To accompany KB0013015, which gives an overview of the principles behind granting administrative privileges and how to apply, this document sets out the general terms of use once approval has been granted.
Administrative privileges are granted to non-IT staff or students on, but not limited to, the following bases:
General
- Accounts are granted on a per user, per machine basis. Separate applications must be made for each requirement.
- Permissions are granted on a time-limited basis and may be reviewed by IT at any time, ideally every 6 months.
- Changes in automated service delivery or device management may mean you no longer have a valid case for having an administrative account.
- If your machine is replaced or re-imaged, this will be a trigger for a review of your administrative privileges.
- Any historical approval for administrative privileges does not mean you will be granted an account in future or in perpetuity.
Credentials
- Credentials must be unique. If you have administrative accounts on multiple machines, your username may be the same, but your password must differ on each device.
- Credentials must not be exposed or shared with anyone, including IT.
- Actual or suspected breaches of your account must be reported to the IT Service Desk immediately.
- Passwords must conform to the minimum complexity rules as laid out in KB0011143.
Account usage
- You must not log into your administrative account unless instructed to do so by IT, and then only for specific, pre-agreed purposes and for as short a time as possible. Your administrative account is provided for on-demand privilege elevation purposes only.
- You must continue to use your standard account for day-to-day operations.
Precluded activities
Having administrative privileges does not mean you have “carte blanche” to perform any task or operation. In particular, unless specifically granted, users must not:
- alter or harm system security or integrity (e.g. change registry / firewall / Gatekeeper / screensaver / session timeout / encryption settings or alter device management configuration measures) or otherwise make changes which may interfere with pre-configuration by IT
- alter or remove anti-virus software installed by IT
- install any secondary anti-virus or firewall measures
- change pre-boot (BIOS / EFI) settings or passwords
- perform operating system upgrades, i.e. from one major version to another, other than via pre-approved methods such as Self Service (updates within the current release should be installed as soon as possible after their release)
- re-image or attempt to re-image the device
- update drivers
- change the device from one operating system to another
- install non-approved operating systems
- create a dual boot environment
- change domain binding or other directory settings
- re-name the device
- create, change or remove other user accounts (you may change the password for your own accounts via approved methods)
- alter certain networking settings e.g. setting a static IP address on the University network
- attempt to access file storage areas for accounts on the device which you do not own
Software
- Software installations must comply with all End User Licence Agreements (EULA).
- Where applicable, you will be responsible for ensuring any licence fees are paid.
- Freeware may have certain conditions which exclude business or educational use. Personal use may not legitimately apply.
- You are responsible for checking the licence agreements for all software you install.
- You must immediately uninstall anything you have installed which is found not to be compliant with EULA or applicable laws.
Conclusion
If in doubt, please contact the IT Service Desk for advice and clarification.