Technology

Desktop Access Procedure

Goals:
  1. To ensure that CSC employees are provided access to productive desktop computers required to meet their academic objectives.
  2. To create a climate in which all members of the academic community accept responsibility for protecting campus computing and information systems.
  3. To implement access controls which assure that an appropriate balance exists between the need to protect information resources and the need to allow users appropriate access to data and applications.
  4. To protect technology resources from unauthorized access by viruses, spy-ware and other unauthorized access.
  5. To control potential support issues caused by open access computers.
  6. To allocate support resources to the relevant needs of the campus.
  7. To explain the characteristics of the access levels within the CSC environment.

According to Microsoft standards, the Windows 2000 network environment defines three access levels for Windows 2000 and XP operating systems; Normal User, Power User, and Administrative User. According to Apple standards, two access levels are defined for the Mac OS X operating system; Normal User and Administrative User.

By default, computers running Windows XP, 2000, and OSX are configured with the Normal User access level. The Normal User access level provides a solution in which users can run applications with the systems secured against the three most common forms of attack (spy/malware, viruses, and software vulnerabilities). Because of the high level of system protection, the Normal User access level minimizes interruptions for the user and reduces the support demand on Information Technology personnel. Computers running older operating systems, such as Windows 98 or Mac OS 9, are open, vulnerable computers and will be migrated to the newer OS or removed from the campus network.

To advance to a Power User or Administrative User, an individual must provide a request and justification to the Director of Information Technology via e-mail. Justification should reference directly each of the items listed in the Profile Description Table associated with the requested access level. Prior to granting an elevated access level the employee is required to attend training provided by the Department of Information Technology, demonstrate the skills necessary to manage elevated access levels, and accept the responsibilities associated with the access level and the resulting consequences should their system become infected or identified as a support burden. The Department of Information Technology maintains a log of users with an advanced access level which contains the justification for their access as well as a list of systems on which access is granted.

In the event that a computer to which elevated access has been granted requires servicing by Computer Support resources, the computer will be re-imaged to the base image. The issue will be documented with the Director of Information Technology, the user, and the supervisor. The employee will be required to attend follow-up training and testing in order for restoration of the elevated access level. Upon the second service occurrence, the computer will be re-imaged and the Normal User access level will be applied to the user's account.

This procedure must be reviewed and modified as needed to align with the rapid rate of operating system updates issued by software manufacturers.

Access Level Description Table

  Normal User Power User Admin User
Level of:
System Protection		 High Limited User Controlled
User Responsibility Low High High
Computer Support
 		 Low Moderate High
Service Priority High Moderate Low
       
Risk of:
Virus Infection		 Low High High
Spyware/Malware Infection Low High High
Software Vulnerability attack Low Medium High
       
Responsibility for:
Windows Updates		 CS CS User*
Troubleshooting Software CS User* User*
Virus Updates/Cleanup CS/CS User* User*
Spyware Updates/Cleanup n/a User* User*
Application Software Installation CS User* User*
Application Software Execution User User* User*
Licensing Compliance CS User* User*
Backup of data User** User** User**
       
Modification of:
Core Registry		 Denied Partial Allowed
System Folder Denied Partial Allowed
System Files Denied Partial Allowed
Network Settings Denied Partial Allowed
Program Files Folder Denied Allowed Allowed
Basic User Settings Allowed Allowed Allowed

 

*Users granted the Power User and Administrative User access levels must following licensing policies and compliance. These individuals must have the computer expertise to support and troubleshoot their own software. Should they have trouble with software that they are unable to resolve, they are required to back up their data and the Department of Information Technology will re-image their system to the standard base image. The end user is responsible for restoration of their data and installation of software beyond the base image.

**The Department of Information Technology strongly recommends that all users, regardless of access level, save all data (including programs they install on their own) in the Documents folder at the root of the hard drive (C:\Documents). Users are responsible for the routine backup of the data on their systems. Backup of that data is greatly simplified by using the single Documents folder location. Backup options may include: Z-drive, zip disks, CD-Rs, floppy disks, and USB jump drives. Data on the Z-drive is backed up nightly by the Department of Information Technology.

Detailed Access Level Descriptions

  1. Normal User:
    Highest Level of Protection, Low User Responsibility, Minimal Computer Support Required
    • Benefits:
      1. Due to automated updating controlled by the Department of Information Technology, the user does not need to perform Windows updates, virus scanner updates, or spyware sweeps.
      2. Due to the restricted access to system files, systems cannot be infected by most network spread spyware/malware and viruses. Does not prevent infection due to a user opening an infected e-mail attachment, for example.
      3. User can run most software once it has been installed by the Department of Information Technology.
      4. User can modify basic user settings (screensaver, desktop appearance, etc.)
      5. User can modify files within the C:\Documents and Z:\ directories.
    • Restrictions:
      1. User cannot install any software that modifies the core registry or system folders or program files folders.
      2. User cannot modify any systems files or network settings.
    • Concerns:
      1. The three most common risk factors are minimized at this level, however there is still a risk of computers being damaged by virus infected files opened prior to scanning.

         
  2. Power User (Not available on the Macintosh OS) Limited Protection, High User Responsibility, Moderate Level of Computer Support Required
    • Benefits:
      1. Due to automated updating controlled by the Department of Information Technology, the user does not need to perform Windows updates.
      2. Due to the ability to modify Program Files folders and most System files and parts of the registry, the user can install some software.
      3. User can modify basic user settings (screensaver, desktop appearance, etc.)
      4. User can modify files within the C:\Document and Z:\ directories.
    • Restrictions:
      1. Depending upon the type of spyware, a user may not be able to remove spyware even though it was installed with their access level
      2. User cannot modify all system files and settings or network settings affecting the ability to install software and customize the computer.
    • Concerns:
      1. System can be infected by most network spread spyware/malware and viruses so the end user is responsible for regular scans and updating of the detection/removal software.
      2. User has the ability to disable the virus scanner so they are responsible for making sure it is active and updated.
      3. Because the user has the ability to load software, they may knowingly or unknowingly violate CSC licensing agreements.
      4. User may accidentally or purposely load software that places a burden on the network and/or infects other campus computers and mission critical servers.

         
  3. Administrator
    Unprotected, High Risk, High User Responsibility, High Level of Computer Support Required
    • Benefits:
      1. User has full access to the computer.
    • Restrictions:
      1. Nothing restricts the user.
    • Concerns:
      1. Although the user does not need to perform Windows or anti-virus updates, they are responsible for making sure the settings do not change a verifying that the updates are occurring. Failing to do so risks system and network infection.
      2. System can be infected by all spyware/malware and viruses so the end user is responsible for regular scans and updating of the detection/removal software.
      3. The Department of Information Technology has to monitor network traffic to see if the system becomes infected and deal with it if it does.
      4. Because the user has the ability to load software, they may knowingly or unknowingly violate CSC licensing agreements.
      5. User may accidentally or purposely load software that places a burden on the network or attacks computers on campus including the mission critical serves.
      6. User may accidentally or purposely modify network settings that could disable the campus network.
      7. Computer service may be delayed due to other projects or obligations. Users are expected to obtain the skills necessary to resolve system problems.
      8. It is the user's responsibility to be aware of and follow all policies/procedures.

Effective: July 27, 2005 as approved by Executive Staff

Publicized:

CS Web Page-August, 2005
Faculty Handbook-August, 2005

As per the 2007-09 SCEA Agreement:
In compliance with college prescribed procedures which require prior disclosure and approval, faculty with college provided computer training, which shall be available on a regular basis, may load or have loaded licensed, academic-specific software on their office computers. Such approval to load software shall be made in a timely manner and shall not be unreasonable denied. Any such denial must specify in writing the reasons for such denial.  Loading of any licensed, academic-specific software, which is interactive with the campus network, will be done with the assistance and approval of the campus computer services administration.

Associated CSC Policy Statement:
Employees may petition to the Director of Information Technology to load licensed, academic-specific stand-alone software on their office computers.

Employees must complete the required training and associated assessment. Employees who have been granted such privilege are advised to consult with Information Technology personnel prior to the loading of such software to gain approval based on hardware compatibility with the software and to avoid conflicts with supported software. An employee granted such access, who does not consult with the Department of Information Technology prior to installing software or downloading files and/or whose system is negatively affected to the extent that service is required by the Department of Information Technology, will be returned to normal user access level and the affected computer will be re-imaged. The employee will be required to complete follow-up training and assessment prior to re-granting of an elevated access level. Refer to the Department of Information Technology Desktop Access Procedure.

Forms