Workstation Administrative Rights

Please be aware of the risks and consequences of using administrative rights on a machine. It's important to follow all policies, including the Acceptable Use Policy.

Most modern computer systems follow the principle of least privilege. This means that in normal circumstances, you'll use a regular or standard account, and not an admin account (or an account with escalated privileges). There are several reasons for this:

  1. Improved overall security

  2. Better system stability

  3. Compliance with State, University System, and University regulations

CyberArk

In the School of Architecture, we use a product called CyberArk to help us manage admin rights. When a task requires administrative privileges (such as installing an application or updating a printer driver), CyberArk intercepts the action and can grant the access needed without a password from the user (this is called privilege escalation), depending on whether the application is whitelisted or blacklisted. In most cases, this process happens behind the scenes and is never even noticed. In a small number of cases, CyberArk will ask for more information about the program and submit a request that will be reviewed by the Technology Services - Architecture staff.


Jamf

Jamf is the device management tool used across the university to manage Apple products such as iMacs, MacBooks, and iPads. With the updates implemented in 2023, Jamf now provides individuals with monitored admin access on most Apple devices: administrators can supervise and review the activities of users holding admin privileges, keeping the devices operating safely and securely. The update also improved the user experience, giving greater flexibility and ease of use and making device management more efficient.


Responsibilities

Using accounts with administrative privileges on University assets carries increased responsibility. There are additional risks associated with potential data loss, software licensing and copyright issues, and regulatory compliance:

  • Data loss: Users with administrative rights are solely responsible for any data stored locally on the computer and providing a backup mechanism to protect against potential data loss. Failure to implement a backup mechanism can result in permanent loss of data.

  • Computer security: Executing code using administrative privileges is inherently risky. A seemingly benign action (such as opening an email or visiting a web page) has the potential to infect and compromise a computer because of the elevated privileges. Users with administrative rights must exercise great care while using credentials with elevated access and agree to use the account with the minimal privileges necessary for each task (AC–5). In order to increase the security of elevated accounts, the following changes are required to be made to the user’s NetID:

    • Enable supported two-factor authentication (Duo 2FA) on the NetID account.

    • Disable over-the-phone password resets for the NetID account.

    • Enable self-service password resets for the NetID account.

  • License compliance: It is imperative that users with administrative privileges have a thorough understanding of the copyright restrictions and licenses pertaining to all software installed on their systems, as stated in CM-11 and TAMUS-29.01.02. Non-compliance with these regulations may incur severe criminal and civil penalties. Therefore, it is recommended that administrative users obtain the necessary knowledge and training to ensure legal compliance and avoid any potential legal ramifications.

  • Accessibility regulations: Both State law and TAMU Rules require all software installations on university assets to adhere to rigorous accessibility guidelines (TAMUS–29.01.04; TAC–213.30). This also applies to administrative software installations.

  • Audit and compliance: Texas A&M University System rules require that we perform annual information security risk assessments (TAMUS–29.01.03). Users with administrative rights will be required to assist college IT staff with this process in order to maintain administrative access to those systems.

Delegation

In a university environment, the person who is in charge of a computer system (known as the "information resource owner" at Texas A&M) may not always be able to manage it personally. In such cases, they may delegate authority to another team member directly involved in the project or lab to which the computer system belongs. However, the resource owner who delegates this authority remains ultimately responsible for any actions taken by the team member to whom they have delegated administrative rights.


Support

Administrative accounts have an unrestricted nature that creates the potential for unexpected consequences. Problems that arise can be complex, and since Technology Services may not have a complete record of administrative actions on Windows machines, we may only be able to partially resolve an issue within a reasonable time frame. Due to limited resources, the school cannot spend a significant amount of time on a single issue. In the event that an issue cannot be resolved within a reasonable time, Technology Services - Architecture will offer to restore the system to its base configuration as originally delivered to the customer.

Please note that Technology Services is not responsible for any data stored locally on the system. Individuals with administrative rights assume responsibility for locally stored data and must ensure that there is a backup mechanism to restore the data in accordance with TAMU data classification rules (RA–2). Additionally, Technology Services - Architecture is not responsible for restoring software installed on the system by users with administrative rights. In these cases, the customer is responsible for licensing management and software configuration.

Consequences for Misuse

Misusing computer systems intentionally is strictly prohibited by University Rule 29.01.03.M2. Engaging in such behavior can lead to disciplinary action and even criminal prosecution. It is important to know that having administrative access to a system can hold you to a higher standard of conduct due to the potential for significant harm. Administrative access has the potential to cause severe consequences even with small actions. A mistake made on a single computer system can have repercussions that affect the entire college.

Here are some of the potential consequences of misusing administrative access:

  • Data loss: If a command is executed with administrative access, it may not provide the opportunity to confirm an action and may not be reversible if a mistake is made. This can lead to inadvertent, permanent data loss.

  • Criminal or civil penalties: Improperly licensed software can result in criminal or civil penalties, even if the license violation was unintentional (CM–11; TAMUS–29.01.02).

  • Loss of connectivity: The Texas A&M networking group has the authority to disconnect a compromised host from the network unilaterally in the event of a malware-compromised computer. In some cases, entire buildings have been isolated from the network due to a single infected computer.

  • Loss of administrative privileges: If the actions of a user with administrative privileges create significant risks to the school, the administrative rights may be revoked.


Request

To request admin rights, you will need to fill out a form after carefully reading and comprehending the terms and conditions. For further assistance, please get in touch with Technology Services - Architecture.

If you're a Mac user, please follow the instructions in the link below to request administrative privileges on your Apple device. https://coa-it.atlassian.net/wiki/spaces/ISD/pages/2034008072