Administrator access and self-managed systems

About this policy

Policy contact:

Mark Napier

Date of last update:

April 30, 2021


Approval Process

Please note that running an alternate, unsupported operating system (eg. Ubuntu) in a virtual machine on one of our Luddy-managed systems is fully supported and we can set that up for you with no special approvals needed. See Running a Virtual Machine on Linux or Windows for additional details or contact the ITG for additional details for other platforms.

Storing or manipulating sensitive data classified as restricted or critical is prohibited on self-managed systems without the explicit approval of the Luddy Director of IT. Further information is available regarding the classifications of sensitive data as well as via the comprehensive Data Sharing and Handling tool.

If you want administrator access to an ITG-managed system or a self-managed system, please submit the approval request form:

Request For Administrative Privileges

Submitted requests will be evaluated and you will receive notification of approval or rejection.

Once a request is approved by the sponsoring faculty (for non-faculty) and the Luddy Chief Information Privacy and Security Officer the appropriate permissions will be granted.


These permissions will be documented via the help desk ticket and hardware database. Notes will be added to the comments section of the corresponding hardware database using the #admin and #self-manged tags and the help desk ticket number documenting the approval will be added to the database entry. This is done as follows:

  1. Add a tag like "#admin username" or "#self-manged username" to the comments section for the database entry, where username is the IU username of the user who was granted administrator rights
  2. Add the help desk ticket number to the"Help Desk Issue #" field in the hardware database.


Verification of self-managed system configuration will be performed to ensure that the open services match those noted in the submitted Administrative Privilege request form. The Qualys security scanner will be used to detect vulnerabilities and ITG staff and the administrative user will be required to resolve all reported problems.

Administration Requirements

If you are installing Ubuntu Linux, we encourage you to follow the steps in the KB page Securing Ubuntu Linux in the IU Environment

The administration of the system must follow IU policy IT-12 Security of Information Technology Resources as well as Luddy policies including IT Policy: Workstation Security and IT Policy: Mobile Device Security. Below is a summary of the key requirements all system must follow to be in compliance with IU and Luddy policy:

Admin Access - Normal day-to-day usage of the system must be done using non-privileged accounts. When elevated privileges are needed, dedicated admin accounts or sudo must be used. Do not elevate your normal account to have administrative privileges.

Firewall - A host based firewall (eg linux iptables or Windows firewall) must be used to limit open port to only those explicitly required. ITG-managed systems will have this enabled by default and you must not disable it.

Passphrases - All accounts must have passphrases that meet the IU Passphrase Requirements. ITG-managed systems will use normal IU passphrases and that must not be changed.

Accounts - Accounts on ITG-managed systems should not be created without Luddy approval. On self-managed systems, accounts should be given to each individual needing access. The use of shared group or guest accounts is not permitted without Luddy approval.

OS Updates - ITG-managed systems will be configured to receive OS updates automatically and this should not be disabled. Self-managed systems must be running an operating system that is currently supported by the OS provider and actively receiving security patches. The system must be configured such that security updates are automatically applied. If this is not possible, and it can only be done manually, then security updates must be performed using the standard 24/48/72 hour time table for high/medium/low risks.

Application Updates - Application updates not covered by normal OS updates should be automated if at all possible. When manual updates are required, security updates must be performed using the standard 24/48/72 hour time table for high/medium/low risks . For network-accessible applications (such as Wordpress, Drupal, DokuWiki, other web services, databases, etc) administrators should subscribe to announcement mailing lists so they are notified of new releases and apply security updates immediately.

Sensitive Data - No sensitive data is allowed on self-managed systems without approval of the Luddy Director of IT. This includes all sensitive data in the critical, restricted, and university-internal categories as defined by Management of Institutional Data (DM-01). Administrators must take necessary steps to insure that no sensitive data is stored on the system. If any sensitive data is ever discovered on the system, report it immediately to the Luddy ITG. For further information about the handling of classification of sensitive data, see the comprehensive Data Sharing and Handling page.

SSL/Encryption - All authentication must be done over secure channels to ensure that passphrases are never sent over the network in cleartext.

Anti-Virus Software - ITG-managed will have the required anti-virus software installed and it should not be removed or disabled. Self-managed systems must use anti-virus software, when available.

External Scans - All Luddy systems are subject to external vulnerability scans and the system administrator must commit to remediate all detected vulnerabilities.

Mobile Devices - All mobile devices must comply with IT-12.1 Mobile Device Security Standard which includes whole disk encryption for laptops and passcodes for phones and tablets.

Reporting - Any security breaches must be reported immediately per IT Policy: Incident Response


There are various IU computing policies and documents relevant to the setup and administration of self-managed systems, including the following:

Please see the University Policies listing of Information and IT policies for a complete list of IU IT policies.