
Southern Oregon University

Information Technology

Workstation Elevated Permissions Authorization & Procedures

Overview

This document establishes guidelines for SOU workforce members who have been granted elevated permissions on their provided workstation(s). This is to ensure that SOU confidential information and technologies are not compromised, that production services and other SOU interests are protected from user activities, and that there is an understanding about support of their workstation. Additionally, the agreement provides guidance to ensure the requirements for elevated permissions are met.

Securing Computing Resources 

IT best practices suggest, and the Oregon University System’s Internal Audit Division has requested, that user accounts be granted the minimum permissions required to perform the task at hand. In a Microsoft Windows environment this is the "Standard User" permissions. While this is a very effective means of increasing the security and reliability of computing resources, it can prevent some legitimate uses, such as installing software not written to operate properly for a standard user or frequently adding and removing hardware devices. While alternate solutions are often possible, workstation elevated permissions are sometimes the preferred solution.

Responsibilities of Having Elevated Permissions

Appropriate measures must be taken when using workstation(s) with elevated permissions to ensure the confidentiality, integrity and availability of sensitive information, including protected SOU information, and to ensure that access to sensitive information is restricted to authorized users. Additionally, the workforce member is fully responsible for any and all information stored on their SOU-provided device, including but not limited to software, hardware, account information, stored passwords, and web browser/memory/application data.

SOU workforce members using workstations with elevated permissions shall consider the sensitivity of the information that may be accessed and minimize the possibility of unauthorized access. SOU will no longer be held liable for the disabling of physical and technical safeguards for all workstations that access electronic information to restrict access to authorized users.

Workforce member responsibilities include, but are not limited to:

  • Complying with the SOU Computing Resources Acceptable Use Policy.
  • Restricting physical access to workstations to only authorized personnel.
  • Securing workstations (screen lock or log-out) prior to leaving the area to prevent unauthorized access.
  • Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
  • Complying with all applicable password policies and procedures.
  • Ensuring workstations are used for authorized business purposes only.
  • Never installing unfamiliar or suspicious software on workstations.
  • Storing all sensitive information on secure, SOU-provided network servers.
  • Securing laptops containing sensitive information by using cable locks or storing them in lockable drawers or cabinets.
  • Ensuring workstations are still capable of receiving SOU-provided updates, upgrades, and installations.

Workforce members granted elevated rights should understand that support may be limited in some cases of extreme workstation divergence from standard configurations. This may limit assistance from the Information Technology department and may waive applicable service level agreements.

Any workforce member found to have violated these guidelines may be subject to revocation of elevated permissions and to disciplinary action, up to and including termination of employment.

Examples of Elevated Permissions

The following is a list of common scenarios when elevated permissions are recommended:

Infrequent Software Installs: An administrative user account can be supplied to respond to one-time needs for elevated permissions. The account cannot be used for log in and the password is changed on a daily basis. The most common use for this is infrequent software installation or software updates that require an administrative account.

Applications Requiring Administrative Rights: IT is unable to make an application run properly with standard user permissions. If the application will be used by an individual, they will be made an administrative user on their computer. If the application will be used in a class, the members of the CRN will be made administrative users on the computers in the lab where the class is taught.

Frequent Software Installation/Maintenance: For individuals who have a frequent need to install software on their computer or on a group of computers, a second administrative account can be created that will be given administrative permissions on all the necessary computers. This account is only used to perform software installations. The individual uses their standard user account for day-to-day activities.

Glossary

Administrative User: The least restrictive user security model. User is able to install any software and make configuration changes. Computer has very little protection from unintended changes or software installations including viruses and malware.

Elevated Permissions: Users granted "Local Administrator" permissions on a Microsoft Windows device have unrestricted access to the operating system and data storage. They can create, delete and modify any of the files or folders on the computer, as well as change any settings. This level of access is typically reserved for IT system administrators.

Standard User: The most restrictive (secure) user security model. Users can install software written to work properly with the standard user security model.

Workforce Members: employees, volunteers, trainees and other persons under the direct control of SOU.

Workstations: laptops, desktops, PDAs, servers, cellular phones, and computer-based equipment containing or accessing information and authorized workstations accessing the SOU network.