Privileged Access Policy
Last updated: November 2017
Purpose
The following policy governs privileged (root, superuser, or administrator) access to Luddy Indianapolis workstations and servers. It is designed to protect the integrity of these systems while allowing appropriate access as needed to perform required duties. This policy serves to augment Information and IT Policies published by Indiana University [1].
Scope
This policy applies to all Luddy Indianapolis own and managed computer systems.
Levels of Access
There are two security access levels on Luddy Indianapolis owned workstations and servers:
- User Access – Gives the user the rights necessary to perform normal daily computing functions. The user access level will generally assure the highest level of stability for the workstation/server. All users are granted User Access to Luddy Indianapolis systems by default.
- Privileged access (root, superuser, or administrator) – Gives the user full and unrestricted access rights on the workstation/server. This includes installing any hardware or software, editing the registry, managing the default access accounts, and changing file-level permissions. Luddy Indianapolis faculty, staff, or graduate students may request Privileged access to a workstation/server by submitting the Privileged Access Request form. Privileged access can be terminated at any time.
Risks & Assumptions
The assumption of Privileged Access on Luddy Indianapolis workstations and servers carries certain inherent responsibilities. Care must be taken due to the potential threat of compromise and compliance with Federal, State, and University regulations.
- Data Security – Luddy Indianapolis computer users who are granted Privileged Access should be aware that using an account with these privileges makes the user computing environment extremely susceptible to spyware, viruses, and potentially damaging security breaches.
- Regulatory Compliance – Luddy Indianapolis computer users who are granted Privileged Access are bound by Federal, State, and University regulations to protect sensitive data (classified as Critical, Restricted, and University-Internal [2]) from unauthorized use (FERPA, HIPAA, etc.).
- Software Licensing & Copyright Laws – Luddy Indianapolis computer users who are granted Privileged Access should be aware of copyright restrictions and licenses placed on ALL software installed on their systems, as well as being aware that there exists severe criminal and civil penalties for noncompliance. University computer users do not have the authorization to agree to any software terms and conditions (e.g., End User License Agreements) on behalf of the Luddy Indianapolis or Indiana University. ALL software, regardless of license or cost, must be approved through the Software and Services Selection Process (SSSP) [2] before it is installed.
Privileged Access Request Process
Luddy Indianapolis faculty, staff, or graduate students may request privileged access to a specific workstation/server by submitting the Privileged Access Request form.
- The faculty, staff, or graduate student completes the online Privileged Access Request Form and the request is be sent to the requestors supervisor/faculty mentor for approval.
- If the requestors/faculty approves the request, the Luddy Indianapolis IT Director or their assignee for approval.
- If the Luddy Indianapolis IT Director or their assignee approves the request, a technology support request will be created and the Luddy Indianapolis Technology Services staff will coordinate the Privileged Access set up on the specified system.
Desktop Workstations Privileged Access Restrictions
- Privileged access to workstations granted to students will be for a specific research purpose and will expire when no longer needed for that purpose.
- Privileged access granted to faculty or staff members must be for a business/research purpose.
- Privileged access will not be granted directly to a user’s primary IU account. Instead, it will be granted to a secondary “Group Account” [4] for elevation purposes. As with other IU computing accounts, group accounts are considered private. The user should not share the passphrase or allow others to use the account.
- Users will comply with all restrictions listed in IU’s IT-12 policy [5].
- Users may not change the passphrase for the Local Computer Administrator Account (usually “infoadmin” or “root”). Users may not alter any permissions for the Local Computer Administrator Account.
- Users may not modify any files except in designated user directories without the Luddy Indianapolis IT staff’s specific authorization. Specifically, no system configuration files may be modified unless expressly authorized.
- Users may not use their privileged access to examine or modify the files of any other system users.
- Users may not use their privileged access to grant other users privileged access to accounts on the system.
- Users may not add or remove users from the system.
- Users may not add or remove software and operating system components other than what than that with has been approved by .
- Users may not in any way compromise the security of the system.
Special Purpose Research Computer/Server Privileged Access Restrictions
Privileged access to workstations/servers designated for special-purpose research may be granted to users of those systems. Such special-purpose workstations/servers will not have any users’ home accounts or contain sensitive data (classified as Critical, Restricted, and University-Internal [2]). The faculty member responsible for the computer system and the IT staff will agree on mechanisms and policies governing privileged access. If necessary, the IT staff may impose other restrictions on such systems to protect the computing facility’s security. All users granted privileged access must comply with the following:
- Users will comply with all restrictions listed in IU’s IT-28 policy [6].
- Users may not change the passphrase for the Local Computer Administrator Account (usually “infoadmin” or “root”). Users may not alter any permissions for the Local Computer Administrator Account.
- Users do not have permission to modify any files except in designated user directories without specific authorization from the Luddy Indianapolis IT staff. Specifically, no system configuration files may be modified unless expressly authorized.
- Users may not use their privileged access to examine or modify the files of any other system users.
- Users may not add or remove users from the system.
- Users may not give other people access to the privileged access account or grant privileged access to existing accounts.
- Users may not add or remove software and operating system components other than what is approved by Luddy Indianapolis Technology Services staff.
- Users may not in any way compromise the security of the system.
Enforcement
The Luddy Indianapolis Technology Services staff will conduct periodic audits of privileged access on Luddy Indianapolis owned and managed systems. Any user found in violation of University or Luddy Indianapolis IT policies may have their privileged access rights terminated. Reference [1] University-wide IT policies – https://informationsecurity.iu.edu/policies/index.html
[2] There are four classification levels of institutional data at Indiana University – https://datamanagement.iu.edu/types-of-data/classifications.php
[3] About the Software and Services Selection Process (SSSP) – https://kb.iu.edu/d/aoyl
[4] Group Accounts – https://access.iu.edu/accounts
[5] IT-12 – Security of Information Technology Resources – https://policies.iu.edu/policies/it-12-security-it-resources/index.html
[6] IT-28 – Cyber Risk Mitigation Responsibilities – https://policies.iu.edu/policies/it-28-cyber-risk-mitigation/index.html