Controlled Access of Admin Rights FAQ

Local administration rights (username_a accounts) on Mines-issued computers increase the risk of unknowingly installing harmful applications and infecting Mines.  This security concern is highlighted by the increase of malware and ransomware attacks enabled through local admin rights – according to the 2023 Microsoft Vulnerabilities Report, from 2015 to 2020, simply removing administrative privileges could have mitigated 75 percent of all critical Microsoft vulnerabilities. [Read more in the IT Blog]

Contents of Questions (Answers Below):

• Why are my admin rights being removed?
• When are my admin rights being removed?
• What changes should I expect when admin rights are removed? What steps should I take to prepare for this change?
• Is my _a account going away?
• Do I need admin rights to use Task Manager?
• What do I do if I believe my job requires me to have Admin Rights?
• What about installing drivers for devices at home, such as printers?
• How do I request to have software installed or updated without admin rights?
• How can I install approved software myself?
• How can I request additional software be added to self-service?
• What if an approved software is not available for self-install?
• What if my software has not been approved or purchased yet?
• Does anything change for software I already have installed on my device? 
• What is not in scope for this project?

Controlled Access of Admin Rights: Answers to Frequently Asked Questions (FAQs)

• Why are my admin rights being removed?
  • Cyber breaches pose an immediate and significant threat to organizations. According to Forbes, "Cyberattacks pose 'Existential Risk' to Colleges". One best practice that Mines can implement to reduce this risk is to limit the use of local admin rights. The objective is to ensure that the right person has the right access to the right resource for the right reason at the right time. Please refer to this CIO Blog for more information - CIO Blog - Removal/Controlled Use of Local Admin Rights.
• When are my admin rights being removed?
  • IT: Tuesday, October 31, 2023
  • FA&O: Friday, November 10, 2023
  • Campus-wide: Wednesday, January 17, 2024
• What changes should I expect when admin rights are removed? What steps should I take to prepare for this change?
  • You should not experience any changes in your day-to-day work. If you do require local admin rights to install or run a specific software or driver, you can call the Service Desk as 303-278-HELP (4357) or submit a TDX ticket Administrative Privilege Request.   
• Is my _a account going away?
  • No, the _a account is just another username.  The permissions on the _a account will be "demoted", meaning that it will no longer have administrator rights.
  • Where possible, please use your regular username as the _a suffixes will not be used going forward.  An effort to clean-up _a accounts and transition usage to your regular username will happen at a future time.
  • If you are granted administrator rights via MakeMeAdmin, this will be applied to your regular username, not the _a
• Do I need admin rights to use Task Manager?
  • You do not need admin rights to use Task Manager. You may use you "normal" username and password.
• What do I do if I believe my job requires me to have Admin rights?
  • Mines offers the assignment and use of admin rights to Mines technology resources on a case-by-case basis, contingent upon the assigned privileges being verifiable as a requirement of the requestor's ability to perform their assigned duties. A TDX service has been created to request admin rights at Administrative Privilege Request. Requestors will need to fill out and sign the Acceptable Privileged Use form, have their manager sign the form, and attach it to the ticket submission. By completing the form, users agree to and comply with the terms and conditions outlined in this document. Upon submission, the ticket will go to the IT Service Desk and then to the security team for review, approval, and escalation if necessary.
  • If approved, you will be given the application, MakeMeAdmin, on your device. This will allow you to grant yourself Admin Access when you need it.
    • *Approvals will be reviewed annually.
• What about installing drivers for devices at home, such as printers?
  • You can call the Service Desk at 303-278-HELP (4357) or submit a TDX ticket Software Installation. If the driver manufacturer is on the approved vendor list, the Service Desk will be able to remote into your device and install the driver. The Service Desk will install the driver directly from the manufacturer’s website. If the driver manufacturer is not on the pre-approved list, the Service Desk will have the Security and Compliance teams review the manufacturer and driver for privacy, compliance, and security, and approve to have the vendor be on the approved vendor list. The requestor can then contact the Service Desk to install the driver. This request will take up to 7 business days to complete.
• How do I request to have software installed or updated without admin rights?
  • You can call the Service Desk at 303-278-HELP (4357) or submit a TDX ticket Software Installation. If the software is on the approved software list, the Service Desk will be able to remote into your device and perform the installation or update. The Service Desk will install the software directly from the vendor’s website. If the software is not on the pre-approved list, the software will need to be reviewed. The requester can then contact the Service Desk to install the driver. 
• Some approved software titles can be self-installed through the appropriate App Store on your device:
  • Mac - Look for this program: 

Open a finder window in the bottom left of your desktop > Browse to Applications folder > Click on the Mines Self Service application and log in > Choose the application you would like to install > Click Install

• Windows - Look for this program:

Click the Start button in the bottom left of your desktop > Type "Software Center" > Click on the Software Center application > Choose the application you would like to install > Click Install

• How can I request additional software be added to self-service?
  • You do not need to specifically request application be added to self-service.  Applications will be prioritized and added as requests are made.
  • If you would like to request an application be added, please indicate so during your application request.
• If the software is approved and not available via self-install in the Mines Self Service or the Software Center:
  • Call our IT Service Desk at 303-278-HELP (4357) for on-demand support. Our team will remotely log-in and time-allowing, install the software with you.
  • You can also submit a Software Installation request so the Service Desk can arrange a convenient time for you to perform the installation remotely.
• If the software is not approved or purchased yet:
  • Please submit a Software Review ticket or call our Service Desk for support with this process.
• Does anything change for software I already have installed on my device?
  • No, existing software on Mines owned and managed devices are not impacted.
• What is not in scope for change?
  • The following are not in scope to have admin rights controlled in this phase and will be addressed in the future:
    • Linux devices
    • High Performance Computing (HPC) changes
    • Servers
    • Guest devices
    • Devices that are not Mines owned & Mines IT managed
    • Chromebooks