Elevated Rights - Privilege Guard
By default, DCU staff are not given administrative rights to install software on their machines. Restricting blanket administrative rights is one of the most effective options for improving device and network security - should a computer be compromised in any way, the compromise should only affect the current user rather than the entire system. Restricting administrative rights also allows ISS to maintain an accurate baseline of installed systems, cutting down on the number of support issues due to unknown/unsupported system configurations. DCU and ISS operate in a regulatory framework that necessitates ISS having an element of control and visibility over our ICT infrastructure for auditing purposes.
However, ISS recognise that there are many cases where administrative rights are required - installing and patching software, configuring certain Windows functionality, and running poorly written legacy software that requires administrative access. In mitigating these cases, ISS will endeavour to follow the principle of least privilege - that is, users should carry out their work using the least amount of security privilege needed to complete these tasks. When a user encounters a situation where they need additional security privileges to carry out a task, the principle of elevation should apply: only the task requiring the additional privileges should be given these privileges, and once it is complete the user should continue at their normal level of privilege.
In order to meet the needs of users requiring administrative privileges while implementing the two aforementioned principles of least privilege and elevation, ISS have put in place a number of systems to allow the DCU community to work with minimal interruption:
- The creation and deployment of pre-defined software packages. ISS can package commonly used software into single click installers that do not require administrative credentials to install. These packages are known as bundles. This approach works best for commonly installed software such as Microsoft Office and SPSS.
- The use of an application whitelisting tool. It is possible for ISS to whitelist certain applications and system functions (e.g. Windows Backup, Disk Defrag) to automatically run with administrative privileges. This approach works well for software that needs to run with administrative credentials, Windows functionality and software auto-updaters (e.g. Apple Software Update, Adobe Reader updater).
- The use of an elevation on demand tool. ISS can grant users the right to run software with administrative privileges on demand. This approach works best for users who regularly install and remove specialised software.
To request elevated rights for your system, please submit the form below: