UIS.301.1 Elevated Privileges Management Guidelines

In support of UIS.301 Elevated Privileges Management Policy

Georgetown University has adopted the security audit and accountability principles established in the NIST SP 800-53 “Access Control” guidelines as the official policy for this security domain. Each system administrator, system owner, and elevated privileges account holder must adhere to the guidelines and procedures associated with this policy to support and comply with the University information security framework.

Elevated Privileges Requirements

  1. University Information Services (UIS) inventories and validates all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. 
  2. Default passwords on applications, operating systems, routers, firewalls, wireless access points, and other systems must be changed to values consistent with the requirements for administrative-level accounts before any new asset is deployed.
  3. All users with administrative account access must use dedicated administrator accounts for elevated activities. Elevated accounts should only be used for administrative activities and not internet browsing, email, or similar activities. 
    • Users with admin access to servers, endpoints, and enterprise systems may not alter, delete, or otherwise tamper with baseline configuration settings. This includes, but is not limited to, disabling antivirus software, creating additional local accounts, changing the MAC address, or disabling inventory and security management agents.
  4. Where multi-factor or two-factor authentication is not supported (for example, local administrator, root, or service accounts), elevated privilege accounts must use passwords that are unique to that system.
  5. All users with administrative accounts must connect via Georgetown VPN to access University information systems and assets.
    • VPN memberships are only granted after access to assets and systems has been approved by the system and asset owners.
    • Access to cloud platforms and computing environments is managed by membership in UIS-designated security groups.

  6. Multi-factor or two-factor authentication and encrypted channels must be used or enabled for all administrative account access. 
  7. UIS must configure systems to issue a log entry and alert on changes to elevated privileges accounts.
    • When an account is added to or removed from any group assigned administrative privileges, an alert should be generated and a log entry recorded.
    • Unsuccessful logins to an administrative account should generate an alert, and a log entry should be recorded.

  8. UIS must ensure that administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access.  
    • The dedicated machine will be segmented from the University’s primary network and will not be allowed Internet access.
    • The dedicated machine will not be used for reading email, composing documents, or browsing the Internet.