Endpoint Privilege Management
Overview
A core principle of safe computing is to never use more privileges than necessary for day-to-day computing tasks. Normal tasks like web browsing and email should happen on a standard account, and never with administrative privileges. However, all users eventually encounter a scenario that requires them to elevate their privileges to a higher level in order to accomplish a task. Our goal is to enable this elevation without undue burden to the user or their local IT support staff.
At Texas A&M, we believe that our users are capable of making rational and informed decisions about security risks when properly educated and treated with respect. This belief is reflected in our approach to providing administrative rights to their devices. We believe we can provide our users the flexibility to perform their tasks while maintaining a secure environment.
Technology Services has selected two primary tools to enable privilege elevation on end user devices: Admin By Request for Windows devices, and Privileges for macOS. These are flexible tools that allow for the management of privilege elevation via multiple approaches. We have adopted two primary models for most end user devices on campus.
Default Model: Admin Sessions
The Admin Session model lets a user elevate their privileges with the click of a button, grants administrative rights for a short, fixed period, and then automatically drops the account back to an unprivileged level when that period ends. This model is particularly suited to academic environments, where faculty and other knowledge workers often need administrative access for novel or unpredictable tasks.
Alternative Model: Allow/Deny Lists
Using Allow/Deny lists is a more traditional approach, where specific applications or actions requiring administrative privileges are either permitted or denied. This model provides stricter control over administrative access and is available in situations where the Admin Session model is not suitable (e.g. staff members with narrowly-defined responsibilities and access to sensitive data, or lab environments with devices shared between multiple users). In many cases, commonly used software can be found in the platform software store (Software Center for Windows and Jamf’s Self-Service Hub for macOS).
There are two primary configurations possible when using the Allow/Deny List model:
- DEFAULT ALLOW; EXPLICIT DENY: This configuration allows users to install any software unless it is explicitly listed on a "prohibited software" list. IT Security maintains a global list of software that is prohibited for Texas A&M University; it is the responsibility of platform admins to keep their platform in sync with that global list.
- DEFAULT DENY; EXPLICIT ALLOW: This configuration provides the most controlled environment for devices. Only specifically pre-authorized applications and actions are available to the user; all other actions and application installs are prevented.
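The two configurations differ only in what happens to a request that is on no list, but in both of them the global prohibited-software list has to win over whatever the platform admin has configured. The following is an added example (not code from this page, nor from Admin By Request or Privileges) that evaluates an elevation request under each mode and reports when a platform list has drifted from the global list; the application names, list contents and the `decide`/`out_of_sync` helpers are constructed for illustration, and real tools match on code signature, publisher and path rather than a bare name.

```python
"""Allow/deny-list evaluation for privilege elevation requests.

Added example, not part of the original page or of any vendor tool. The
application identifiers, list contents and request records below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEFAULT_ALLOW = "default allow; explicit deny"
    DEFAULT_DENY = "default deny; explicit allow"


@dataclass(frozen=True)
class Policy:
    mode: Mode
    # Names the platform admin has explicitly listed. Under DEFAULT_ALLOW this
    # is a deny list; under DEFAULT_DENY it is an allow list. Stored casefolded.
    platform_list: frozenset[str]
    # Global prohibited-software list maintained by IT Security (constructed).
    global_prohibited: frozenset[str]


def decide(policy: Policy, app: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an elevation request naming `app`.

    The global prohibited list is checked first so that it overrides the
    platform list in either mode: a prohibited application stays blocked even
    if a platform admin mistakenly allow-listed it.
    """
    key = app.casefold()
    if key in policy.global_prohibited:
        return False, "on global prohibited-software list"
    if policy.mode is Mode.DEFAULT_ALLOW:
        if key in policy.platform_list:
            return False, "on platform deny list"
        return True, "not explicitly denied"
    if key in policy.platform_list:
        return True, "on platform allow list"
    return False, "not explicitly allowed"


def out_of_sync(policy: Policy) -> set[str]:
    """Entries a platform admin should fix to keep in sync with the global list.

    DEFAULT_ALLOW: prohibited items missing from the platform deny list.
    DEFAULT_DENY: prohibited items that were (wrongly) placed on the allow list.
    decide() blocks these either way; this is the housekeeping check.
    """
    if policy.mode is Mode.DEFAULT_ALLOW:
        return set(policy.global_prohibited - policy.platform_list)
    return set(policy.global_prohibited & policy.platform_list)


# Constructed sample data: hypothetical application names only.
GLOBAL_PROHIBITED = frozenset({"example-banned-vpn", "example-keygen"})

LENIENT = Policy(
    Mode.DEFAULT_ALLOW,
    frozenset({"example-banned-vpn", "torrent-client"}),  # deny list
    GLOBAL_PROHIBITED,
)
STRICT = Policy(
    Mode.DEFAULT_DENY,
    frozenset({"vendor-ide", "example-keygen"}),  # allow list, one bad entry
    GLOBAL_PROHIBITED,
)


def demo() -> dict[str, tuple[bool, str]]:
    """Run a few representative requests through both configurations."""
    return {
        "lenient/unknown": decide(LENIENT, "Some-New-Tool"),
        "lenient/denied": decide(LENIENT, "Torrent-Client"),
        "strict/unknown": decide(STRICT, "Some-New-Tool"),
        "strict/allowed": decide(STRICT, "Vendor-IDE"),
        "strict/prohibited-but-allowlisted": decide(STRICT, "example-keygen"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:36} {'ALLOW' if allowed else 'DENY':5} ({reason})")
    print("lenient drift:", out_of_sync(LENIENT))
    print("strict drift: ", out_of_sync(STRICT))
```

The `strict/prohibited-but-allowlisted` case is the one worth noticing: the allow list alone would have permitted `example-keygen`, and only the ordering in `decide()` keeps the global prohibition authoritative. `out_of_sync()` is the check a platform admin can run after IT Security updates the global list.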
Policies
- The Admin Session model is the default setting for all users in academic environments.
- The Allow/Deny List model is available as an alternative in situations where the Admin Session model is not appropriate.
- In order to utilize the Allow/Deny List model, a documented business justification must be approved by the Office of the CISO.
- The Admin Session model is only available for devices where telemetry is being collected (the Elastic Agent is installed).
- Admin By Request is required for faculty units.
- Non-academic units (e.g., Finance, HR) may choose whether to implement Admin By Request, particularly if they are removing administrative rights entirely and not utilizing any privilege elevation. However, the moment administrative rights are required for a task, the unit must use Admin By Request.
- Non-academic units may select the most suitable model (Admin Session or Allow/Deny List) for their operational requirements. The unit decides which model to implement in consultation with the Endpoint Security and Unified Endpoint Management teams, to ensure alignment with security policies and the overall management strategy.
- Final approval for any non-academic unit rests with the corresponding Associate Vice President within Technology Services over that area.
- Regardless of the model, applications on the list of prohibited software maintained by IT Security are never permitted to be installed on Texas A&M devices.
- Requests for exceptions to the default model must be submitted in writing to the Endpoint Security team; approval is required from the Office of the CISO (or designee).
Additional Information
Information technology professionals on campus may contact endpoint-security@tamu.edu to ask any questions or request additional information.