Administrator access and self-managed systems

About this policy

Policy contact: Mark Napier

Date of last update: April 30, 2021

Procedures

Approval Process

Please note that running an alternate, unsupported operating system (e.g. Ubuntu) in a virtual machine on one of our Luddy-managed systems is fully supported and we can set that up for you with no special approvals needed. See Running a Virtual Machine on Linux or Windows for additional details, or contact the ITG about other platforms.

Storing or manipulating sensitive data classified as restricted or critical is prohibited on self-managed systems without the explicit approval of the Luddy Director of IT. Further information is available regarding the classifications of sensitive data as well as via the comprehensive Data Sharing and Handling tool.

If you want administrator access to an ITG-managed system or a self-managed system, please submit the approval request form:

Request For Administrative Privileges

Submitted requests will be evaluated and you will receive notification of approval or rejection.

Once a request is approved by the sponsoring faculty (for non-faculty) and the Luddy Chief Information Privacy and Security Officer the appropriate permissions will be granted.

Documentation

These permissions will be documented via the help desk ticket and the hardware database. Notes will be added to the comments section of the corresponding hardware database entry using the #admin and #self-managed tags, and the help desk ticket number documenting the approval will be added to the database entry. This is done as follows:

  1. Add a tag like "#admin username" or "#self-managed username" to the comments section for the database entry, where username is the IU username of the user who was granted administrator rights.
  2. Add the help desk ticket number to the "Help Desk Issue #" field in the hardware database.

Verification

Verification of self-managed system configuration will be performed to ensure that the open services match those noted in the submitted Administrative Privilege request form. The Qualys security scanner will be used to detect vulnerabilities and ITG staff and the administrative user will be required to resolve all reported problems.

Administration Requirements

If you are installing Ubuntu Linux, we encourage you to follow the steps in the KB page Securing Ubuntu Linux in the IU Environment.

The administration of the system must follow IU policy IT-12 Security of Information Technology Resources as well as Luddy policies including IT Policy: Workstation Security and IT Policy: Mobile Device Security. Below is a summary of the key requirements all systems must follow to be in compliance with IU and Luddy policy:

Admin Access - Normal day-to-day usage of the system must be done using non-privileged accounts. When elevated privileges are needed, dedicated admin accounts or sudo must be used. Do not elevate your normal account to have administrative privileges.

Firewall - A host-based firewall (e.g. Linux iptables or Windows Firewall) must be used to limit open ports to only those explicitly required. ITG-managed systems will have this enabled by default and you must not disable it.
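The Verification section above says open services are checked against those listed in the Administrative Privilege request form, and the Firewall requirement says only explicitly required ports may be open. The following shell script is an added example of how a self-managed administrator might perform that comparison locally before the ITG check; it is not part of the policy or of any Luddy tool. It parses listening sockets in the format printed by `ss -Hltun` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), ignores loopback-only bindings, and reports every externally reachable port that is not on the approved list. The sample socket table and the approved list "22 80" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the policy page): compare listening sockets
# against the ports approved in the Administrative Privilege request.

# check_listening_ports APPROVED_PORTS SOCKET_TABLE
#   APPROVED_PORTS: space-separated port numbers, e.g. "22 80"
#   SOCKET_TABLE:   text in the format of `ss -Hltun` (no header line)
# Prints one "proto/port on address" line per unapproved, non-loopback
# listener. Prints nothing when the system matches the approved list.
check_listening_ports() {
  approved="$1"
  table="$2"
  while read -r proto _state _rxq _txq laddr _peer _rest; do
    [ -n "$proto" ] || continue            # skip blank lines
    port="${laddr##*:}"                    # text after the last colon
    addr="${laddr%:*}"                     # everything before it
    case "$addr" in
      127.*|'[::1]') continue ;;           # loopback only: not network-reachable
    esac
    case " $approved " in
      *" $port "*) ;;                      # explicitly approved
      *) printf '%s/%s on %s\n' "$proto" "$port" "$addr" ;;
    esac
  done <<EOF
$table
EOF
}

# Constructed sample in `ss -Hltun` layout (not captured from a real host):
# sshd and a web server are approved; DHCP client, a loopback-only database
# and a second web listener on IPv6 are also present.
SAMPLE_TABLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*'

# audit_sample: run the comparison over the constructed table with the
# constructed approved list "22 80"; used for the stand-alone demo.
audit_sample() {
  check_listening_ports "22 80" "$SAMPLE_TABLE"
}

# With --live, audit the current host instead of the sample. The approved
# list is taken from the second argument, e.g.:  ./audit.sh --live "22 443"
if [ "${1:-}" = "--live" ]; then
  findings=$(check_listening_ports "${2:-}" "$(ss -Hltun)")
else
  findings=$(audit_sample)
fi

if [ -n "$findings" ]; then
  printf 'Unapproved network-reachable listeners:\n%s\n' "$findings"
else
  echo "All network-reachable listeners are on the approved list."
fi
```

Run without arguments to see the constructed sample flagged (udp/68 and tcp/8080 are not approved; the loopback-only 3306 is deliberately ignored). Anything the script reports should either be closed, blocked by the host firewall, or added to the request form so the ITG verification matches the system.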

Passphrases - All accounts must have passphrases that meet the IU Passphrase Requirements. ITG-managed systems will use normal IU passphrases, and this must not be changed.

Accounts - Accounts on ITG-managed systems should not be created without Luddy approval. On self-managed systems, accounts should be given to each individual needing access. The use of shared group or guest accounts is not permitted without Luddy approval.

OS Updates - ITG-managed systems will be configured to receive OS updates automatically and this should not be disabled. Self-managed systems must be running an operating system that is currently supported by the OS provider and actively receiving security patches. The system must be configured such that security updates are automatically applied. If this is not possible, and it can only be done manually, then security updates must be performed using the standard 24/48/72 hour time table for high/medium/low risks.

Application Updates - Application updates not covered by normal OS updates should be automated if at all possible. When manual updates are required, security updates must be performed using the standard 24/48/72 hour time table for high/medium/low risks. For network-accessible applications (such as WordPress, Drupal, DokuWiki, other web services, databases, etc.) administrators should subscribe to announcement mailing lists so they are notified of new releases and apply security updates immediately.

Sensitive Data - No sensitive data is allowed on self-managed systems without approval of the Luddy Director of IT. This includes all sensitive data in the critical, restricted, and university-internal categories as defined by Management of Institutional Data (DM-01). Administrators must take the necessary steps to ensure that no sensitive data is stored on the system. If any sensitive data is ever discovered on the system, report it immediately to the Luddy ITG. For further information about the handling and classification of sensitive data, see the comprehensive Data Sharing and Handling page.

SSL/Encryption - All authentication must be done over secure channels to ensure that passphrases are never sent over the network in cleartext.

Anti-Virus Software - ITG-managed systems will have the required anti-virus software installed and it should not be removed or disabled. Self-managed systems must use anti-virus software when it is available for the platform.

External Scans - All Luddy systems are subject to external vulnerability scans and the system administrator must commit to remediate all detected vulnerabilities.

Mobile Devices - All mobile devices must comply with IT-12.1 Mobile Device Security Standard which includes whole disk encryption for laptops and passcodes for phones and tablets.

Reporting - Any security breaches must be reported immediately per IT Policy: Incident Response.

References

There are various IU computing policies and documents relevant to the setup and administration of self-managed systems, including the following:

Please see the University Policies listing of Information and IT policies for a complete list of IU IT policies.