Privileged Accounts at Georgia Southern
This standard outlines the requirements for privileged accounts at Georgia Southern. Privileged accounts are user accounts with elevated permissions that grant access to critical systems and data.
Account Creation and Request Process
Privileged accounts (PA accounts) will be created solely for IT Services employees who require elevated permissions to perform administrative tasks on critical systems and services.
Requests for PA accounts must be submitted through the Dept Account/Resource Request form on the Accounts website.
Services Affected
Beginning July 8th, the PA account should be used instead of the user's standard account when utilizing these systems/services:
- Executing Elevated Action on Workstations
- Executing Elevated Action on Servers
- AD Audit
- SCCM
- Infoblox
- ISE
- Infr Portal
- Google Admin Workspace Console
- Elastic Portal
- Active Directory Domain Services
- MyPrint
As this is an ongoing project, more systems are to be added and integrated in the future.
Privileged Accounts Standards
- Passwords, or use of the privileged account, must not be shared.
- Passwords must be changed immediately if compromised.
- Passwords must be changed every 90 days.
- All privileged accounts should have MFA applied.
- Privileged access should utilize utilities that allow applications to run with elevated permissions, such as “sudo” on Unix/Linux or “runas” or User Account Control on Microsoft Windows systems.
- Access will be restricted, allowing only essential functions required for valid business needs or job requirements as approved by the appropriate data owner.
- Privileged access should not be used for day-to-day activities such as web browsing or reading email.
- Privileged accounts that have not been used for 45 days will be automatically disabled.
Importance of Privileged Accounts
Privileged accounts play a vital role in protecting critical systems by granting users the necessary elevated permissions to perform administrative tasks. Here’s why utilizing privileged accounts is essential:
Reduce Attack Surface:
A standard user account can be used for everyday tasks like checking email and browsing the web, while a separate administrator account can be used for tasks that require elevated privileges, like installing software or configuring systems. This reduces the attack surface and the likelihood that an administrator’s credentials are compromised.
Segregating duties:
Separating administrative tasks from daily use accounts helps prevent accidental modifications or unauthorized access to critical systems.
Auditing and accountability:
Tracking actions performed with a dedicated administrative account improves traceability.
Improved security posture:
Using a separate account for administrative tasks mitigates the risk of malware or attackers elevating privileges from a compromised standard user account.
Compliance requirements:
USG policy and industry standards strongly encourage the use of a secondary, privileged account to execute elevated tasks.
FAQ
How do I request a PA account?
I have forgotten my password. How do I reset it?
How often do I need to change my password?
Will I be required to use DUO MFA?
My Privileged Account does not have rights to do a task that is a function of my job.
References:
USG ITS Handbook, Section 5.12
User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
NIST Cybersecurity Framework – PR.AC-4
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
CIS CSC Top 20 Controls
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
Last updated: 7/3/2024