How Do I Get Admin Rights?
Administrator privilege on a computer is obtained by logging in to the standard admin account, ccadmin. While the account is standard, the password is different for every computer and is changed periodically. Administrator privilege is then granted by revealing the current ccadmin password for a specific computer.
Requesting Access
Access to the ccadmin password is managed on a per-user and per-computer basis. That is, a user must request access for every system on which they need administrator privileges. Each system is a separate request; requests cannot be combined into a single request. The requests are managed by Docflow.
The form enumerates requirements for how administrator access may be used and has fields for the system for which administrator privileges are being requested and for the requestor’s manager. Note that the system must be registered in netdb; the name is usually on a white label on the computer. If the system is not registered, the form cannot be submitted. There is also a field for explaining why administrator privileges are being requested. While there is no set reason or reasons for which the request will be granted, some business, academic or operational need must be identified.
Submitting the form sends an email notification to the identified manager, who must approve the request. Approval directs the request to the IT Security group for review and final approval, after which an email notice is sent to the submitter.
At any time during the request process, the current status can be viewed by going to the Docflow My Documents page.
Using Administrator Access
As previously mentioned, administrator privileges are gated by access to the ccadmin password. This access is managed via LAPS. With the password it is possible to log in to the computer as the ccadmin user, but often it is better to use the Windows “Run As” feature. For full instructions on how to use LAPS, click here.
But Why Can’t I Just Have Admin Rights?
If a bad actor manages to gain access to a computer, they will have the access of the logged-in user. If that user has administrator privileges, then the bad actor also has them, which removes all meaningful barriers to the damage they can do. To minimize the damage that can be done, the University is following the National Institute of Standards and Technology recommendations regarding least privilege.
There is a prevalent belief that malware comes from “bad sites” or malicious emails and that it can be avoided by simply avoiding “the darker parts of the web.” While it is certainly true that malicious emails are a threat, a lot of malware is spread by compromising innocuous, or even trusted, sites. Another practice is to manipulate search engine results: a member of the S&T community was directed to malware when they searched for Missouri adoption laws and rules. This was not an explicitly targeted attack; it is just a reflection of how large in scale such attacks are.
It’s impossible to use the web risk free, which is why it is imperative that the potential damage is minimized. A compromise of an S&T computer can lead to the compromise of the entire University network, and if the compromise starts with a user having administrator privileges, it is just that much easier to do.
But I Don’t Use Windows!
While it is certainly true that the majority of attacks target Windows computers, bad actors are well aware of macOS and Linux. Not only is there cross-platform malware (meaning it will work on any platform), there are also examples of malware dedicated to non-Windows platforms, even iPhones. It is important to avoid a false sense of security, and avoiding administrator privileges is a good step regardless of platform.