Least Privileged Access Management for the OIT Managed Desktop Service


This document outlines the practices followed by the OIT Managed Desktop Support service for least privileged access. It is intended as a reference for customers of the OIT Managed Desktop Support service regarding the services they receive.

Information

The principle of least privilege is a core concept in computer security: each user profile on a computer is given only the privileges that the user's job requires. This reduces the attack surface of the computer by removing unnecessary privileges that malware or an attacker could otherwise abuse to compromise it. You can apply the principle to the computers you work on by ordinarily operating without administrative rights.

Section 10.1.9 of the NC State Endpoint Protection Standard defines Least Privilege Access as:

"Configuring hosts to provide only the minimum rights to the appropriate users, processes, and hosts; provide everyone with everything they need to do what they are supposed to do, and nothing more."

Privileged access enables an individual to take actions that may affect computing systems, network communication, or the accounts, files, data or processes of other users. Proper controls are required to mitigate the increased risk that comes with working under elevated privileges.


Policy

As a rule, the OIT Managed Desktop Service grants desktop endpoint users no Privileged Access in the operating system. Exceptions are granted on a case-by-case basis upon request, with approval from both OIT and management in the supported unit.

Privileged Access beyond Standard Access is typically granted to system and network administrators, to staff performing system or computer account administration, and to other employees whose job duties require special privileges over a computing system or network. A privileged access user could be a university employee, a LANTech, a contractor, or a vendor engaged by the university.

Privileged Access Requests must be:
  • Documented in a ServiceNow ticket, with a demonstrable technical or business process need provided by the requester.
  • Approved by OIT and the supported unit's management.
  • Revoked upon notification of a change in the user's role or employment status.

Access Types

  • Standard Access - The default user account in the OIT Managed Desktop environment has no elevated privileges. A Standard Access account restricts the changes you can make to your computer; it also limits what an attacker, or malware running in your session, can do.
  • LANTech Privileged Access - Administrative access to all computers in the supported unit's OU, granted through the "Computer Admins" group for that OU. This level of Privileged Access is given to the assigned LANTech for troubleshooting and resolving common issues, such as assisting end users in their department with an immediate software installation.
  • IT Staff Privileged Access - Access through ".admin" accounts for use in Active Directory Users and Computers (ADUC) and the SCCM console. Only available to staff in technical positions whose daily work requires Active Directory and the console. Students working in technical roles do not qualify.

Process

Privileged Access Request

To obtain Privileged Access beyond Standard Access, the manager of record for the person requesting access must submit a ticket to the NC State Help Desk with the following information:

  • Short Description (Subject line): "Privileged Access Request".
  • Description: Must include:
    • Employee Information: Name, Unity ID, and Title of the employee for whom Privileged Access is requested.
    • Manager Information: Name, Unity ID, and Title of the manager submitting and approving the request.
    • Access Type: The Access Type requested.
      • .admin account request only.
    • Business Justification: Describe the type of work and the use case (business need) for which the employee needs elevated privileges.
      • Note: Periodic, non-urgent needs that can be met by submitting a request to the OIT Managed Desktop Service do not qualify. An AdminByRequest license costs $30 per device, and requests for one will be reviewed on submission.
    • Period of Access: Time limits on Privileged Access vary with the type of access requested.
      • LANTech Privileged Access and IT Staff Privileged Access are granted for one year at most and are reviewed annually.

Annual Renewal

Because roles and responsibilities change over time and staff move to other departments, the same level of elevated privilege may no longer be necessary. The OIT Managed Desktop Service will conduct an annual audit of Privileged Access rights for each Organizational Unit (OU), starting in the 2020-2021 fiscal year, and will ask customers to provide a business case justification for continued elevated privileges.

Using Privileged Access

University Policy & Regulation Adherence

Use of Privileged Access requires compliance, and non-interference, with the following NC State Policies and Regulations:

Privacy & Protection of Data

Individuals with Privileged Access must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with all relevant laws, policies, and regulations. In all cases, access to other individuals' electronic information shall be limited to the least perusal of contents and the least action necessary to resolve a situation. Individuals also have an obligation to keep themselves informed of any procedures, business practices and operational guidelines pertaining to the activities of their local department.

Use "As Necessary"

Every user of the system should operate with the smallest set of privileges needed to complete the task at hand. This limits the damage that can result from an accident, an error, or a compromised session.

  • Users with ".admin" accounts may use them only to elevate privileges; they must not use them as the primary account for logging in to endpoints for everyday work.
    • Both Microsoft and Apple state that logging in to the computer primarily with a non-administrative account mitigates most security risks, because it limits what an invasive program running in that session can change on the computer.
  • Privileged Access must be reserved for tasks that actually require elevated privileges.
    • If a task can be accomplished without Privileged Access, that other method must be used.
  • If a Privileged Access user must submit data or access a system as an end user, they must use the same means as other end users.
    • For example, if a System Administrator must submit their annual benefit elections, they must do so as a normal user and not through Privileged Access that is not available to other users.
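The two rules above (the annual review of who holds elevated rights per OU, and the rule that ".admin" accounts are for elevation only, never for everyday logons) can both be checked from an administrative workstation. The following PowerShell is an added example written for this page; it is not OIT's own tooling. It assumes, as placeholders not taken from the page, a domain NetBIOS name of CAMPUS, an OU distinguished name supplied by the caller, the exact name of the OU's "Computer Admins" group, PowerShell Remoting enabled on the endpoints, and the ActiveDirectory RSAT module on the machine running it.

```powershell
# Added example (not OIT tooling). Two checks for a Privileged Access review:
#   Get-LocalAdminMembership - lists members of the local Administrators group on
#       every enabled computer in an OU and flags any member not on an allow list.
#   Find-AdminLogon          - scans a computer's Security log for interactive
#       logons by ".admin" accounts, which the policy reserves for elevation only.
# Placeholders (assumptions, not from the page): domain "CAMPUS", the allow-list
# group names, PowerShell Remoting on endpoints, ActiveDirectory RSAT module.

#Requires -Modules ActiveDirectory

function Get-LocalAdminMembership {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Unit,DC=campus,DC=example'
        # Members expected on every endpoint in the OU; anything else is flagged.
        [string[]] $AllowList = @(
            'CAMPUS\Domain Admins',         # placeholder domain group
            'CAMPUS\Unit Computer Admins'   # placeholder name for the OU's "Computer Admins" group
        )
    )

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty Name

    foreach ($computer in $computers) {
        try {
            # Get-LocalGroupMember only inspects the local machine, so run it on the endpoint.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object Name, ObjectClass, PrincipalSource
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; Member = $null; Class = $null
                               Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }

        foreach ($m in $members) {
            # The built-in local Administrator account is always present; skip it.
            if ($m.Name -eq "$computer\Administrator") { continue }
            [pscustomobject]@{
                Computer = $computer
                Member   = $m.Name
                Class    = $m.ObjectClass
                Status   = if ($AllowList -contains $m.Name) { 'Expected' } else { 'Review' }
            }
        }
    }
}

function Find-AdminLogon {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Days = 30
    )
    # Event 4624 = successful logon. LogonType 2 = Interactive (console),
    # 10 = RemoteInteractive (RDP). Either means the account ran a desktop
    # session rather than being used only to elevate a single task.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4624 property order: [5] TargetUserName, [6] TargetDomainName, [8] LogonType
            $user = $_.Properties[5].Value
            $dom  = $_.Properties[6].Value
            $type = [int]$_.Properties[8].Value
            if ($user -like '*.admin' -and $type -in 2, 10) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Computer  = $ComputerName
                    Account   = "$dom\$user"
                    LogonType = if ($type -eq 2) { 'Interactive' } else { 'RemoteInteractive' }
                }
            }
        }
}

# Usage (placeholder OU and computer name):
# Get-LocalAdminMembership -SearchBase 'OU=Unit,DC=campus,DC=example' |
#     Where-Object Status -ne 'Expected' | Format-Table -AutoSize
# Find-AdminLogon -ComputerName 'UNIT-PC-01' -Days 30 | Format-Table -AutoSize
```

Rows with Status "Review" are the ones to raise in the annual business-case justification; rows marked "Unreachable" still need a follow-up, since a machine that cannot be audited is not a machine with no extra administrators. Any hit from Find-AdminLogon is a ".admin" account being used as a daily login and should be taken up with the account holder.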

Escalation

All questions about the policy itself should be escalated to NCSU OIT Security and Compliance. All questions about this document or the process it describes can be escalated to OIT_DESKTOP_SUPPORT leadership.

Related Documentation

Title: Privileged Access Policy & Process for the OIT Managed Desktop Service
Service: Security Policy & Compliance
Template if applicable: NA
Assignment Group(s): OIT_DESKTOP_SUPPORT
Document Owner: OIT_DESKTOP_SUPPORT
Available Priorities: Critical, High, Medium, Low
Keywords: Least Privilege Access, Endpoint Protection Standard, policy, OIT Managed Desktop Service, security, Privileged Access policy, OIT Managed Desktop Service Privileged Access Policy, endpoint security, regulations, how to get admin access, elevated privileges, administrative access, admin rights, administrative rights, how to get admin rights, .admin, LANTech admin rights