Elevated Privileges (SE-POL-005)
Administrative Departmental Policy
This department-specific policy applies to the operations and staff of the Information Services
Department of the University of Wisconsin Hospitals and Clinics Authority as integrated effective July 1,
2015.
Policy Title: UWH Elevated Privileges
Policy Number: SE-POL-005
Effective Date: 12/20/17
Chapter: N/A
Version: Revision

I. PURPOSE
This policy defines elevated privileges (EP) and provides a model for granting of EP to Users for
performing tasks requiring the use of these privileges.

II. SCOPE
This policy applies to all UWHC, UWMF, UW-Madison Affiliated Covered Entity employees or
other employees, contractors, students, and affiliates (Users).
EP is granted under the concept of least privilege, meaning the level of privileges granted to
each member of a team is limited to only those privileges necessary for team members to fulfill
their assigned tasks.
This policy is applicable to any system utilized within the UW Health network infrastructure and
any UW Madison owned system that is interconnected with UW Health or for which a legal or
technical trust relationship exists.
III. DEFINITIONS
Elevated Privileges: Elevated privileges (EP) are granted to individuals in the course of their job
duties so they can perform computing functions that cannot be performed with the ordinary
privileges granted to employees for routine computing tasks. Most users are generally not
authorized to perform these additional computing functions. Examples of computing functions
requiring EP are:
• Locally administering a device, workstation, or server.
• Administering network equipment, such as firewalls, routers, and switches.
• Creating and administering directory system components.
• Creating and administering databases.
• Creating and assigning privileges to user accounts.
• Creating security permission policies.
• Installing/Uninstalling software on corporate devices.

Service Account: A service account is an enabled user account created for a specific service,
application, database, or process, which uses the password credentials of the account to log in
and perform actions within a server, directory, or network. Service accounts are used only for
processes or services where it would not be feasible or appropriate to use a personal account.
Users are not allowed to log in using a service account when the use of their own credentials is
feasible and appropriate.
Citrix Access Gateway: The Citrix Access Gateway (CAG) is a secure data access application that
provides administrators granular application- and data-level control while allowing users to
access computing systems remotely from anywhere. It gives IS administrators a single portal to
control access and limit actions based on both user identity and the endpoint device. This
provides better application security, data protection, and compliance.
Virtual Private Network: A virtual private network (VPN) provides access to a private network
across a public network, such as the Internet, to provide remote offices or individual users with
secure access to their organization's private network. It allows a computer to send and receive
data across a shared or public network as if it were connected directly to the private network,
while benefiting from the functionality, security, and management policies of the private
network.
Remote Desktop Protocol: Remote Desktop Protocol (RDP) is a proprietary protocol developed
by Microsoft that provides a user with a graphical user interface (GUI) to connect to another
computer via a network connection. RDP is encrypted. All versions of Windows include an
installed Remote Desktop Connection (RDC) client that provides remote display and input
capabilities over network connections for Windows-based applications running on a server
or PC.
vSphere: vSphere is a server virtualization platform from VMware. Server virtualization reduces
costly infrastructure sprawl, allowing a user to run multiple operating systems and applications
on a single computer. This improves productivity by reducing the number of physical servers,
each operating at full computing capacity.
VNC: Virtual Network Computing (VNC) is software that can display the screen of another
computer on a user’s own computer screen, via a network connection. The program allows a
user to control the other PC remotely with a mouse and keyboard.
Bomgar: Bomgar enables a user to remotely access and fix nearly any device, running any
platform, located anywhere in the world. Bomgar users can control multiple systems, chat with
multiple end-users, and collaborate with others in the field to fix problems faster. Unlike older
point-to-point remote access tools and cloud-based solutions, Bomgar routes all activity through
a secure appliance that sits behind a firewall.
Secure Shell: Secure Shell (SSH) is a computer application used to log into another computer
over a network, and to run commands on the remote machine. SSH is very similar to Telnet,
except that SSH uses encryption to keep the connection secure. Thus, it is more difficult for
hackers to spy on users’ passwords or other sensitive information.
Server Team: The Server Team consists of UW Health Server Team members, and may include
Server Team staff from UW Madison departments that are matrixed to the UW Health Server
Team.

IV. POLICY ELEMENTS

Accessing computer systems with EP increases the risk of security incidents and unintended
changes to system configurations. The purpose of this policy is to restrict EP based on job duties,
in order to limit the potential risks, both intended and accidental. This policy will establish
uniform principles of best practice for tasks involving EP.

Exceptions to this policy must be vetted through the UW Health IS Director of Security, using
this policy and least privileges as guides. When the request involves a non-UW Health user, the
Chief Information Security Officer (CISO) of that staff person’s organization will be consulted.

The UW Health Security Team will conduct a full audit of EP accounts on an annual basis, and
random audits as necessary.

Legacy procedures identified by the IS Security Consultants that do not conform to this policy
will be brought into compliance through a documented remediation plan, or covered by a
documented exception. The Office of the CIO or IS Governance Groups will have jurisdiction over
the adequacy of remediation plans.

A. General Rules for EP Access

1. Routine tasks that do not require EP, such as web browsing and email, must be
completed using non-EP accounts.
2. EP accounts do not receive remote access privileges. When external to the UW Health
network, users must use their non-EP accounts to log into a remote access gateway,
such as Citrix Access Gateway (CAG) or VPN. Use of EP credentials external to the UW
Health network is strictly forbidden.
3. Administrative tasks on systems, including virtualized environments, require EP. See
addendum for approved tools. Requests for additional tools should be submitted
through the UW Health IS New Technology Request process.
4. All file system shares (including but not limited to Microsoft) must be created by the
Server Team, regardless of who supports or manages the server, and they may not be
created by a non-Server Team individual with an EP account. Note that provisioning of
access to resources must adhere to the principle of separation of duties.
5. Permissions on shares or file systems (such as NTFS security on servers or PCs) should
not be manually assigned to individual directory user or computer accounts; a
custom-built directory security group must be used instead.
6. Permissions should not be assigned (even via group) to files.
7. Assigning local permissions to directory accounts is not permitted.
8. Individual local user accounts or groups on either servers or PCs are not permitted,
except when:
a. the creation is executed by a software install; or
b. the creation is performed by the Server Team/EUTS for standard administration
purposes.
9. If a medical device requires administrator access, contact the Security Consultants team
for assistance.

10. Manually assigning local administrator access to individual local user accounts or
groups on servers or PCs (including the assignment of a local account from one PC to
the local Administrators group on another PC) is not permitted, unless the
configuration is performed automatically via a software install.
11. Installation of and updates to software on servers, workstations and devices require EP.
a. A request for software installation privileges is evaluated for business need and
is potentially limited based on job function.
b. Only approved software delivery installation systems, such as Altiris, should be
used to perform software installs and uninstalls whenever possible.
c. Non-automated software installs and uninstalls must be performed on the local
PC (use of remote viewing/control applications for this purpose is acceptable),
not streamed remotely over the network.
d. Reasonable effort must be made to notify users before remotely accessing the
device console.
e. Software installation on a non-server device should be performed using the Run
As command whenever possible. When not possible, it is permissible to log in
using EP credentials or other processes as long as the credentials are cleared
with an immediate reboot.
12. Systems or applications accessed with EP credentials must be logged out of or closed at
the end of every session. This is specific to the use of EP credentials only.
13. Use of EP accounts is logged, monitored, and audited.
14. Staff members who receive EP accounts are responsible for the management of their
credentials used to access computer systems on the UW Health network. The policy for
EP accounts is more stringent than for non-EP accounts per the UW Health
Authentication and Password Policy 1.53.
15. As a matter of best practice, users must not set their non-EP account passwords to
match their EP account passwords.

B. Requirements for EP Access

1. It is recognized that on systems added to a directory (such as those running Microsoft
Windows) separate EP credentials are required to perform administrative tasks, while
on systems technologically unable to be added to a directory, EP are granted directly to
the user’s non-EP account via a privilege escalation utility such as sudo. How EP are
granted and implemented will differ on each of these types of systems.
a. On directory based systems, EP accounts are assigned by Systems Security and
are issued within the appropriate directory via a secondary user account (login
ID) for each user approved.
b. On non-directory based systems, EP access is granted granularly to the user’s
local EP account and is restricted to specific, targeted data, applications or
commands. Changes to the sudo (or equivalent) configuration file defining EP
access on the system must be approved and documented by the UW Health IS
Security Consultants Team.
c. On medical devices or appliances whose locked-down setup and/or security
prevents unique login accounts, the required generic login may be used only on
the system console. These credentials should not be used for any other system
or for remote access.
2. The use of EP, whether by logging into an EP account or by executing a privilege
escalation utility such as sudo, should be limited to its expressly designated purpose. EP
should not be used to engage in auxiliary activities, such as accessing email or the
Internet, except when such access is directly related to administering that activity and
has been sanctioned as such by the UW Health IS Security Consultants Team. For
example, the UW Health IS Security Consultants Team may allow email administrators to
log into email accounts to perform maintenance actions on those accounts.
3. The direct supervisor is required to request any additions, changes, and revocations to
EP accounts above and beyond those designated in the standard EP assignments appendix.
4. EP-related requests are submitted through the Computer Systems Authorization
Request Form via the normal ticketing system.

V. PROCEDURE
Requests for exceptions should be initiated through the normal ticketing system. Justification
for change or exception should be submitted with the ticket.

VI. FORMS (optional)
a. Computer Systems Authorization Request Forms
b. Group Authorization Form

VII. REFERENCES (optional)
UW Health Authentication and Password Policy

VIII. COORDINATION
Sr. Management Sponsor: UW Health IS CTO
Author: UW Health IS Senior Systems Security Consultants
Reviewer(s): UW Health IS Directors and UWHC Internal Auditor
Approval Committee: UW Health IS Directors

SIGNED BY:
UW Health CIO

Revision Detail:

Effective Date: 12/20/2017
Next Review: 12/20/2020
Summary of Changes: Original release.
Change Authors: E. Gerke and L. Barman