College of Engineering - Least User Privilege Policy: COE–LUP–01

1.0 Purpose
This policy provides guidelines for appropriate user account privilege settings used during normal computer operations.

Computer security is the primary driving force behind this policy. In recent years, hackers have significantly increased their ability to compromise systems, turning those systems into participants in illicit activities or leaving them vulnerable to harvesting of institutional data or intellectual property. The majority of daily business-related computer operations do not require administrator (privileged) account access, because few individuals need to install or update applications every day. Most programs (web browsers are of particular concern) run at the same privilege level as the active user account. Even a well-maintained system may be vulnerable to recently developed attacks. If a compromised program is running with administrative-level permissions, the compromise potentially has unfettered access to all system files and system resources.

2.0 Scope
This policy covers all systems connecting to College of Engineering networking resources, systems owned by the College of Engineering, and systems accessing and/or storing College- or University-owned data.

3.0 Policy
To comply with this policy, users of computer systems must:

  • Ensure that the account used for normal login and computer operation runs at the lowest privilege setting that still permits regular tasks to be accomplished, and does NOT have administrative-level privileges on that system.
  • Ensure, where there is a legitimate need for occasional administrative access to a system, that any use of an administrative-level account or privilege escalation software is limited to system maintenance activities or software installation, and then only when elevated account rights are absolutely necessary to accomplish the task at hand.

4.0 Enforcement
Violation of this policy may result in termination of network access.  Furthermore, any employee found to have violated this policy may be subject to disciplinary action by their Administrative unit, the College, or the University.

5.0 Definitions



Administrative Level Privileges

The highest level of permission that can be granted to a computer user. This level of permission normally allows the user to install software, manage the system, and change configuration settings.

Privilege escalation software

A program that elevates the privilege level of a program or group of programs above that of the user.

6.0 Revision History

Last updated:  9/10/2009


Networking, Computing and Training Services (NCTS)