User Privilege Policy

Version: 1.00
Issue Date: 11/4/2014

1.0 Overview

In order to properly protect the organization and those who do business with the organization, this User Privilege Policy provides for the restriction of user privileges to prevent and reduce security incidents.

This user privilege policy is an internal IT policy and defines the privileges various users on the organizational network are allowed to have, specifically defining what groups of users have privileges to install computer programs on their own or other systems. This policy defines the users who have access to and control of sensitive or regulated data.

This user privilege policy defines internet access to specific sites for some users or other ways they may or may not use their computer systems.

2.0 Purpose

This User Privilege Policy is designed to provide a secure environment by standardizing the privileges that users will have on their computers and the network.

This User Privilege Policy is designed to minimize risk to organizational resources and data by establishing the privileges of users of data and equipment on the network at the minimum allowable while still allowing users to perform their job functions without undue inconvenience.

3.0 Scope

This User Privilege Policy applies to all employees and personnel that use any computer equipment owned by the organization or equipment that operates on the network. Exclusions may be permitted for third parties that bring in equipment owned by other organizations so long as the mobile device policy or other applicable policies are followed. Personnel includes contractors, consultants, and temporary employees. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Local Computer Privileges

There are three main categories of users on a computer or network. These categories include:

  • Restricted user - The restricted user (also called the standard user) is the typical user in the organization, who may or may not understand computer technology. The restricted user has the ability to perform basic functions on a computer, such as running standard programs (for example, the Microsoft Office Suite), editing files, printing, and surfing the internet. The restricted user has permissions that allow them to read, modify, change, and save files in their own profile or on the network drive assigned for their use. They can run pre-installed Windows programs, shut down their workstation, and create and manage their own local groups. Restricted users cannot run legacy applications, because those applications require additional privileges to run. They cannot shut down servers.
  • Standard user (power user) - Power users are not common users in an organization. They have special job requirements that make greater permissions than a restricted user necessary. Power users have more permissions than a restricted user but fewer permissions than an administrator. This allows them to perform any task except those reserved for the Administrators group. They can change many system settings and install programs that do not change Windows system files. Power users can run legacy applications. They can change printer settings and drivers, and change date, time, power options, and other Control Panel resources. They can create local groups and accounts and manage local accounts and groups that are not administrator accounts or groups.
  • Administrators - Administrators have complete control over the computer system by default. The Administrators group is provided to perform computer maintenance tasks. Only trusted personnel who understand computer technology should be members of this group. Administrators have complete access to read and write any data on the system, add or remove any programs, and change system settings.

Legacy Definition

A legacy system is an old computer system or application program that continues to be used because the user (typically an organization) does not want to replace or redesign it.


The majority of users on most common networks should be restricted users on their local computers. Only users with special training or a need for additional access should be allowed to change system settings and install programs that are not operating system programs. This is because many viruses, adware, and spyware are installed subtly by tricking the user, or the installation may be completely transparent to the computer user. If the user does not have the ability to install programs or change settings to a more vulnerable configuration, most of these potential security problems can be prevented.

5.0 Other User Roles

Microsoft Windows systems define several main user roles. In addition to the standard user and the restricted user, these include:

  • Administrators
  • Backup Operators
  • Debugger Users
  • Guests
  • Help Services Group
  • Network Configuration Operators
  • Power or Super Users
  • Remote Desktop Users

6.0 Training and Justification

The standard user may be a member of the standard user group, and the restricted user is a member of the users group. Most users will be, and will normally operate as, a restricted user who is a member of the users group. This means that standard users and the majority of users will not be able to install software on their systems. Users that are allowed privileges above the restricted user must meet the following terms:

  • A written business justification must be provided based on the job position or the justification can be written into the business description.
  • The user must have security training in the use of computers and how to avoid viruses and other malware.
  • The user must take an annual test to demonstrate knowledge about phishing avoidance, how to avoid viruses and how they work, how to avoid getting malware using an internet browser and other security issues.

Only users that demonstrate both a need and the ability to handle power user or administrator access on local machines shall be permitted to have this level of access. Upon demonstration of a special need for additional access, the IT manager must approve the access before it can be made effective. Groups that may be allowed this type of access include:

  • Domain Administrators
  • Help Desk personnel
  • Application developers for testing purposes who have known computer training or skills.

7.0 Network Privileges

Most network users will have access to the following types of network resources.

  • Email - Most users will have full access to their own email. They will not normally be able to transfer ownership to someone else without a business justification such as for reasons where help from an administrative assistant is required.
  • A personal network drive on a networked file server - This is a folder on a drive that only the primary user of the drive can read and write, with the exception of domain administrators. The user will not be able to transfer ownership to someone else.
  • A shared group or organizational division's drive - This is a folder that members of specific groups or divisions in the organization may access. Access may be read or write and may vary by organizational requirements.
  • Access to databases - Additional databases may be stored on a shared drive or on some other resource. Most databases will have a standard user level that gives users appropriate permissions to enter data and see report information. However, only the database administrators will have full access to all resources on a database, and each database administrator will only have full access to the database that they administer.

Groups that may be allowed additional access include:

  1. Backup operator - Allowed to read data on the domain for the purpose of saving files to backup media. This group cannot write all data on the domain.
  2. Account operator - Can manage and view information about user accounts on the domain.
  3. Server operator - Has full privileges on servers including reading and writing of data, installing programs, and changing settings.
  4. Domain administrator - Has full privileges on all computers in the domain including servers and workstations. Privileges include reading and writing data, installing programs, and changing settings.

8.0 Privileges

The privileges of the restricted user shall not allow the restricted user to:

  • Install software on their computer.
  • Change the system clock time other than changing daylight time settings.
  • Create or manage user accounts on the system.
  • Share directories or files.

9.0 Enforcement

Since data security and integrity, along with resource protection, are critical to the operation of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

This policy should be made more specific and refined based on the needs of your organization. In some cases server operators will have full access on some servers but not others. Help desk personnel may have full access on some local computers but not on those in all groups in your organization.


Approved by:__________________________ Signature:_____________________ Date:_______________