Application - Desktop Computer Admin Rights
Who can request administrative rights?
On administrative computers, a user requires special administrative rights to:
- Install software
- Modify system settings
- Manage user profile
These tasks are restricted by default since they can have a profound impact on the stability and usability of a computer. Industry best practices have guided the Information Technology Services (ITS) implementation of the procedure to restrict the use of administrative rights. By default, user accounts on Mount Royal University administrative computers are restricted according to the principle of least privilege. This principle, as implemented by the university, follows guideline BC.12.1, recommended by the federal government as part of its Baseline Cyber Security Controls for Small and Medium Organizations.
BC.12.1 Organizations should provision accounts with the minimum functionality necessary for tasks and in particular should restrict administrator privileges to an as-required basis. Organizations should remove accounts and/or functionality when employees no longer require it for their tasks.
Under certain circumstances, administrative rights may be assigned to faculty and staff on a limited-term basis to perform tasks within the scope of their employment. Users who have a defined business case may apply for the privilege of being assigned administrative rights on their computer.
Note: All faculty/staff assigned a laptop will be automatically granted administrative rights.
Technical support for administrative rights
The ITS department will continue to provide Microsoft system patches, supported application software patches, and antivirus updates through the network client management platform to all university workstations. University computer users must not block, or in any manner disable or revise, any services on the workstation where doing so may prevent these and other routine maintenance procedures.
ITS will not be able to restore a configuration customized by the user. In the event of a computer failure, the ITS Office Computing Services (OCS) will restore the original base image on the computer.
The base image includes the typical Microsoft Windows operating system and any software maintained by the ITS department. All documents that are synchronized to the network server will be restored if possible. All university-issued desktop machines must be administered in accordance with MRU accepted configurations, and all computers must:
- Be joined to the MRU Active Directory domain
- Have remote management client software installed to facilitate administration and upgrades
- Have active endpoint protection software
- Have service packs and patches as deployed by IT Services
Note: Network monitoring and intrusion detection are performed as deemed necessary and appropriate by ITS Infrastructure and Security staff.
Administrative rights can be revoked
If a user abuses his/her administrative access, ITS will revoke this access immediately and will restore the original base image on the computer. Abuse includes, but is not limited to:
- Downloading software that is malicious to the MRU network
- Downloading unlicensed/illegal software
- Downloading viruses or Trojans to the MRU network that are specifically attributed to user software installations/downloads
- Tampering with the security and maintenance measures configured in the existing system image
Administrative rights application
For audit purposes, the university must have on file documentation showing that administrative rights have been applied for and approved by IT Services.
If a university employee would like to apply for administrative rights, they must follow these steps:
- Complete and sign the Application for Administrative Rights Request Form
- Submit the form to ITS via a Footprints Service Request ticket with the form attached
Note:
- The application form is reviewed and a response is provided by IT Services
- Approved applications are valid for a term of up to four years or until the primary assigned computer is physically changed, whichever occurs first (applicants may elect to reapply for rights at that time)