Elevate Admin is an application to temporarily grant faculty & staff administrative level user account access on a local workstation, notify an IT unit, and document the elevated permission. Faculty & staff can use this application when currently logged-in as a non-administrative user to perform administrative tasks on the local computer.
This application was developed by Engineering Technical Services in the Fulton Schools to assist IT units with departmental compliance of the Information Security Office’s Privileged Accounts Standard, which assists in establishing acceptable practices that support ACD125 as it applies to accounts with privileged access.
How It Works
The Elevate Admin application is available in Software Center as “Configure PC: Enable Administrator Access” to approved individuals and departments in the Fulton Schools. Your department IT manager must setup each individual or department. Once setup you will see Elevate Admin in Software Center. You can find your IT manager on your department home page.
Note: Learn more about Software Center.
Upon being approved for use, Elevate Admin can be installed as needed through Software Center.
During installation the end user will be prompted to select a duration of time [thirty minutes or three hours] and provide a reason for the use. When run, the application will temporarily grant Administrative access on the local workstation. Access is then removed after the selected duration of time, a computer restart, or a computer shutdown. Depending on the duration selected the user will receive a pop-up notification [5-15 minutes] before the time expires, as well as a calendar appointment that is sent immediately via email to track the event.
Behind the Scenes
IT units are notified each time the application is used, providing them with details including who ran the application, on which computer, the reason for its use, and the date and time of run. The same information is stored in a SQL database which is used to generate auditing reports throughout the year.
In addition to notifications, all workstations to which the application has been made available are targeted with a compliance baseline. This baseline runs nightly and ensures no additional users have been granted administrative access by means outside of running the application. If found, the baseline will remove any user that may have been added directly to the local administrator and ignore those accounts and security groups that meet departmental whitelists.