Policy 17 - Workstation Privileges Policy
1.0 Purpose
The purpose of this policy is to greatly improve the security and reliability of workstations across the organization. A user operating at the highest level of permissions and access can have a tremendous negative impact on the stability and usability of the device, whether intentionally or by accident. Most malware and malicious attackers depend on a user's ability to install software or modify the underlying operating system. A least privilege access approach is necessary to protect the University's data, including PII, grades and research.
2.0 Scope
This policy is meant for end user workstations owned by the University. However, the least privileged access approach can apply to all devices and operating systems. Exceptions for academic lab purposes will be granted based on application requirements.
3.0 Policy
By default, users will be granted general user permissions to workstations. Additional privileges should be configured for each individual, as required, providing the least privileged access needed for that user to perform their job. Examples of access beyond a general user include the following:
- The installation of some software/applications.
- Modifying core system files or registry.
- Altering advanced network and connectivity settings.
- Accessing files belonging to another user’s profile.
Users may request elevated privileges if they meet one of the following criteria:
- The user needs privileged access to the device for the testing, maintenance, troubleshooting or operation of software and/or hardware on a regular basis.
- The user must run software that requires elevated privileges to function properly. This can apply to an entire academic lab as requested by the appropriate faculty or Technical Coordinator.
For users with a demonstrated need, elevated privileges for specific systems can be assigned via the following methods:
- Installing a tool that allows temporary escalation of privileges.
- Providing the user with a secondary account, separate from their daily use account. This secondary account is ONLY to be used when elevated privileges are necessary, and is not to be used continuously.
- Adjusting computer configuration that would allow for specific tasks to be completed or elevated. This includes user file permissions, group policy settings, group membership changes, etc.
Exceptions
Users may submit a request to be granted elevated privileges via the Service Catalog. This request requires the approval of the appropriate Technical Coordinator and the employee’s Dean/Director, as well as the Information Security team.
4.0 Enforcement
Anyone found to have violated this policy may be subject to disciplinary action according to personnel policies and procedures. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Murray State University.
5.0 Definitions
Murray State University Network
Being connected to a Murray State University network includes the following:
- If you have a network capable device (e.g. laptop) plugged into a data port in a Murray State University owned or controlled space, then you are connected to the MSU LAN (local area network).
- If you have a wireless capable device (e.g. laptop, smartphone) and connect to one of the approved SSIDs, then you are connected to the MSU WLAN (wireless local area network).
- If you connect from a computer through the Murray State University VPN (virtual private network), you are then connected to the MSU LAN (local area network).
Policy adopted: 08-21-2024
Revision adopted: 08-21-2024
Policy approval and adoption: Murray State University President's Office and Information Systems Security