Privileged Accounts at Georgia Southern

This standard outlines the requirements for privileged accounts at Georgia Southern. Privileged accounts are user accounts with elevated permissions that grant access to critical systems and data.


Account Creation and Request Process

Privileged accounts (PA accounts) will be created solely for IT Services employees who require elevated permissions to perform administrative tasks on critical systems and services.

Requests for PA accounts must be submitted through the Department Account/Resource Request form on the Accounts website.


Services Affected

Beginning July 8th, the PA account should be used instead of the user's standard account when utilizing these systems/services:

  • Executing Elevated Action on Workstations 
  • Executing Elevated Action on Servers
  • AD Audit
  • SCCM
  • Infoblox
  • ISE 
  • Infr Portal
  • Google Admin Workspace Console
  • Elastic Portal
  • Active Directory Domain Services
  • MyPrint 

As this is an ongoing project, more systems are to be added and integrated in the future.


Privileged Accounts Standards

  • Passwords, or use of the privileged account, must not be shared.
  • Passwords must be changed immediately if compromised.
  • Passwords must be changed every 90 days.
  • All privileged accounts should have MFA applied.
  • Privileged access should utilize utilities that allow applications to run with elevated permissions, such as “sudo” on Unix/Linux or “runas” or User Account Control on Microsoft Windows systems.
  • Access will be restricted, allowing only essential functions required for valid business needs or job requirements as approved by the appropriate data owner. 
  • Privileged access should not be used for day-to-day activities such as web browsing or reading email.
  • Privileged accounts that have not been used for 45 days will be automatically disabled.

Importance of Privileged Accounts

Privileged accounts play a vital role in protecting critical systems by granting users the necessary elevated permissions to perform administrative tasks. Here’s why utilizing privileged accounts is essential:

A standard user account can be used for everyday tasks like checking email and browsing the web, while a separate administrator account can be used for tasks that require elevated privileges, like installing software or configuring systems. This reduces the attack surface and the likelihood that an administrator’s credentials are compromised.

Separating administrative tasks from daily use accounts helps prevent accidental modifications or unauthorized access to critical systems. 

Tracking actions performed with a dedicated administrative account improves traceability. 

Using a separate account for administrative tasks mitigates the risk of malware or attackers elevating privileges from a compromised standard user account.

USG policy and industry standards strongly encourage the use of a secondary, privileged account to execute elevated tasks.


FAQ

How do I request a PA account?
To request an account, please visit the Accounts site and use the Dept Account/Resource Request form.

I have forgotten my password. How do I reset it?
To reset your password for Privileged Accounts, go to my.georgiasouthern.edu and click ‘Forgot Password’. In the Account Type, select Service Account and enter your username.

How often do I need to change my password?
Privileged accounts are required to change passwords every 90 days.

Will I be required to use DUO MFA?
Yes, MFA will be required on all PA accounts.

My Privileged Account does not have rights to do a task that is a function of my job.
If your privileged account cannot complete an essential task, please submit a myhelp support request with information about the issue and assign it to the IT-Identity queue. Make sure to include the system/service that you are unable to access.


References:

User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.


Last updated: 7/3/2024