According to Microsoft standards, the Windows 2000 network environment defines three access levels for Windows 2000 and XP operating systems: Normal User, Power User, and Administrative User. According to Apple standards, two access levels are defined for the Mac OS X operating system: Normal User and Administrative User.
By default, computers running Windows XP, Windows 2000, and Mac OS X are configured with the Normal User access level. The Normal User access level provides a solution in which users can run applications with the systems secured against the three most common forms of attack (spy/malware, viruses, and software vulnerabilities). Because of the high level of system protection, the Normal User access level minimizes interruptions for the user and reduces the support demand on Information Technology personnel. Computers running older operating systems, such as Windows 98 or Mac OS 9, are open, vulnerable computers and will be migrated to the newer OS or removed from the campus network.
To advance to a Power User or Administrative User, an individual must provide a request and justification to the Director of Information Technology via e-mail. Justification should reference directly each of the items listed in the Profile Description Table associated with the requested access level. Prior to granting an elevated access level, the employee is required to attend training provided by the Department of Information Technology, demonstrate the skills necessary to manage elevated access levels, and accept the responsibilities associated with the access level and the resulting consequences should their system become infected or identified as a support burden. The Department of Information Technology maintains a log of users with an advanced access level, which contains the justification for their access as well as a list of systems on which access is granted.
In the event that a computer to which elevated access has been granted requires servicing by Computer Support resources, the computer will be re-imaged to the base image. The issue will be documented with the Director of Information Technology, the user, and the supervisor. The employee will be required to attend follow-up training and testing in order for restoration of the elevated access level. Upon the second service occurrence, the computer will be re-imaged and the Normal User access level will be applied to the user's account.
This procedure must be reviewed and modified as needed to align with the rapid rate of operating system updates issued by software manufacturers.
Access Level Description Table
| | Normal User | Power User | Admin User |
|---|---|---|---|
| Software Vulnerability attack | Low | Medium | High |
| Application Software Installation | CS | User* | User* |
| Application Software Execution | User | User* | User* |
| Backup of data | User** | User** | User** |
| Program Files Folder | Denied | Allowed | Allowed |
| Basic User Settings | Allowed | Allowed | Allowed |
*Users granted the Power User and Administrative User access levels must follow licensing policies and compliance. These individuals must have the computer expertise to support and troubleshoot their own software. Should they have trouble with software that they are unable to resolve, they are required to back up their data and the Department of Information Technology will re-image their system to the standard base image. The end user is responsible for restoration of their data and installation of software beyond the base image.
**The Department of Information Technology strongly recommends that all users, regardless of access level, save all data (including programs they install on their own) in the Documents folder at the root of the hard drive (C:\Documents). Users are responsible for the routine backup of the data on their systems. Backup of that data is greatly simplified by using the single Documents folder location. Backup options may include: Z-drive, zip disks, CD-Rs, floppy disks, and USB jump drives. Data on the Z-drive is backed up nightly by the Department of Information Technology.
Detailed Access Level Descriptions
Effective: July 27, 2005 as approved by Executive Staff
CS Web Page-August, 2005
Faculty Handbook-August, 2005
As per the 2007-09 SCEA Agreement:
In compliance with college prescribed procedures which require prior disclosure and approval, faculty with college provided computer training, which shall be available on a regular basis, may load or have loaded licensed, academic-specific software on their office computers. Such approval to load software shall be made in a timely manner and shall not be unreasonably denied. Any such denial must specify in writing the reasons for such denial. Loading of any licensed, academic-specific software, which is interactive with the campus network, will be done with the assistance and approval of the campus computer services administration.
Associated CSC Policy Statement:
Employees may petition to the Director of Information Technology to load licensed, academic-specific stand-alone software on their office computers.
Employees must complete the required training and associated assessment. Employees who have been granted such privilege are advised to consult with Information Technology personnel prior to the loading of such software to gain approval based on hardware compatibility with the software and to avoid conflicts with supported software. An employee granted such access, who does not consult with the Department of Information Technology prior to installing software or downloading files and/or whose system is negatively affected to the extent that service is required by the Department of Information Technology, will be returned to normal user access level and the affected computer will be re-imaged. The employee will be required to complete follow-up training and assessment prior to re-granting of an elevated access level. Refer to the Department of Information Technology Desktop Access Procedure.