Privileged Access Policy

Purpose

The following policy governs privileged (root, superuser, or administrator) access to School of Informatics and Computing (SOIC) workstations and servers. It is designed to protect the integrity of these systems while allowing appropriate access as needed to perform required duties. This policy serves to augment Information and IT Policies published by Indiana University [1].

Scope

This policy applies to all SOIC owned and managed computer systems.

Levels of Access

There are two security access levels on SOIC owned workstations and servers:

  • User Access – Gives the user the rights necessary to perform normal daily computing functions. The user access level will generally assure the highest level of stability for the workstation/server. All users are granted User Access to SOIC systems by default.
  • Privileged access (root, superuser, or administrator) – Gives the user full and unrestricted access rights on the workstation/server. This includes installing any hardware or software, editing the registry, managing the default access accounts, and changing file-level permissions. SOIC faculty, staff, or graduate students may request Privileged access to a workstation/server by submitting the Privileged Access Request form. Privileged access can be terminated at any time.

Risks & Assumptions

The assumption of Privileged Access on SOIC workstations and servers carries certain inherent responsibilities. Care must be taken because of the potential threat of compromise and the need to comply with Federal, State, and University regulations.

  • Data Security – SOIC computer users who are granted Privileged Access should be aware that using an account with these privileges makes the user's computing environment extremely susceptible to spyware, viruses, and potentially damaging security breaches.
  • Regulatory Compliance – SOIC computer users who are granted Privileged Access are bound by Federal, State, and University regulations to protect sensitive data (classified as Critical, Restricted, and University-Internal [2]) from unauthorized use (FERPA, HIPAA, etc.).
  • Software Licensing & Copyright Laws – SOIC computer users who are granted Privileged Access should be aware of copyright restrictions and licenses placed on ALL software installed on their systems, and that there exist severe criminal and civil penalties for noncompliance. University computer users do not have the authorization to agree to any software terms and conditions (e.g., End User License Agreements) on behalf of the SOIC or Indiana University. ALL software, regardless of license or cost, must be approved through the Software and Services Selection Process (SSSP) [3] before it is installed.

Privileged Access Request Process

SOIC faculty, staff, or graduate students may request privileged access to a specific workstation/server by submitting the Privileged Access Request form.

  • Step 1 – The faculty, staff, or graduate student completes the online Privileged Access Request Form and the request is sent to the requestor's supervisor/faculty mentor for approval.
  • Step 2 – If the requestor's supervisor/faculty mentor approves the request, it is sent to the SOIC IT Director or their assignee for approval.
  • Step 3 – If the SOIC IT Director or their assignee approves the request, a technology support request will be created and the SOIC Technology Services staff will coordinate the Privileged Access set up on the specified system.

Desktop Workstations Privileged Access Restrictions

  • Privileged access to workstations granted to students will be for a specific research purpose and will expire when no longer needed for that purpose.
  • Privileged access granted to faculty or staff members must be for a business/research purpose.
  • Privileged access will not be granted directly to a user’s primary IU account. Instead, it will be granted to a secondary “Group Account” [4] for elevation purposes.  As with other IU computing accounts, group accounts are considered private.  The user should not share the passphrase or allow others to use the account.
  • Users will comply with all restrictions listed in IU’s IT-12 policy [5].
  • Users may not change the passphrase for the Local Computer Administrator Account (usually “infoadmin” or “root”).  Users may not alter any permissions for the Local Computer Administrator Account.
  • Users may not modify any files except in designated user directories without the SOIC IT staff’s specific authorization. Specifically, no system configuration files may be modified unless expressly authorized.
  • Users may not use their privileged access to examine or modify the files of any other system users.
  • Users may not use their privileged access to grant other users privileged access to accounts on the system.
  • Users may not add or remove users from the system.
  • Users may not add or remove software and operating system components other than what has been approved by .
  • Users may not in any way compromise the security of the system.

Special Purpose Research Computer/Server Privileged Access Restrictions

Privileged access to workstations/servers designated for special-purpose research may be granted to users of those systems.  Such special-purpose workstations/servers will not have any users’ home accounts or contain sensitive data (classified as Critical, Restricted, and University-Internal [2]). The faculty member responsible for the computer system and the IT staff will agree on mechanisms and policies governing privileged access.  If necessary, the IT staff may impose other restrictions on such systems to protect the computing facility’s security. All users granted privileged access must comply with the following:

  • Users will comply with all restrictions listed in IU’s IT-28 policy [6].
  • Users may not change the passphrase for the Local Computer Administrator Account (usually “infoadmin” or “root”).  Users may not alter any permissions for the Local Computer Administrator Account.
  • Users do not have permission to modify any files except in designated user directories without specific authorization from the SOIC IT staff.  Specifically, no system configuration files may be modified unless expressly authorized.
  • Users may not use their privileged access to examine or modify the files of any other system users.
  • Users may not add or remove users from the system.
  • Users may not give other people access to the privileged access account or grant privileged access to existing accounts.
  • Users may not add or remove software and operating system components other than what is approved by SOIC Technology Services staff.
  • Users may not in any way compromise the security of the system.

Enforcement

The SOIC Technology Services staff will conduct periodic audits of privileged access on SOIC owned and managed systems. Any user found in violation of University or SOIC IT policies may have their privileged access rights terminated.

Reference

[1] University-wide IT policies – https://informationsecurity.iu.edu/policies/index.html

[2] There are four classification levels of institutional data at Indiana University – https://datamanagement.iu.edu/types-of-data/classifications.php

[3] About the Software and Services Selection Process (SSSP) – https://kb.iu.edu/d/aoyl

[4] Group Accounts – https://access.iu.edu/accounts

[5] IT-12 – Security of Information Technology Resources – https://policies.iu.edu/policies/it-12-security-it-resources/index.html

[6] IT-28 – Cyber Risk Mitigation Responsibilities – https://policies.iu.edu/policies/it-28-cyber-risk-mitigation/index.html