In normal day-to-day work, workstation administrative privileges are rarely required. Routine tasks that do not require administrative access should be executed using unprivileged user accounts.
If administrative access to workstations is needed, DoIT Support customers can call 264-HELP (4357), Option 5 to receive immediate assistance over the phone during normal business hours (M-F 7:45 AM – 5:00 PM).
Some DoIT Support customers have a legitimate need for administrative privileges on workstations. For instance, administrative privileges may be useful to install and maintain non-standard software packages, perform certain computer management tasks outside the scope of DoIT Support or even launch certain software packages. Following IT Security best practices, only users who have a legitimate need should be granted administrative access.
The Departmental IT Security Baseline established by the UW-Madison Office of Cybersecurity outlines baseline requirements to create a minimally acceptable security standard for all IT Departments across campus. In order to maintain the integrity of secure workstation systems, DoIT Support adheres to these baseline requirements for supported customers.
The Access Control Requirement section lists an established set of best practices regarding local administrative privileges to workstations. These practices include:
- Users do not have local administrative privileges unless an exception is made by the department head, documented and reviewed annually.
- Privileged access to administrative systems needs to be documented and reviewed annually.
- System Administrators do not use Administrative accounts for general purpose computing.
- First-time passwords are set to a unique value for each user, and must be immediately changed upon first use.
- Reset passwords are set to a unique value for each user, and must be immediately changed upon first use.
Administrative privileges are granted through an approval process in which the requestor and their manager read and understand the administrative privileges account responsibilities. Requirements for approval are based on the conditions listed below:
- Technical Support or Systems Administrator Role – Customers or support personnel that have IT support or systems administrator related tasks outlined within their position description or expected job duties.
- Life Safety Role – Customers whose position works with safety/emergency systems and whose role prevents the loss of life and limb and protects the safety of the campus community.
- Non-Standard Software Required – DoIT Support customer is required by their manager to use a piece of software that requires administrative privileges to run or is outside the list of standard software patched on a monthly basis by DoIT Support. The DoIT Support customer is responsible for maintaining an appropriate patch level for the software that meets functional and security requirements.
- DoIT Support customer, as part of the onboarding process or during normal work, identifies the need for administrative privileges.
- DoIT Support customer fills out the request form to obtain administrative privileges.
- Administrative access request is approved by their manager or approved authority.
- DoIT Support team receives request and works to provision an account that has administrative access on the requestor’s workstation within 3 business days.
Due to the evolving nature of technology and the changing roles of users at the university, all requests for administrative privileges will be reviewed on an annual basis. This review will verify that the need stated in the request is still valid and/or that the employee still requires the approved access.
Users who are granted administrative privileges must understand and agree to the administrative privileges account responsibilities statement when filling out the request form.
Decisions to revoke user administrative privileges will be made collaboratively by DoIT Support Service Leaders in conjunction with unit leaders. Administrative privileges will be revoked for the following:
- DoIT Support Customer no longer meets the requirements for obtaining administrative access
- DoIT Support Customer demonstrates unsafe practices while using administrative privileges (i.e. uninstalling security or inventory management software, using provided administrative account in normal day-to-day work)
- DoIT Support Customer requires excessive support from DoIT Support staff as a result of having administrative privileges
- DoIT Support Customer is involved in a cyber security incident that is directly related to their having administrative privileges
- DoIT Support Customer violates the terms of the agreement below
DoIT Support customers can appeal and request reinstatement of previously granted administrative privileges using the appeal process.
Customers who have had their access revoked may contact DoIT to have their case reviewed.
To obtain more information on requesting local admin and to have an on-site consultation, please use the form below.