As part of IT Services’ initiative to reduce the attack surface and improve our security posture, IT Services utilizes an application called Admin By Request to provide enhanced PC privileges. This application manages privileged access on IUP desktop and laptop systems. By using the application, privileged access rights or permissions are granted for the specific time period they are needed. When the task is completed, the access is removed.
This approach is designed to minimize the risk that attackers misuse or exploit permanently exposed privileges.
When a user has appropriate access and the application is deployed, Admin By Request runs in the background. The program is in the system tray at the right corner of your computer. To invoke admin privileges at any time, right-click on the icon and select Request administrator access.
Rationale for Procedure
The university reserves the right to determine the level of user access granted to university-owned desktops and laptops. IUP aligns its practices with industry best practices as articulated in various standards, such as the 20 Critical Security Controls from the SANS Institute. As per the Controls, it is vital to “Minimize administrative privileges and only use administrative accounts when they are required.”
In general, the university limits such access to information technology (IT) staff specifically trained to perform these duties in a manner that helps protect sensitive university assets while supporting vital academic freedom principles (instruction, research, scholarly activity, etc.) without an undue burden.
However, situations exist in which the user who is assigned a university-owned desktop or laptop also requires enhanced privileges. The following process is for users to request enhanced privileges. Situations involving shared desktops or laptops, such as computer labs, are beyond the scope of this process.
Activation, Compliance, and Revocation
IT Services’ Enterprise Systems will retain authority to intervene in system and patch management, which includes the base software inventory.
The university will not accept responsibility for patching software that the user installed locally or for license compliance related to such software. If the request for enhanced privileges is approved, please keep in mind that the user will be responsible for updating any additional software installed on this PC apart from the base PC install. If vulnerabilities are found with such software, the user will be responsible for bringing the computer into compliance.
Privileges will be revoked if the PC is compromised and investigation leads to any additional software being the cause.
IT Services retains the responsibility and authority for directing security-related and inventory scans (sensitive data, unpatched software, unsecured system configurations, lack of updated/operating antivirus software, etc.) as well as performing event logging analysis. Desktop or laptop network connectivity can be temporarily suspended until the user can bring the computer into compliance, in keeping with past practice.
The respective vice president or their designee can direct Enterprise Systems to revoke the enhanced privileges as they deem appropriate. The user will be given a written explanation for the revocation.
By submitting this request via ihelp, you agree to comply with the policies established on this page. Submitting the request will require you to log in to ihelp.
Process
- To submit your request, collect the following information. The request must include these items:
  - the PC number
  - the reason for the request
  - whether this is Temporary or Permanent access
- Submit an ihelp ticket with this information.
- This ihelp ticket will be routed to the Enterprise Systems group for review.
- Enterprise Systems will review the request and engage other IT Services staff members as appropriate to determine the best alternative that balances user needs with the university’s interests in following account management best practices.
- Enterprise Systems will inform the user of the resolution, and the assigned IT Services staff person will set up the desktop or laptop accordingly. In cases where the user does not agree with the resolution, the respective vice president or their designee will review and determine the appropriate action.
- If you have any questions, you will be able to update your ihelp ticket.