Device Administrative Accounts

A new policy in the Information Resources Use and Security Policy documentation has been established by the ISO regarding administrative accounts for all university-owned devices (e.g., laptops, desktops, tablets, servers).

5.4.7. This section to be made effective on September 01, 2015 so as to allow the campus time to plan and transition. When access to a university-owned IT device’s administrative account is required by someone other than an IT Support Staff member, the following exception criteria must apply:

5.4.7.1. Individuals must annually complete the Acceptable Use Policy form;

5.4.7.2. Individuals must only use the administrative account for special administrative functions and default to a lower privileged user account for other day-to-day use;

5.4.7.3. Individuals must review the following training materials, How not to Login as Administrator (and still get your job done);

5.4.7.4. IT System Custodians are required to periodically review the use of administrative account exceptions.

5.4.7.4.1. IT System Custodians will remove any administrative accounts that go unused or are no longer required; and

5.4.7.4.2. IT System Custodians are required to raise inappropriate use to management (e.g., staying logged in with the administrative account longer than needed).

Important

We ask the following after we have completed the changes on the device:

  • Please do not remove the sysnet administrative account.

  • Please do not add yourself as an administrator on your account.

  • Do not decrypt the device if it has been encrypted.

  • At any time, Sysnet reserves the right to audit devices for compliance.

FAQ

What are UT owned devices?

  • All laptops and desktops purchased with the Institute’s funds that are not managed by Sysnet will need to have an administrative account set by Sysnet.

  • All laptops and desktops that are located off campus will need to have an administrative account set by Sysnet.

If unsure, please submit a help request to RT with the UT tag number.

Users’ administrative rights will be revoked. When a user needs to install software, apply updates, or perform any administrative function, the user will need to use the administrative account. The administrative account password will initially be set by Sysnet and shared in stache. To access stache, use your UT EID credentials.

Does this apply to tablets and mobile devices?

This policy does not apply to mobile and tablet devices such as iPads and Android tablets. Surface and other tablets that run a full Windows OS are subject to this policy.

When can I bring my device in?

We will begin taking devices on Monday, August 3, 2015. It’s generally recommended to submit a help request to RT before dropping a device off.

How long will this take?

If your laptop or desktop does not need an upgrade, the process can be done the same day provided it is brought to us before noon. If you are requesting a laptop to be upgraded, the process could take up to 24 hours. It’s a good idea to schedule an upgrade through RT.

Can I do this myself?

We will allow the end user to make the changes to their account on the device if they can demonstrate to Sysnet that they have met the criteria as explained in section 5.4.7 above. We will request verification that a Position of Special Trust has been submitted and will ask the user to show that the user accounts on the device(s) have been updated as requested.

Why is this mandatory?

These policies are set forth by the ISO and were added as an amendment to the IRUSP. Why this is good from a security standpoint is explained in How not to Login as Administrator (and still get your job done).

What about my desktop at home?

We will handle these cases individually. Ideally we would like to retrieve these devices so we can effectively modify the accounts and perform updates if necessary. Sysnet does not make house calls.

Can you upgrade my laptop or desktop?

Yes! Sysnet strongly recommends upgrading Mac OS X installations prior to 10.10.3 due to a vulnerability called Rootpipe. We will wipe, re-install, and encrypt devices that can support newer versions of OS X. More information about the exploit can be read at the link below:

https://threatpost.com/older-versions-of-os-x-remain-vulnerable-to-rootpipe-hidden-backdoor-api/112105

This process could take a full business day to complete. If you do request to have your laptop upgraded, please perform a backup of your data. Before we begin upgrading, Sysnet will perform a backup and then restore after the upgrade.

Acceptable Use Policy

The Position of Special Trust form was retired in favor of an Acceptable Use Policy acknowledgement form. This must be completed annually. More about this policy can be found in the Acceptable Use Policy.

Exceptions

There are no exceptions to this policy. This policy is structured so that users can continue to perform some administrative functions on their device without impeding work.