NT Administration Agreement

Computer Facilities Usage Agreement -- Privileged Access
NT Domain Administrative Privileges
Department of Computer Science -- University of Colorado

The purpose of this agreement is to maintain a secure computing environment for all users. CSops has the authority to disable logins immediately and take additional disciplinary action, including login termination, for failure to comply with this agreement. The department must be strict in these matters, because the integrity and security of its computing resources are critical for the research and instructional activities of the faculty, staff, and students.

1) Administration rights for NT machines are privileged access; this privilege is to be used only for the purpose for which it was granted. Use of privileged access for any unauthorized purpose is expressly prohibited. This forbids activities such as accessing other users’ files or performing any system commands as a privileged user that are not necessary for conducting CU/CS related work or research. In responding to user questions, it is appropriate to access the data minimally necessary to resolve the problem.

2) Any account which has privileged access by virtue of administrator or special groups (staff, source, etc.) is considered a privileged account. All privileged accounts (this means yours since you are signing this) must be protected as follows:

- Password must be changed at least once per semester (2x/year) and immediately if guessed by a password cracker or seen by another person, even partially.

- Password must be sufficiently difficult to guess and must be different on non-CS machines (some sites do archive passwords used).

- Passwords must be completely different from Unix passwords.

- Information gained by privileged access is privileged and should not be given to any non-privileged user.

3) These facilities may only be used for lawful purposes. Use of privileged access for transmission of any material in violation of any US or state regulation is prohibited. This includes, but is not limited to: copyrighted material (unless authorized by the copyright holder), threatening material, or material protected by trade secret.

4) When users make changes to their machines, it becomes impossible for CSops to perform system upgrades, distributions, and regular maintenance, as we cannot predict how they will interact with unknown changes made outside of CSops. The only way we can effectively manage hundreds of machines (more than 350 hosts, and growing) with a comparatively small staff is by making things as homogeneous as possible, and ensuring that a machine’s *personality* is either logically separate from its generic components, or well documented.

Therefore,

All permanent state changes to a machine must be implemented by CSops, and users should not make any changes to the filesystem outside of their research group directories. This includes service packs and hot files. Installing software can result in permanent state change. When in doubt, ASK FIRST; we have personnel available to answer your questions; mail trouble@cs.colorado.edu.

In cases of real EMERGENCY, a change may be made immediately. However, the change MUST be discussed with CSops as soon as possible, at which point it will be decided whether the change will remain.

In reality, CSops is held accountable for the security, functionality, and interoperability of a very large installation of computing resources. CSops cannot live up to this accountability without control over the changes to these resources. In the past we have tried the ’You break it, you fix it’ approach. However, this has not worked because, no matter how many times people are warned, when someone breaks something and does not know how to fix it, in the end it becomes our responsibility.

5) This agreement is in addition to the agreement governing general use of accounts.

I understand and will abide by the above terms and conditions for use of these privileges. If the propriety of any situation is unclear, I will ask for clarification from the CSops committee rather than making assumptions. I understand that my administrative privileges may be revoked if the terms and conditions are not adhered to.

Login:        ____________________           CUID:  ____________ 

Printed name: ______________________________ Phone: ____________ 

Signature:    ______________________________ Date:  ____________

