Requesting Administrative Access for Your Customers

The purpose of this document is to support compliance with the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices, section 2.7 Limit Administrative Account Privileges. The goal of this standard is to protect the overall network and data environment at the university. It is expected that exceptions to these standards will be rare. It is the expectation that the default login for all university computers will be without local administrative access.

Each request for administrative privileges reflects a unique set of circumstances including, but not limited to:

• Classification of data available to the individual and/or classification of data on the device or machine
• Compensating controls
• Research, business, or operational purpose
• Device or machine specifications

Therefore, this document should be used as a guideline. It does not constitute official university policy.

• Managed machines are eligible for administrative access. Managed machines are defined as computers incorporated into the support model of the respective IT node.  This may include using Active Directory/Shibboleth accounts, incorporating the system into the patching and malware/antivirus systems of the node, and system management of nodes (JAMF Pro for Macs, Active Directory/SCCM for PCs).
• Old software that requires administrative privileges, especially found in programs that interface with an external device. In such cases we recommend running with a local admin account and/or with the computer off the network, if possible.
• Administrative privileges for interactive software development where researchers or companies they are working with are developing and installing new versions of software in system directories as part of their work. In these cases, the software code development should be completed with the device off the university network or it on the network without local administrative privileges. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity is required.  
• Administrative privileges for systems used for teaching students in how to install operating systems, install software, or system administration tasks. In these cases, the software code development should be completed with the device off the university network, or, if on the university network without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity is required.  
• Software such as real-time virus scanning might need to be disabled on systems doing real-time data acquisition due to interfering with timing.
• Automated patch management may need to be deferred to a manual process on systems where long-running tasks should not be interrupted by unexpected reboots after patching.
• A piece of hardware attached to a computer where the software/hardware need full administrative privileges to work properly. These devices should normally be off the university network or used without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity is required.  
• Traveling to do research/field work. Temporary administrative privileges are given for the duration of the travel and then removed upon return to the University.
• Traveling to a conference. Temporary administrative privileges are given for the duration of the travel and then removed upon return to the University.
• Some custom programming and testing of programs may need administrative rights. These devices should normally be off the university network or used without local administrative access. Utilities for administrative access should be used for the times when both local administrative access and university network connectivity is required.  

Probably not. The majority of individuals do not need administrative privileges for day-to-day functions.

However, some individuals require administrative rights in order to complete tasks or to run specialized equipment or programs. In this case, individuals can obtain administrative rights in order to be granted temporarily elevated administrative privileges. These options are designed to meet the needs of individuals, while maintaining an appropriate information security posture.

See UB's current policies  

UB is committed to providing individuals with reliable, secure and user-friendly technology in stable operating condition. In order to address the needs of the faculty and staff, IT nodes provide administrative privileges for individuals who have demonstrated a need, understand the responsibilities associated with this special access, and obtained approval.

• User Agreement for Administrative Access Utility
• Email Template for Administrative Access Stipulations

• Changes to job role and responsibilities in such a way that administrative privileges are no longer required
• Non-compliance with terms and conditions
• Committing abuse, which includes but is not limited to: 
  • Downloading software that is malicious to the network 
  • Downloading unlicensed/illegal software 
  • Downloading copyrighted material without permission 
  • Downloading malware to your machine that are specifically attributed to the use of administrative rights  
  • Causing a breach of Category 1 or Category 2 data
  • Interfering with patches, upgrades or malware scans