Requesting Administrative Access for Your Customers

Disclaimer

The purpose of this document is to support compliance with the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices, section 2.7 Limit Administrative Account Privileges. The goal of this standard is to protect the overall network and data environment at the university. It is expected that exceptions to these standards will be rare. It is the expectation that the default login for all university computers will be without local administrative access.

Each request for administrative privileges reflects a unique set of circumstances including, but not limited to:

  • Classification of data available to the individual and/or classification of data on the device or machine
  • Compensating controls
  • Research, business, or operational purpose
  • Device or machine specifications

Therefore, this document should be used as a guideline. It does not constitute official university policy.

Requests for administrative privileges that are likely to be approved

  • Old software that requires administrative privileges, especially programs that interface with an external device. In such cases, we recommend running with a local admin account and/or with the computer off the network, if possible.
  • Administrative privileges for interactive software development where researchers or companies they are working with are developing and installing new versions of software in system directories as part of their work. In these cases, the software code development should be completed with the device off the university network or on the network without local administrative privileges. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity are required.
  • Administrative privileges for systems used for teaching students how to install operating systems, install software, or perform system administration tasks. In these cases, the software code development should be completed with the device off the university network or, if on the university network, without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity are required.
  • Software such as Symantec's real-time virus scanning might need to be disabled on systems doing real-time data acquisition because it interferes with timing.
  • Automated patch management may need to be deferred to a manual process on systems where long-running tasks should not be interrupted by unexpected reboots after patching.
  • A piece of hardware attached to a computer where the software/hardware needs full administrative privileges to work properly. These devices should normally be off the university network or used without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity are required.
  • Traveling to do research/field work. Temporary administrative privileges are given for the duration of the travel and then removed upon return to the University.
  • Traveling to a conference. Temporary administrative privileges are given for the duration of the travel and then removed upon return to the University.
  • Some custom programming and testing of programs may need administrative rights. These devices should normally be off the university network or used without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity are required.
