elevated Privileges

Whenever elevated privileges are assigned, Workstation Managers must consider whether additional protective measures should be taken such as installing endpoint security software with appropriate security settings.

Workstation Managers may provide elevated privileges upon request for workstations that will access only data that is not sensitive.

If a user requires elevated privileges on a workstation they will be using to access sensitive data, the Workstation Manager may grant them privileges as long as the user has obtained written permission from their supervisor and data security lead.  This written permission must be reviewed and validated annually.

If a user requires elevated privileges but will need to access highly sensitive data on the workstation, they must first get written permission from their data security lead as well as their dean or assistant vice president equivalent or their designee.  This permission may be granted on an individual basis or on a departmental basis by job title or description of duties.  Written permission must be reviewed and validated annually. If elevated privileges are granted on a workstation that will access highly sensitive data, the Workstation Manager must ensure that strong compensating controls are put in place, such as installing endpoint security software on the workstation with the highest practical security settings.

Related Information

Exceptions to these standard operating procedures must be approved at the approval level documented in Table 1.


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


4. Related Links


5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


APPROVER: Chief Information Officer