What Is It?
These guidelines outline the many do's and don'ts of using special access accounts. Special access is defined as having the privilege and password to use domain administrator accounts or any account with elevated privileges.
Special Access Guidelines
The Montana Tech environment is very complex and dynamic. People with special access must develop the proper skills for using that access responsibly. The Special Access Guidelines have been developed to help people use their special access in a responsible and secure manner.
1.0 General Guidelines
Documentation provides a method to analyze what happened. In the future, others may want to know what was done to correct a certain problem. The Lead System Analyst, Subsystem Manager or resource owner is to be informed BEFORE any changes are made to system-specific or configuration files.
1.1 Be aware of the Montana Tech environment.
The Montana Tech facility is a highly specialized facility containing a large number of computers of different configurations. Many daily system tasks have been automated by the use of software tools. Be aware of the “MONTANA TECH Way” of doing system tasks.
1.2 Always log on systems with the least privilege to perform the task.
1.3 Use special access only if necessary.
Many system tasks require the use of root or other special access. However, there are many tasks that can be done without the use of special access. Whenever possible, use regular accounts for troubleshooting and investigating.
1.4 Document all major actions and/or inform appropriate people.
1.5 Have a backup plan in case something goes wrong.
Special access has a large potential for doing damage with just a few keystrokes. Develop a backup plan in case something goes wrong. You must be able to restore the system to its state before the error occurred.
1.6 Know whom to turn to if problems arise.
With the use of special access, situations arise that have never come up before. Although MONTANA TECH has many written procedures, they do not cover every circumstance possible. If any doubt exists about how you should proceed on a problem, then ask for assistance. Know whom to ask.
2.0 Specific Don'ts of Special Access
- Do not share special access passwords with anyone!
- Do not write down the special access passwords or the current algorithm.
- Do not routinely log onto a system as “root” or any other special access account.
- Do not read or send personal mail, play games, read the net news or edit personal files using a special access account.
- Do not browse other users’ files, directories or E-mail using a special access account. Do not make a change on any system that is not directly related to your job duties.
- The Server Administrator/Computer Administrator is responsible for approving all changes to the system(s) under his/her responsibility. No changes are to be made to any system configuration file or executable file without prior approval of this individual. Making a change AND then informing the Computer/Server Administrator is considered a violation of this guideline.
- Do not use special access to create temporary files or directories for your own personal use.
3. Privacy of Clients’ Data/Information
This topic pertains to the privacy of clients’ files and information stored on/in Montana Tech network servers, computers and resources. Sometimes during the normal course of their job, a member of the Montana Tech support staff will have a need to view a file belonging to another person. Some examples are: helping a client with a programming problem which requires access to the client’s source program; upgrading an old system to a new one; or helping a client resolve an electronic mail problem which requires viewing part of the client’s mail message file. Whenever required to view a client’s file in the course of helping that client, the consent of the client must first be obtained or already be present. In the case of resolving an electronic mail problem in which the message has been returned to the postmaster account, consent is also implied. In those cases where consent is given, support personnel must still abide by the following guidelines and focus troubleshooting on the issue at hand. However, in all cases the client must be advised that his/her file(s) must be viewed/accessed to assist them. When assisting Montana Tech clients, members of the Montana Tech Support Staff should use the following guidelines:
- Use and disclose the client’s data/information only to the extent necessary to perform the work required to assist the client. Particular emphasis should be placed on restricting disclosure of the data/information to those persons who have a definite need for the data in order to perform their work in assisting the client.
- Do not reproduce the client’s data/information unless specifically permitted by the client.
- Refrain from disclosing a client’s data/information to third parties unless written consent is provided by the client.
- When requested, return or deliver all data/information, or copies of it, to the client or someone they designate. Remove all uploaded information from any server utilized in support. Utilize an upload area that is protected from general view or access.
4. Proprietary Information
Due to the nature of computer support, there is a large potential for having proprietary information stored, at times, on/in Montana Tech network servers, computers and resources. Information that would be considered proprietary includes individual user information, individual mail and individual user documents (this list is not exhaustive, merely illustrative). Since members of the Montana Tech support staff will have enhanced access to the Montana Tech network systems and resources, they will potentially have access to proprietary information. Members of the Montana Tech support staff are responsible for ensuring that all proprietary information is protected from disclosure or modification. When dealing with proprietary information, members of the Montana Tech support staff should use the following guidelines:
- Ensure appropriate measures are in place for protecting proprietary information.
- Do not attempt to access proprietary information for which you have not been given authorization.
- Do not make copies of proprietary information unless specifically permitted by the owner of the information as a matter of official standard operating procedure.
- Refrain from disclosing to third parties the types of proprietary information you can access.
5. Security Investigations
If, during the course of their regular duties, a member of the Montana Tech support staff discovers evidence of a violation of the Acceptable Use Statement, he or she must notify the Vice Chancellor of Academic Affairs or the Chief Information Officer. If there is probable cause to believe a violation has occurred, additional investigation will be authorized. Members of the Montana Tech support staff should not begin an investigation of a client without receiving authorization from the proper person. If you are requested to participate in an investigation of a client, or you must view a client’s files (after receiving consent) during the normal course of your job duties, you must be careful not to disclose information about that client or the contents of the client’s files to other people. Information concerning the client should only be disclosed to the Chancellor, the Vice Chancellors, their designee or a law enforcement agency. It is also very important to keep a detailed record of all actions when investigating an allegation of improper use.
6. Summary of Guidelines
To summarize, please follow these guidelines: read and follow the Acceptable Use Statement of Montana Technological University. Do not inspect a client’s files without the consent of the client or the proper authorization. Inform the proper person when you feel there is evidence of a possible violation. When performing an investigation on a client or system which involves viewing a client’s private files/data/information, keep a detailed record of why the investigation was initiated and what actions you took.