1. Purpose and Background
2. Procedures
a) Endpoint Managers
b) Granting Administrative Privileges
c) Temporary Elevated Privileges
d) Persistent Elevated Privileges
e) Inventory of Accounts with Administrative Privileges
f) Required Reporting
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: New - December 20, 2022
1. Purpose and Background
The purpose of this procedure is to set out the processes and documentation required of endpoint owners and endpoint managers who are responsible for establishing user privileges on University of Virginia-owned devices. The Information Security of University Technology Resources policy (IRM-004) states that effective security practices are necessary to protect the University’s computing infrastructure.
Administrative privileges grant users complete control over most functions and features of the operating system and applications and should only be granted where there is a legitimate business need. A user operating an endpoint with administrative privileges may unintentionally modify system files, change configurations, or install unauthorized and/or malicious software. These changes could lead to a breach of the endpoint and/or loss or unauthorized access to University data. To better secure IT resources, the University must limit a user's privileges to the minimum level necessary to perform their assigned job duties.
2. Procedures
Endpoint Managers
Endpoint managers are responsible for endpoint maintenance, which includes provisioning administrative privileges and coordinating operational activities for their assigned endpoints. Endpoint managers must:
- maintain an asset inventory of all endpoints on which the assigned user has elevated administrative privileges,
- include the endpoint manager's own assets in this asset inventory,
- maintain this inventory as described in the Inventory of Accounts with Administrative Privileges section below, and
- only provision administrative privileges on an endpoint if it meets the requirements of this standard.
Endpoint managers must only grant a user elevated privileges on an endpoint when all of the following conditions are true:
- Administrative privileges are necessary for the performance of a user’s assigned duties on that endpoint.
- The endpoint is not publicly accessible.
- The endpoint is not assigned to multiple users.
- The endpoint meets the minimum security requirements established by the Security of Networked Devices Standard.
Additional restrictions apply to all devices, whether personally- or University-owned, that access, collect, display, generate, process, store, or transmit Highly Sensitive Data (HSD). Such endpoints or devices must not be configured for persistent elevated administrative privileges unless the endpoint or device complies with the Protection of Highly Sensitive Data Standard and Procedure as well as all other University IT policies.
Granting Administrative Privileges
The table below outlines the controls required for an endpoint operated by a user with persistent administrative privileges on the endpoint relative to the classification of the data or server type accessed by the endpoint.
Required Controls for Endpoints by Data Classification (for a user with persistent elevated administrative privileges on an endpoint that accesses servers holding data of the listed classification):

| Highly Sensitive Data or mission critical | Sensitive Data, Internal Use Data, or Public Data |
|---|---|
| Application control software must be active and detect potentially malicious changes to an endpoint's operating system or security configuration. Indicators of compromise are reported to the endpoint manager for remediation*. All applications must be reviewed and approved by the endpoint manager. | The controls listed under the HSD column are recommended but not required for sensitive data, internal use data, or public data. |
* Note: Remediation guidance for endpoint managers can be found at Information Security Incident Report Guidance for Information Technology Professionals.
Additional restrictions apply to all devices or endpoints, whether personally- or University-owned. All devices must meet the Security of Connected Devices standard and all other University IT policies.
In addition, all devices or endpoints that access, collect, display, generate, process, store, or transmit Highly Sensitive Data (HSD) must not be configured for elevated administrative privileges unless the endpoint or device complies with the Protection of Highly Sensitive Data Standard and Procedure and all other University IT policies.
Temporary Administrative Privileges
A user's administrative privilege is only considered to be temporary if it meets the following two conditions:
- The temporary access is explicitly approved by the endpoint manager.
- The temporary access is terminated within five calendar days of the access being provisioned.
The endpoint must be secured in accordance with this standard.
Persistent Administrative Privileges
A user's administrative privilege is considered to be persistent if it meets the following two conditions:
- The persistent access is explicitly approved by the endpoint manager.
- The persistent access is granted for longer than five (5) calendar days from when the access is provisioned.
Users with access to an account that can install new applications/software or make system-level changes to a device’s configuration are considered to have persistent administrative privileges.
The endpoint must be secured in accordance with this standard.
Inventory of Accounts with Administrative Privileges
The endpoint manager is required to create and maintain an up-to-date inventory of accounts on endpoints with administrative privilege. The inventory must include the following information:
- a unique device identifier such as a Media Access Control (MAC) address, serial number, or an internally designated ID by the unit (e.g. Laptop###);
- user’s computing ID and name associated with the device;
- the date the access was granted; and
- the level of access maintained by the user.
This inventory may be requested by University Audit or others. University Information Security encourages keeping these inventories with existing departmental device inventories and reserves the right to request this information as needed.
Required Security Incident Reporting
Anyone who suspects or knows of a compromise of their endpoint or device or account must, within one (1) hour from the time the incident is identified or suspected:
- immediately disconnect the device from the network,
- keep the device running and logged on (do not power off),
- notify the appropriate systems administrator, and
- report the incident at the "Reporting an Information Security Incident" webpage (preferred) or by telephoning (434) 924-4165.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Information Security Incident Report Guidance for IT Professionals
- Information Security of University Technology Resources policy (IRM-004)
- Protection of Highly Sensitive Data Standard
- Protection of Highly Sensitive Data Procedure
- Reporting an Information Security Incident Procedure
- Security of Connected Devices
5. Exceptions
If you cannot meet this standard’s requirements, you must use the policy exception request process.