Campus Technology Services

Taking Steps for the Future

In the context of this site, "user privileges" are defined as the level of access granted to the operator of a campus-owned computer. Numerous aspects of computing are affected by the level of privilege; for example, installing or upgrading software, installing new devices, or modifying system settings. Currently, there are a considerable number of campus-owned computers configured with administrative privileges, rendering them vulnerable to damage by malicious software.

Campus Technology Services is working to transition faculty and staff computers to an improved security model referred to as "best user privilege."

What is "best user privilege"?

It is a security principle that ensures users are given the most appropriate set of system privileges needed for performance of authorized tasks. Prominent software vendors (such as Microsoft) and federal government offices (such as the Defense Department) have endorsed this model as a "best practice" to reduce system damage from accidents, errors, or unauthorized use.

I'm used to having full administrator control of my computer. Why this change?

In recent years, malicious attacks on computer and network systems have increased worldwide. They include the installation of malware, harvesting of institutional data, and intellectual property theft. Most campus-owned computers were configured to allow users administrator control at a time when these attacks were less sophisticated and their effects not as far-reaching. The number and frequency of these threats will never diminish. Thus, we must take proactive measures to reduce our exposure. There are simply too many vulnerabilities and risks associated with having unfettered access to a computer's operating system.

Best user privilege is an acknowledged industry practice for reducing security risks associated with excessively high privilege levels. A 2009 study conducted by BeyondTrust indicated that a majority of threats posed by that year's reported Microsoft security vulnerabilities could be mitigated by implementing best user privilege principles.

In addition to strengthening our campus' security, adhering to these principles also helps reduce the strain on our limited resources that are often sidetracked into combatting the aftereffects of breaches in our desktop systems' integrity.

How will best user privilege affect my daily work routine?

For the vast majority of users, the impact will not be noticeable. Best user privilege is designed to allow users to perform normal business functions uninhibited. However, users will have limited ability to install software or modify core system settings. While at first glance this may seem restrictive, keep in mind the majority of daily work-related computer operations do not require elevated privileges -- few individuals need to install or update applications regularly.

How can software be installed or upgraded on my computer?

There are several ways this can be accomplished:

  • If the software is listed as available in the LANDesk Desktop Manager application, you will be able to install it yourself without need for CTS assistance.
  • If the software is unavailable in the Desktop Manager, you can contact the Technology Support Center at x3456 to request a software install. We can then either deploy the software using LANDesk or access your computer remotely to assist you with the installation. If the computer is a laptop, it can be dropped off to the Technology Support Center office.
  • If you believe your specific circumstances warrant either temporary or permanent elevation of your user privileges, you can submit a request for elevated rights.

We are also utilizing other tools to allow users to update commonly-used software and manage certain system items without need for elevated privileges.

When will these changes take place?

These changes are taking place now. Computers are being reconfigured as the project to replace desktop phones with new Voice over IP (VoIP) phones continues. Basically, if you have a new VoIP phone in your office, your machine has already had these changes implemented. If you have not received a new VoIP phone, the changes to your computer will take place at the time the new phone is installed.