Campus Technology Services

Taking Steps for the Future

In the context of this site, "user privileges" are defined as the level of access granted to the operator of a campus-owned computer.  Numerous aspects of computing are affected by the level of privilege; for example: installing or upgrading software, installing new devices, or modifying system settings. Currently, there are a considerable number of campus-owned computers configured with administrative privileges rendering  them vulnerable  to damage by malicious software.

In response to these potential risks to security and system integrity, Campus Technology Services has adopted an improved security model commonly referred to as "least user privilege."

What is "least user privilege"?

It is a security principle that ensures users are given the most appropriate level of system privileges needed for daily work. Prominent software vendors (such as Microsoft) and federal goverment offices (such as the Defense Department) have endorsed this model as a "best practice" to reduce system damage from accidents, errors, or unauthorized use.

I'm used to having full administrator control of my computer. Why this change?

In recent years, malicious attacks on computer and network systems have increased worldwide. These include installation of malware, harvesting of institutional data, and intellectual property theft. Most campus-owned computers were configured to allow users administrator control at a time when these attacks were less sophisticated, -- and their affects not as far-reaching. The number and frequency of these threats will never diminish. Thus, we must take proactive measures to reduce risk.

Least user privilege is an acknowledged industry practice for reducing security risks associated with excessively high privilege levels. A 2009 study conducted by BeyondTrust indicated that a majority of threats posed by that year's reported Microsoft security vulnerabilities could be mitigated simply by implementing least user privilege.

In addition to strengthening security, adhering to these principles reduces the amount of time desktop technicians spend on recovery from unsecured computing -- freeing those resources to address the needs of your departments.

How will least user privilege affect my daily work routine?

For the vast majority of users, the impact will be negligible. Least user privilege is designed to allow users to perform common computer functions uninhibited. However, users will have limited ability to install software or modify important system settings. While at first glance this sounds restrictive, keep in mind the majority of routine computer operations do not require elevation.

How can software be installed or upgraded on my computer ?

There are several ways this can be accomplished:

  • If the software is listed as available in the LANDesk Desktop Manager application, you will be able to install it yourself without need for elevation.
  • If the software is unavailable in the LANDeskDesktop Manager, contact the Help Desk at x3456 to request a software install. We can then either deploy the software using LANDesk or access your computer remotely to assist you with the installation. If the computer is a laptop, it can be dropped off to the Help Desk office in 26 Lanigan Hall.
  • If you believe your specific circumstances warrant a permanent elevation of your user privileges, you can submit a request for elevated rights.

We are also utilizing other tools to allow users to update commonly-used software and manage certain system items without need for elevated privileges.