Policy Number: CS-1510-2021
Policy Title: Local Administrator Policy
Policy Owner: Chief Information Officer
Effective Date: September 22, 2021
Last Revised: September 22, 2021
This policy defines rules regarding the granting and use of administrative privileges on Mohawk College owned devices which run Windows 10 or Apple macOS. This does not include cellular phones and may include some tablets.
Some users, by the nature of their work, require additional software that is not included in the standard software suite available on managed devices. In most cases, the college IT department can install additional licensed software on behalf of the user upon request. In other cases, administrative privileges may be required to support a user’s needs.
This policy applies to all employees, contractors, consultants, researchers, volunteers, or other workers, including any Mohawk College community members, that use any Mohawk College owned devices which run Windows 10 or Apple macOS, regardless of their role, location, or facility. This does not include cellular phones and may include some tablets.
“Administrative Privileges” refers to the ability to perform most, if not all, functions within an operating system and includes tasks such as installing software and hardware drivers and changing system settings.
“Device(s)” refers to the devices in scope of this policy. The devices in question include any college computer or tablet running a Windows operating system or Apple macOS that has been provided by the college IT department. This does not include cellular phones and may include some tablets.
“Local Account” refers to an account that allows some level of access to an individual device. The local account's settings determine your permissions for running programs, installing and removing programs, accessing files, and enabling and disabling services.
“Local Administrator Account” is a role-based account locally on a computing device that has full permissions to make any number of changes and/or access to other accounts, roles, configurations, and installations on a given device.
“Local System” refers to an individual device to which a user has access.
“Principle of least privilege” advocates that users should use an account that is granted only the minimum access permissions necessary to complete a task and nothing more.
“Standard User” refers to an account level which has been granted only the minimum access permissions necessary to complete a task.
“Users” refers to employees, contractors, consultants, researchers, volunteers, or other workers including College community members.
Mohawk College protects its assets, intellectual property, and information from potential external threats.
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
This policy is aligned to the National Institute of Standards and Technology Cybersecurity Framework and ISO 27001, and is enforced by the Chief Information Officer.
6.1 Risks Associated with Administrative Privileges
The assumption of administrative privileges on a College device carries certain inherent responsibilities and increased risks. These include the potential loss of data, compliance with privacy, intellectual and copyright laws, and increased threat of compromise from external threats, including:
6.1.1 Data Security
Administrative privileges increase susceptibility to spyware, malware, and potentially damaging security breaches due to the elevated level of rights and permissions associated with administrative privileges. Users should be familiar with Mohawk College’s IT Cybersecurity Guidelines and relevant policies.
6.1.2 Data Loss
Safeguards intended to prevent inadvertent, irreversible actions can be inhibited by local administrative privileges. Users are solely responsible for any data that is stored locally and as such must exercise due diligence in providing a backup mechanism to ensure against the potential loss of any important data. Failure to implement a backup mechanism can result in permanent loss of such data.
6.1.3 Software Licensing & Copyright Laws
Adherence to copyrights and licensing agreements is mandatory for all installed software. Users do not have the authorization to agree to software terms and conditions (End User License Agreements) on behalf of Mohawk College. Contact the college IT Service Desk for information on obtaining software.
6.2 User Account Access Rights for College Owned Devices
User accounts on College owned devices must be configured as standard users with the principle of least privilege to protect the College network, resources, and domain-based systems. Standard user accounts only allow local system access to that which is required for employees to perform their intended duties.
6.3 Escalating Privileges to Perform Employee Duties
From time to time, it may be necessary for an employee to escalate their privileges on their local machine to become a local administrator in order to install or run certain software that is not included in the standard image or available through the MohawkApps catalogue. For these situations, the following rules apply:
6.3.1 On-Demand Administrative Rights
Employees who require local administrative rights to install software or perform some form of testing where a standard user account will not suffice may request this escalation of access through the IT Service Desk. The request requires a documented business justification, and authorization is performed by the IT Service Desk. Refer to Appendix A – Procedure to Request On-Demand Local Administrative Privileges.
6.3.2 Long Term Administrative Rights
Some software packages do require local administrative rights to run. In these situations, employees may request long-term administrative rights through the IT Self Service Portal. These requests must be accompanied by a business justification and formally approved by the employee’s Manager, then reviewed and approved by the IT Security office. Needs will be reassessed on a yearly basis and can be subject to change should an employee’s role change. IT reserves the right to remove these permissions at their discretion. Refer to Appendix B – Procedure to Request Long Term Administrative Privileges.
6.4 Use of Local Administrative Privileges
Employees who request local administrative rights must acknowledge that an inappropriate use of those rights may present risks to Mohawk College by potentially weakening the device configuration or hardening, or by introducing malicious software, be it intentionally or accidentally. As such, those employees must be aware of the following additional responsibilities:
- The employee is responsible on an ongoing basis to keep up-to-date with any security updates relevant to additional installed software as released by its publisher(s) and perform timely installation of such updates.
- Only software in compliance with its copyright and licensing may be installed.
- Only software applications and tools required for a user’s work in support of Mohawk College can be installed.
6.4.1 Forbidden Use of Administrative Privileges
Employees must not perform the following actions or activities while granted administrative rights.
- Using administrative rights to add your own or any user account to the local administrators group is strictly forbidden and actively monitored by IT Security.
- Additional local accounts (with or without administrative privileges) may not be created unless they are documented by the vendor as a requirement of software to be installed and approved by IT.
- Software that interferes, inhibits, disables or bypasses installed anti-malware software may not be used. Anti-malware software may be temporarily disabled with assistance from the IT Service Desk when necessary, to prevent issues during software installation only.
- Third-party remote access software (e.g., LogMeIn®, GotoMyPC®, TeamViewer®) may not be installed or used to enable remote desktop access to a Mohawk College device. Where available, approved remote desktop access service can be requested through the IT Service Desk.
- Software that captures, displays, or manipulates network traffic in an incognito or other mode may not be installed unless such is required in the normal course of assigned work responsibilities.
- Automatic Updates may not be disabled (where it may be configured for the operating system and other standard applications).
- Existing local accounts and services may not be disabled.
- IT's ability to support the College-owned system may not be impeded.
7.1 Revision Date
The Chief Information Officer will review this policy every five years or earlier where required.
- Appendix A – Procedure to request On-Demand Local Administrative Privilege.
- Appendix B – Procedure to request Long-Term Administrative Privilege.
- CS-1502-2022 Acceptable Employee Use of IT Resources
- GC-4100-2013 Intellectual Property
- GC-4101-2013 Copyright
- Academic Collective Agreement
- Support Staff Collective Agreement
- Terms and Conditions of Employment for Administrative Staff
- Copyright Act
- End User Licensing Agreement directly affected by any installed software.
By default, users are granted User access level on their devices. Local administrator access is granted on an as-requested basis for a particular device for justified business needs.
The following procedure applies to on-demand administrative privileges, which allow this access for a duration no longer than 24 hours from the time of approval. It is for use when installing or updating a piece of software that falls under the rules outlined above, where access is not necessary for a longer period.
To request on-demand local administrative privileges:
- Review this policy.
- Request temporary/on-demand local administrative privileges by contacting the IT Service Desk via:
  - ITS Portal
  - helpdesk [at] mohawkcollege.ca (Email)
  - Phone – 905-575-2199
- A business justification is necessary before the request can be fulfilled.
- The IT Service Desk will then send the requestor a username and password with instructions on their use.
By default, users are granted User access level on their devices. Long-term administrative access is granted on an as-requested basis for a particular device based on a justification of the need.
To request long term local administrative privileges:
- Review this policy.
- Log in to the ITS Portal to submit a request:
  - Choose Submit Request
  - Accounts and Systems Access
  - Long-Term Local administrator privileges
- Fill out the form on the page and submit the request.
- The IT Service Desk will send the necessary approval emails to your Manager.
- Once approved by your supervisor/manager, the submission will be reviewed and approved by the IT Security Office.
- The IT Service Desk will then grant administrative privileges on the device indicated in the request.