SLAC Computer Security

System Administrative Accounts

Confidential Use Requirements

Any user possessing an account with elevated administrative privileges (admin) shall abide by SLAC and Stanford University policies and exhibit the highest level of ethics.

Persons with access to confidential and private information are required by Federal and State privacy laws to keep it confidential.

Failure to abide by these policies is very serious and could impact your position at SLAC.

Please review the following Administrative Guide Memos: #1, University Code of Conduct, Section 3, found at http://adminguide.stanford.edu/1.pdf; #15.2, Staff Policy on Conflict of Commitment and Interest, Section 2.b, found at http://adminguide.stanford.edu/15_2.pdf; and #63, Information Security, found at http://adminguide.stanford.edu/63.pdf.

Approval Process

Users must request an admin account from their manager in writing (via email), with a business justification.

Managers must ensure that the requestor has sufficient need and the skills and knowledge to use the admin account appropriately and will request the admin account on behalf of the requestor.

Requests for a Windows admin account on computers (laptop and/or desktop/workstation) assigned to the requestor for SLAC use must be submitted to the OCIO IT Departmental Support Manager and your Departmental Support team member (ithelp@slac.stanford.edu).

Use the Superuser/NFS Privileges form to request "sudo" privileges or a private "root" password on a Linux/Unix desktop system administered by OCIO.

Requests for system administrative accounts on Windows servers must be submitted to windows-admin (windows-admin@slac.stanford.edu).

Requests for network device admin accounts must be submitted to and approved by the OCIO Network and Telecom Manager (net-admin@slac.stanford.edu) or designee.

Requests for Windows domain administrator or UNIX "root" accounts must be submitted to the Computer Security Officer (security@slac.stanford.edu) or designee for approval, with the concurrence of the IT Infrastructure and Operations Manager or designee.

The Enterprise Applications team members submit requests through Privilege Request Tracker.

Requirements to Obtain (and Maintain) Account Access

Admins must:

  1. Not use their admin account for everyday tasks, such as reading email or surfing the Internet. Log in with an administrator account only when you need to perform system administration tasks.

  2. Have sufficient knowledge to perform required tasks.

  3. Ensure that the systems they have admin rights to are well maintained, e.g. OS patched, applications up to date, etc.

  4. Stay up to date with the latest threats and risks.

  5. Keep skills up-to-date.

Failure to meet these requirements may result in loss of the admin account.

Security Monitoring of Account Changes

Managers must review, at least annually, whether a user with admin rights still needs them. This must be done in an auditable fashion, by asking the question via email or RT.

 

Owner: SLAC Computer Security
Last Updated: 04/30/2012
Feedback: Please send to Computer Security Feedback