EECS Systems And Administrative Rights/Privileges
Computer operating systems such as Microsoft Windows, Linux, or Apple MacOS generally prevent users from performing administrative tasks (changing settings, installing certain software, etc.) unless special privileges have been granted. These are variously known as administrator/administrative/admin rights, “root” privileges, etc. We will refer to these rights as “admin rights” in this document. This level of access control can be all-or-nothing (a user either has or does not have admin rights) or more fine-grained (a user has access to some, but not all, administrative functions).
The practice of giving users only as much access to critical functions as needed for their tasks is usually referred to as the Principle of Least Privilege. More broadly, there is the concept of Separation of Duties. In information technology, this generally means that administrative functions should be performed by a separate person or entity (e.g. a system administrator) from the actual end-user of a device. Implementing these principles is considered “best practice”, and this is reflected in guidelines such as the National Institute of Standards and Technology's (NIST) “Security and Privacy Controls for Federal Information Systems and Organizations”, commonly known as the NIST Controls, and by the Center for Internet Security (https://www.cisecurity.org). UT's IT policies also enshrine these ideas. For more information see:
In practice, it is often necessary for end-users to be able to perform tasks the operating system reserves for those with admin rights. EECS IT has established procedures for granting admin rights on certain systems.
System Types
EECS IT generally distinguishes between three types of computer systems in regards to admin rights:
EECS IT Managed
There are systems that are solely managed by the EECS IT Staff where no end-users may have admin rights. These include teaching lab computers and IT infrastructure servers such as departmental file servers, license servers, etc. Desktop and laptop computers holding certain sensitive information may also be included in this category. Faculty may elect to cover some research systems under this rubric as well. EECS IT-managed server hardware is actively monitored for failures where possible, and we will handle all warranty repairs.
Having EECS IT perform any admin duties on a computer system is the default for new installations. Moving a system out of this category and into either of the two other categories requires the proper approvals.
Combined Management
On systems with combined management, end-users are granted some (or even most) of the admin rights. EECS IT maintains admin access to these systems. EECS IT and broader UTK security policy may prevent end-user access to certain administrative tasks as deemed necessary and where fine-grained control is possible. Admin rights are granted upon request by the end-user and approval by the system owner and EECS IT. Most often, these are desktop/laptop computers or research servers. Common reasons for requesting combined management on EECS systems include the need to install software that is not supported by EECS IT. End-users will be entirely responsible for complying with any applicable license agreements, regulations, and laws regarding third-party software. Where possible, EECS IT monitors the health of any combined-management server hardware.
Administrative rights are generally granted in one of the ways outlined below. Procedures may change on a case-by-case basis as discussed between system owners and EECS IT. Please note that end-users are encouraged to ask for help from EECS IT when performing admin tasks. End-users are responsible for the information security of these systems.
Microsoft Windows Systems
On Microsoft Windows computers, administrator rights are furnished to the end-user by adding their UT Active Directory account to the local “Administrators” group on the system. EECS IT continues to apply Active Directory Group Policy as well as Microsoft Intune policy to these systems, so some admin tasks will be unavailable to end-users. These include, but are not limited to, disabling the Windows firewall and disabling automatic updates. As stated above, EECS IT also retains admin rights on these systems. This is the highest level of administrative access that end-users may obtain on Microsoft Windows systems. No Windows systems may be entirely managed by the end-users.
Apple MacOS/iPadOS Systems
Apple MacOS and iPadOS systems are managed in a similar way to those running Microsoft Windows. While end-users may be granted administrator privileges, all Apple systems must be enrolled in UT's central Intune policy. Again, EECS IT also retains admin rights on these systems.
Red Hat Enterprise Linux
EECS IT maintains a Linux infrastructure including network storage for user home directories and research areas, etc. If end-users require certain admin rights on computers participating in this infrastructure, these rights may be granted via the sudo mechanism. This means users will not have full “root” privileges and their admin rights will be limited to specific commands. Users will need to request specific admin rights (e.g. the ability to restart the system or to install software from trusted repositories) from EECS IT which will vet and grant these as appropriate.
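As an added illustration of the sudo-based approach described above (this is example code, not EECS IT's actual tooling), the following wrapper script realizes the “install software from trusted repositories” right without handing out `dnf` itself. The script path, group name and repository names are assumptions; a sudoers rule such as `%eecs-limited-admins ALL=(root) /usr/local/sbin/eecs-pkg-install` grants the group exactly this one command.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/eecs-pkg-install (assumed path; not the
# department's real tooling). Members of an assumed sudoers group may run this
# as root to install packages by name from a fixed repository set.
#
# Why a wrapper instead of "dnf install *" in sudoers: a sudoers "*" also
# matches later arguments, so a user could append --enablerepo= or
# --nogpgcheck and install from an untrusted source. The wrapper must be
# root-owned and not writable by the group that is allowed to run it.

# Repository set treated as trusted (assumed names).
TRUSTED_REPOS='rhel-*,epel'

# Return 0 if every argument is a plain package name: non-empty, not starting
# with "-" (would be parsed as an option), and using only the characters that
# RPM package names allow. Otherwise return 1.
eecs_pkg_validate() {
    [ "$#" -gt 0 ] || return 1
    for pkg in "$@"; do
        case $pkg in
            '')                     return 1 ;;   # empty argument
            -*)                     return 1 ;;   # looks like a dnf option
            *[!A-Za-z0-9._+-]*)     return 1 ;;   # shell/option/repo syntax
        esac
    done
    return 0
}

# Validate, then install with the repository list pinned by this script.
# "--" stops dnf option parsing so no argument can be treated as an option.
eecs_pkg_install() {
    if ! eecs_pkg_validate "$@"; then
        echo "eecs-pkg-install: refusing argument list" >&2
        return 2
    fi
    exec /usr/bin/dnf --disablerepo='*' --enablerepo="$TRUSTED_REPOS" \
        install -- "$@"
}

# Only act when executed as the installed script, so sourcing for tests is safe.
case $0 in
    */eecs-pkg-install) eecs_pkg_install "$@" ;;
esac
```

Sudo logs each invocation of the wrapper, so the grant stays auditable while the user never receives a root shell or unconstrained `dnf` arguments.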
End-user Managed
Some systems are entirely managed and administered by the system owner, end-user(s), or their designate(s). Most often, these are research computers managed by the respective faculty's research groups. EECS IT may have no direct admin rights on these systems, or access may be limited to emergency procedures such as remote shutdown of the computer. Most often, these rights are requested when the end-user(s) want to install an operating system that is not supported by EECS IT. EECS IT may impose limitations on these computers, such as requiring use of a VPN to access the system, mandating that certain security controls be implemented, etc. These admin rights are granted upon request by a faculty member and in consultation with EECS IT. Please note that EECS IT cannot install departmentally-owned software or licenses on these systems. EECS IT does not monitor the health of end-user managed server hardware. End-users are responsible for the information security of these systems.
Required software for UT-owned systems
- Microsoft Defender must now be installed on all UT-owned Windows, MacOS, and Linux systems.
- For Linux server systems, Microsoft 365 Defender (Microsoft Defender for Endpoint/Advanced Threat Protection) will incur a cost of $62/year. This includes virtual machines.
- Coming Soon: Instructions for installing Microsoft 365 Defender on Linux systems.
You may be asked to verify that your system is monitored by both the Tenable Nessus security scanner and Microsoft 365 Defender by providing the output of the following two commands:
/opt/nessus_agent/sbin/nessuscli agent status
/usr/bin/mdatp health
Recommended software for Dell server products
- Dell System Update - for firmware/BIOS updates.
- Dell OpenManage Server Administrator - for hardware health monitoring, configuration, etc.
Recommended software for Dell desktop products
- Dell Command Update - for firmware, BIOS, and driver updates.
System Security Planning
No matter whether a system is wholly, partially, or not at all managed by EECS IT, end-users are still responsible for complying with all University IT Policies. For systems that are entirely managed by EECS IT, end-users will not need to develop a System Security Plan (SSP). However, if end-users have some or all administrative rights or are entirely managing the system themselves, security planning will be their responsibility. Please see the following for more information:
- Additional IT Policies and Procedures including security plan templates.
For systems with combined management, EECS IT can assist you in creating a System Security Plan.
Requesting Admin Rights
Administrative rights are generally requested by end-users after consultation with the EECS IT Staff. Once a decision has been made to grant either combined management or end-user management of a system, the user(s) in question will be asked to fill out and sign a digital form which outlines their responsibilities. The system owner must co-sign the form. You can initiate this process by visiting https://tiny.utk.edu/eecsadminrights. The system host name as well as a justification statement will be required. If you have any questions, please contact EECS IT Support.