Information Security
Endpoint Local Administrator Standard
Last modified 11/3/2025
Purpose
The purpose of this standard is to establish secure guidelines for managing local administrator privileges [1] on University-managed endpoint devices [2]. These privileges provide users with significant control over systems, including installing software, altering security settings, and accessing sensitive data. However, such elevated access is a prime target for attackers, as compromised accounts with administrator privileges can be leveraged to disable defenses, propagate malware, and execute attacks like ransomware, which can spread quickly across networks and cause severe damage.
By implementing this standard, the University seeks to balance operational needs with security requirements, ensuring that local administrator privileges are granted only when necessary and in accordance with the principle of least privilege. This approach minimizes the potential for abuse while maintaining functionality, reducing the risk of threats that exploit excessive permissions.
Scope
This standard applies to all University-managed endpoint devices, including laptops/desktops and other portable devices used for University-related activities, and to accounts with administrative access to University-managed endpoint devices.
Scope Exemptions
This standard does not apply to systems with all network capabilities disabled or disconnected.
This standard does not apply to personal devices not managed by the University.
This standard does not apply to devices that fall under the scope of compliance for regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), or the Payment Card Industry Data Security Standard (PCI DSS). These devices are governed by their respective compliance requirements, which include specific security controls and practices related to the management of administrator privileges.
Standard
Endpoint devices [2] ("systems") and their support teams ("teams") must meet the following criteria:
- Systems must have an identified and documented functional owner.
- Systems must be managed and supported directly by a University IT team or through a partnership between a vendor and an IT support team.
- Systems with local administrator accounts must utilize dedicated user administrator accounts that cannot be used for daily work activities (email, Internet browsing, documents, etc.).
- Systems must utilize automatic group membership management [3] based upon active job role for user Endpoint Administrator Accounts with administrative access to multiple endpoint devices.
- Systems must use the University identity and/or directory solutions to manage local user administrator accounts and directory groups that grant endpoint user administrator access.
- Systems must utilize user accounts with the minimum access necessary for job role ("least privilege").
- Teams must establish and maintain a documented inventory of endpoint user administrator accounts.
- Teams must establish an Endpoint Administrator Account access granting and revoking process including:
  - Evaluating and documenting business need before granting administrative access.
  - Periodically reviewing administrative access.
  - Promptly revoking administrative access when no longer necessary.
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain devices or accounts are unable to meet the full requirements. For example, a daily work activity account may require local administrative access due to specific operational needs. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office (ISO) through the University's ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- User account names associated with the exception request
- Endpoint device hostnames affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The ISO will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following information provides supporting information referenced in the other sections of this document:
1. Administrator Privileges: The set of elevated rights and permissions that grant a user or account the ability to make significant changes to a system or device. This includes the ability to install software, modify system configurations, manage other user accounts, and alter security settings. In the context of this standard, local administrator privileges specifically refer to permissions granted on University-managed endpoint devices, which are confined to the local endpoint device.
2. University-Managed Endpoint Device: Any laptop, desktop, tablet, smartphone, or similar end-user computing device that is purchased, managed, or maintained by the University for conducting University business or processing University data. This definition excludes personally owned devices, which may connect to University networks but are not subject to the controls outlined in this standard.
3. Automatic Group Membership Management: Using automation to manage the membership of a group. Accounts should be added automatically upon hire and removed automatically upon exit. Examples of capable systems include Ansible and Grouper.
Compliance
The Information Security Office will report on local administrator membership to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following information provides supporting references that informed the development of this standard:
Local admin privileges: A double-edged sword | Crowe LLP
Risk of local administrator privileges | Device
Privileged Account Management, Mitigation M1026 - Enterprise | MITRE ATT&CK®
2024 Data Breach Investigations Report | Verizon
Cost of a Data Breach Report 2024 (ibm.com)
CIS Critical Security Controls Version 8 (cisecurity.org)
CIS Community Defense Model 2.0 (cisecurity.org)
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
5.1 Establish and Maintain an Inventory of Accounts: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
5.6 Centralize Account Management: Centralize account management through a directory or identity service.
6.1 Establish an Access Granting Process: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
6.2 Establish an Access Revoking Process: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
6.7 Centralize Access Control: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
6.8 Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.