Endpoint Privilege Management
Overview
A core principle of safe computing is to never use more privileges than necessary for day-to-day computing tasks. Normal tasks like web browsing and email should happen on a standard account, and never with administrative privileges. However, all users eventually encounter a scenario that requires them to elevate their privileges to a higher level in order to accomplish a task. Our goal is to enable this elevation without undue burden to the user or their local IT support staff.
At Texas A&M, we believe that our users are capable of making rational and informed decisions about security risks when properly educated and treated with respect. This belief is reflected in our approach to providing administrative rights to their devices. We believe we can provide our users the flexibility to perform their tasks while maintaining a secure environment.
Technology Services has selected two primary tools to enable privilege elevation on end user devices: Admin By Request for Windows devices, and Privileges for macOS. These are flexible tools that allow for the management of privilege elevation via multiple approaches. We have adopted two primary models for most end user devices on campus.
Default Model: Admin Sessions
The Admin Session model allows users to elevate their privileges with the click of a button, grants them administrative rights for a short period, and then automatically drops them back to an unprivileged level when that period ends. This model is particularly suited to academic environments, where faculty and other knowledge workers often need administrative access for novel or unpredictable tasks.
Alternative Model: Allow/Deny Lists
Using Allow/Deny lists is a more traditional approach, where specific applications or actions requiring administrative privileges are either permitted or denied. This model provides stricter control over administrative access and is available in situations where the Admin Session model is not suitable (e.g. staff members with narrowly-defined responsibilities and access to sensitive data, or lab environments with devices shared between multiple users). In many cases, commonly used software can be found in the platform software store (Software Center for Windows and Jamf’s Self-Service Hub for macOS).
There are two primary configurations possible when using the Allow/Deny List model:

- DEFAULT ALLOW; EXPLICIT DENY
  This configuration will allow users to install any software unless it is explicitly listed on a "prohibited software" list (IT Security maintains a global list of software that is prohibited for Texas A&M University; it is the responsibility of platform admins to keep their platform in sync with that global list).
- DEFAULT DENY; EXPLICIT ALLOW
  This configuration provides the most controlled environment for devices. Only specifically pre-authorized applications and actions are available to the user; all other actions and application installs are prevented.
Policies
- The Admin Session model is the default setting for all users in academic environments.
  - The Allow/Deny List model is available as an alternative in situations where the Admin Session model is not appropriate.
  - In order to utilize the Allow/Deny List model, a documented business justification must be approved by the Office of the CISO.
- Non-academic units can choose between the Admin Session model and the Allow/Deny List model based on their operational requirements.
  - Non-academic units will decide which model to implement in consultation with the Endpoint Security and the Unified Endpoint Management team to ensure alignment with security policies and overall management strategy.
  - Final approval for any non-academic unit rests with the corresponding Associate Vice President within Technology Services over that area.
- Some non-academic units may choose to operate without providing users any access to elevated privileges at all; in those cases, the Admin By Request agent does not need to be installed. Final approval for this rests with the corresponding Associate Vice President within Technology Services over that area.
- Admin By Request and Privileges are the only allowable tools to deliver privilege elevation on end user devices.
- Privilege elevation is only allowable on devices where telemetry is being collected (the Elastic agent is installed).
- Regardless of the model, applications on the list of prohibited software maintained by IT Security are never permitted on Texas A&M devices.
- Requests for exceptions to the default model must be submitted in writing to the Endpoint Security team; approval is required from the Office of the CISO.
Additional Information
Information technology professionals on campus may contact endpoint-security@tamu.edu to ask any questions or request additional information.