Administrative Privileges on University Endpoints Procedure

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) Endpoint Managers
     b) Granting Administrative Privileges
     c) Temporary Administrative Privileges
     d) Persistent Administrative Privileges
     e) Inventory of Accounts with Administrative Privileges
     f) Required Security Incident Reporting
3.  Definitions
4.  Related Links
5.  Exceptions

REVISION HISTORY:  New - December 20, 2022


1. Purpose and Background

This procedure sets out the processes and documentation that endpoint owners and endpoint managers must follow when establishing user privileges on University of Virginia-owned devices. The Information Security of University Technology Resources policy (IRM-004) states that effective security practices are necessary to protect the University's computing infrastructure.

Administrative privileges grant users complete control over most functions and features of the operating system and applications and should only be granted where there is a legitimate business need. A user operating an endpoint with administrative privileges may unintentionally modify system files, change configurations, or install unauthorized and/or malicious software.  These changes could lead to a breach of the endpoint and/or loss or unauthorized access to University data. To better secure IT resources, the University must limit a user's privileges to the minimum level necessary to perform their assigned job duties.  


2. Procedures 

Endpoint Managers

Endpoint managers are responsible for endpoint maintenance, which includes provisioning administrative privileges and coordinating operational activities for their assigned endpoints.  Endpoint managers must: 

  • maintain an asset inventory of all endpoints on which an assigned user has elevated administrative privileges,
  • include the endpoint manager's own assets in this asset inventory,
  • maintain this inventory as described in the Inventory of Accounts with Administrative Privileges section below, and
  • only provision administrative privileges on an endpoint if it meets the requirements of this standard.

Endpoint managers must only grant a user elevated privileges on an endpoint when all of the following conditions are true:

Additional restrictions apply to all devices, whether personally- or University-owned, that access, collect, display, generate, process, store, or transmit Highly Sensitive Data (HSD). Such endpoints or devices must not be configured for persistent elevated administrative privileges unless the endpoint or device complies with the Protection of Highly Sensitive Data Standard and Procedure as well as all other University IT policies.

Granting Administrative Privileges

The table below outlines the controls required for an endpoint operated by a user with persistent administrative privileges on the endpoint relative to the classification of the data or server type accessed by the endpoint.

Required Controls for Endpoints by Data Classification
(for a user with persistent elevated administrative privileges on an endpoint that accesses servers holding the listed data)

Highly Sensitive Data or mission critical:
  • Application control software must be active and detect potentially malicious changes to the endpoint's operating system or security configuration.
  • Indicators of compromise are reported to the endpoint manager for remediation*.
  • All applications must be reviewed and approved by the endpoint manager.

Sensitive Data, Internal Use Data, or Public Data:
  • The controls listed for Highly Sensitive Data are recommended but not required.

* Note: Remediation guidance for endpoint managers can be found at Information Security Incident Report Guidance for Information Technology Professionals.

Additional restrictions apply to all devices or endpoints, whether personally- or University-owned.  All devices must meet the Security of Connected Devices standard and all other University IT policies.  

In addition, all devices or endpoints that access, collect, display, generate, process, store, or transmit Highly Sensitive Data (HSD) must not be configured for elevated administrative privileges unless the endpoint or device complies with the Protection of Highly Sensitive Data Standard and Procedure and all other University IT policies.

Temporary Administrative Privileges

A user's administrative privilege is only considered to be temporary if it meets the following two conditions:

  1. The temporary access is explicitly approved by the endpoint manager.
  2. The temporary access is terminated within five calendar days of the access being provisioned. 

The endpoint must be secured in accordance with this standard.

Persistent Administrative Privileges

A user's administrative privilege is considered to be persistent if it meets the following two conditions: 

  1. The persistent access is explicitly approved by the endpoint manager.
  2. The persistent access is granted for longer than five (5) calendar days from when the access is provisioned. 

Users with access to an account that can install new applications/software or make system-level changes to a device’s configuration are considered to have persistent administrative privileges.
The endpoint must be secured in accordance with this standard.

Inventory of Accounts with Administrative Privileges

The endpoint manager is required to create and maintain an up-to-date inventory of accounts on endpoints with administrative privilege. The inventory must include the following information:

  1. a unique device identifier such as a Media Access Control (MAC) address, serial number, or an internally designated ID by the unit (e.g. Laptop###);
  2. user’s computing ID and name associated with the device;
  3. the date the access was granted; and,
  4. the level of access maintained by the user.

This inventory may be requested by University Audit or others.  University Information Security encourages keeping these inventories with existing departmental device inventories and reserves the right to request this information as needed. 
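An inventory is only useful if it matches what the endpoints actually report. The script below is an added example, not tooling the University provides with this procedure: it parses the output of `net localgroup Administrators` (Windows) or `dscl . -read /Groups/admin GroupMembership` (macOS), compares the result with inventory records carrying the four required fields, and reports admin accounts with no inventory entry, temporary grants still active after the five-calendar-day limit, and inventory entries for accounts that no longer hold admin rights. The device ID Laptop042, the computing IDs, the UNIT domain prefix, the group output, the check date, and the choice to skip the built-in Administrator and root accounts are all constructed assumptions.

```python
"""Reconcile an endpoint's actual local-admin membership against the unit's
inventory of accounts with administrative privileges.

Added example for this procedure, not University-provided tooling.  The
inventory fields mirror the four the procedure requires; everything else
(device name, computing IDs, group output, check date) is constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Temporary access must be terminated within five calendar days of provisioning;
# anything still active after that is, by the procedure's definition, persistent.
TEMPORARY_MAX_DAYS = 5

# Built-in accounts that have no computing ID.  Whether a unit inventories them
# is an assumption left to the unit; by default they are skipped here.
BUILTIN_ACCOUNTS = frozenset({"administrator", "root"})


@dataclass(frozen=True)
class InventoryRecord:
    device_id: str      # MAC address, serial number, or unit ID such as Laptop042
    computing_id: str   # the user's computing ID
    name: str           # the user's name
    granted: date       # date the access was granted
    access_level: str   # "temporary" or "persistent"


def parse_admin_members(text: str) -> set[str]:
    """Extract local admin account names (lower-cased, DOMAIN\\ prefix stripped)
    from `net localgroup Administrators` output on Windows or
    `dscl . -read /Groups/admin GroupMembership` output on macOS."""
    lines = text.strip().splitlines()
    for line in lines:                       # macOS form: one space-separated line
        if line.startswith("GroupMembership:"):
            return {m.lower() for m in line.split(":", 1)[1].split()}
    members: set[str] = set()                # Windows form: names after the rule line
    in_members = False
    for line in lines:
        if line.startswith("----"):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            members.add(line.strip().split("\\")[-1].lower())
    return members


def reconcile(device_id: str, members: set[str], inventory: list[InventoryRecord],
              today: date, builtin: frozenset[str] = BUILTIN_ACCOUNTS) -> list[str]:
    """Return one finding per discrepancy between the device and the inventory."""
    findings: list[str] = []
    records = {r.computing_id.lower(): r for r in inventory if r.device_id == device_id}
    for acct in sorted(members - builtin):
        rec = records.get(acct)
        if rec is None:
            findings.append(f"{device_id}: {acct} has admin rights but no inventory entry")
        elif rec.access_level == "temporary":
            age = (today - rec.granted).days
            if age > TEMPORARY_MAX_DAYS:
                findings.append(f"{device_id}: {acct} temporary access granted {rec.granted} "
                                f"is still active after {age} days; it is now persistent, "
                                f"so remove it or apply the persistent-privilege controls")
    for acct in sorted(set(records) - members):
        findings.append(f"{device_id}: inventory lists {acct} but the account no longer "
                        f"holds admin rights; update the inventory")
    return findings


# --- constructed sample data ---------------------------------------------
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
UNIT\\abc1d
UNIT\\xyz9z
UNIT\\mno7p
The command completed successfully.
"""

SAMPLE_INVENTORY = [
    InventoryRecord("Laptop042", "abc1d", "Example User A", date(2022, 12, 1), "persistent"),
    InventoryRecord("Laptop042", "xyz9z", "Example User B", date(2022, 12, 12), "temporary"),
    InventoryRecord("Laptop042", "qrs5t", "Example User C", date(2022, 11, 15), "persistent"),
]
SAMPLE_TODAY = date(2022, 12, 20)  # constructed check date


def run_sample_check() -> list[str]:
    """Reconcile the constructed sample; yields three findings (undocumented
    admin mno7p, expired temporary grant xyz9z, stale inventory entry qrs5t)."""
    members = parse_admin_members(SAMPLE_NET_LOCALGROUP)
    return reconcile("Laptop042", members, SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample_check():
        print(finding)
```

On a real device the group output comes from the command itself and the inventory from the unit's spreadsheet or database; the five-day test counts calendar days from the grant date, so a temporary entry still present on day six is reported as persistent and must either be removed or brought under the persistent-privilege controls above.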

Required Security Incident Reporting 

Anyone who suspects or knows of a compromise of their endpoint, device, or account must, within one (1) hour from the time the incident is identified or suspected:

  • immediately take the device off the network,
  • keep the device running and logged on (do not power off),
  • notify the appropriate systems administrator, and
  • report the incident at the "Reporting an Information Security Incident" webpage (preferred) or by telephoning (434) 924-4165.


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


4. Related Links


5. Exceptions

If you cannot meet this standard’s requirements, you must use the policy exception request process.


APPROVER: Chief Information Security Officer