Security
-
Per the TAMUS use of System resources policy and TTI rules of behavior, users must not intentionally access material that the Agency may deem to be offensive, indecent, or obscene. To enforce this policy, Network & Information Systems has employed Cisco Umbrella, a network security and web filtering service, to provide a level of security and protection against websites that host malicious code, phishing holes, and offensive content. We recognize that, in the course of academic research, there may be a necessity to access material on the Internet that has been categorized as offensive. Should a researcher find that a website being accessed for a legitimate purpose is being blocked, and this aspect of the research has explicit approval from the appropriate authority per the Agency’s official processes for dealing with academic ethical issues, the researcher may request an exemption of the content filtering policy through the Information Security Office. To request such an exemption, when you are presented with a blocked domain message in your web browser, click the link to request an exemption and provide an explanation of the purpose for accessing the blocked site in the message field. The request will be routed to the Information Security Office to begin the exemption request process. …
-
*As of now, Texas A&M NetID and Texas A&M System UIN logins will still use Duo, so it is important that you not delete the Duo app from your phone if you need access to those portals. Additionally, the VPN and server logins will continue to use Duo for the MFA push until we have finished moving everyone in the agency to Microsoft Authenticator. Please do not delete the Duo app from your phone after completing your new MFA registration. NIS will make an official announcement when Duo is no longer needed.

Here is a quick video walkthrough of the setup process. For more detailed instructions, see the steps below.

Below are the steps to go through the manual setup for Microsoft Authenticator on your phone:

To set up the Microsoft Authenticator app

1. Sign in to your work or school account and then go to your My Account portal or visit https://aka.ms/mfasetup
2. Select Security info in the left menu or by using the link in the Security info pane. Then, select Add method in the Security info pane.
3. On the Add a Method page, select Authenticator app from the list, and then select Add.
4. On the Start by getting the app page, select Download now to download and install the Microsoft Authenticator app on your mobile device, and then select Next. For more information about how to download and install the app, see Download and Install the Microsoft Authenticator app.
5. Remain on the Set up your account page on your browser while you set up the Microsoft Authenticator app on your mobile device.
6. Open the Microsoft Authenticator app, and select to allow notifications (if you do not allow notifications, you will need to manually check for MFA notifications when you log in).
   Note: The first time you set up the Microsoft Authenticator app, you might receive a prompt asking whether to allow the app to access your camera (iOS) or to allow the app to take pictures and record video (Android). You must select Allow so the authenticator app can access your camera to take a picture of the QR code in the next step. If you don't allow the camera, you can still set up the authenticator app, but you'll need to add the code information manually. For information about how to add the code manually, see Manually Add an account to the app.
7. Return to the Set up Your Account page on your computer, and then select Next. The Scan the QR code page appears.
8. Scan the provided code with the Microsoft Authenticator app, which appeared on your mobile device after you created your work or school account.
9. Select Next on the Scan the QR code page on your browser. A notification is sent to the Microsoft Authenticator app on your mobile device, to test your account.
10. Approve the notification in the Microsoft Authenticator app by typing the corresponding number shown after entering your password, and then select Next.

Your security info is now updated to use the Microsoft Authenticator app by default to verify your logins.

The authenticator app should successfully add your work or school account without requiring any additional information from you. However, if the QR code reader can't read the code, you can select Can't scan the QR code and manually enter the code and URL into the Microsoft Authenticator app. For more information about manually adding a code, see Manually Add an account to the app. …
-
*As of now, Texas A&M NetID and Texas A&M System UIN logins will still use Duo, so it is important that you not delete the Duo app from your phone if you need access to those portals. Additionally, the VPN and server logins will continue to use Duo for the MFA push until we have finished moving everyone in the agency to Microsoft Authenticator. Please do not delete the Duo app from your phone after completing your new MFA registration. NIS will make an official announcement when Duo is no longer needed.

1. Sign in to your work or school account and then go to your My Account portal or visit https://aka.ms/mfasetup and click "Update Info" under the Security Info section.
2. Then, select Add method in the Security info pane.

Before setting up your YubiKey, your account must first have at minimum one other authentication method besides the key. This other method serves as a recovery or alternate verification method in case you lose or do not have your key with you. If you are not using Microsoft Authenticator, you can have Microsoft either text or call you instead.

3. On the Add a Method page, select Phone from the list, and then select Add.
4. On the Phone page, type the phone number of either your office or mobile phone, choose either Call me or Text me a code, and then select Next.
5. You will then receive a phone call with instructions to verify your phone number, or it will ask you to type a code that it sent to you via text message.

After you have verified your phone number, you can set up your YubiKey.

6. On the Add a Method page, select Security Key from the list, and then select Add.
7. You will be asked to sign in again before registering your new security key.
8. After signing in again, you will be shown prompts to help walk through adding the security key. You will select USB device for the type of security key you have.
9. Please read the instructions carefully and select Next when ready. You will now need to plug in your security key before proceeding.
10. Again, you will need to select Security key and click Next.
11. You will be shown prompts detailing what account will be added to the security key, and the details of what is being stored on the key. Click OK to proceed.
12. You will be prompted to create a PIN for the security key. This is a mandatory feature that cannot be skipped. Please create a memorable PIN of at least 6 characters (both letters and numbers).
13. After creating the PIN, you will be asked to activate your security key by touching it. There is a gold sensor with a green LED light that should be blinking; simply touch the blinking light to proceed. *This is how you will activate your key to log in*
14. You have now successfully added your security key to your TTI account. Next you'll be asked to name your security key before finishing.

You should now see the security key listed under your devices.

If you have any questions or need assistance managing your security key or other multifactor authentication methods, please contact NIS. …
-
Beginning May 31st, 2024, a new PIN criteria policy will become the agency standard. Below are the new criteria and a walkthrough of the steps needed to update your PIN if required.

Windows Hello PIN Requirements:
  minimum length 8 characters
  lowercase, uppercase, numbers, and special characters are all allowed
  no expiration

When you select to log in with your PIN, you will be notified that your organization requires you to change your PIN (if your current criteria does not meet requirements). You can see the PIN requirements by clicking the button highlighted in the picture below. After updating your PIN, you will be able to proceed with logging in. …
-
About Admin by Request (ABR)

Admin by Request is installed on all TTI workstations and is enabled by default for all TTI users. This use includes the two primary methods detailed in this article: Run as Admin and Requesting Admin Session. Using these features does not require any special access or group membership.

The Run as Admin feature allows you to run individual apps without needing a timed session that must be renewed and should be the most commonly used feature. Those applications should be automatically approved for elevation. Less commonly used applications may not be automatically approved and are instead sent to NIS for a brief approval process. Similarly, Requesting Admin Session access will require a brief review and approval by NIS, so we encourage trying to run an application as administrator before trying to request an admin session.

If you believe that you will need enhanced and more frequent access to run applications as administrator for more than occasional access, please complete this form for review by NIS Security and Compliance: Administrative Access Request : TTI Help Desk. If approved, this will grant access to run applications and admin sessions without the need for review by NIS. This form will need to be renewed each year and is required for reporting to the State of Texas. We highly encourage the use of the two primary methods for ABR use before requesting enhanced administrative access.

Once installed, Admin by Request runs in the background for as long as the endpoint is powered on. Selecting the app from the tool tray (or launching from the desktop if the shortcut is installed) launches the user interface, which comprises a simple window with five buttons down the left-hand side.

The default panel is About Admin By Request, which is accessed via the top button. It shows the current workstation edition, license details, website link, and copyright information. Click the About button to get back to this panel if viewing one of the other panels.

Requests are typically reviewed and approved within 15-30 minutes. However, please allow up to 1-2 hours for review of requests and applications that are not automatically approved.

Using Run as Admin

Run As Admin (also known as App Elevation) allows for the elevation of a single application. This capability negates the need for users to initiate an Admin Session. Elevating privileges for execution of a single file is the much safer option compared to elevating the user’s privileges across the endpoint.

A standard user executing a program that requires elevated privileges to install initiates the following sequence of events.

1. Download the file for installation.
2. Start the installation by right-clicking and selecting Run as Administrator.
3. Admin By Request suspends installation and asks for phone, email, and optional reason. Enter these details and click OK to continue.
4. A notification now advises that the request for approval has been sent.
5. When the request is approved, a further notification advises the request has been approved.
6. Now the installer has the elevated privileges required to run. Click Yes to start authorized installation with elevated privileges.

The elevated privileges last only for the duration of the installation and apply only to the specific application or package authorized.

Requesting Administrator Access (Admin Session)

Administrator Access (also known as Session Elevation) allows for elevated privileges system-wide for a predefined amount of time (session duration). Any user given full session elevation gets full local admin rights on their system. Full session elevation mode is ideal for situations such as when elevated access to ‘system’ resources such as drivers or printers etc. is required, when a user needs elevation only for a specific amount of time, or when a Developer requires the use of multiple elevated applications.

Requesting administrator access is also known as requesting an Admin Session, which is a time-bound period during which a standard user has elevated privileges and can carry out administrator-level tasks. As with About Admin by Request, users can double-click the Admin by Request desktop icon, or select the icon from tray tools to display the menu and select Request administrator access.

Submitting a request for administrator access is the primary mechanism for gaining elevated privileges. A standard user making this selection where approval is required initiates the following sequence of events.

1. A Request Administrator Access form appears. Please enter your TTI email, phone and reason information into the form and click OK.
2. The request is submitted to NIS for review.
3. The IT administration team is notified via the Admin by Request portal that a new request for administrator access has arrived. The following example shows how two new requests might appear in the portal:
4. One of the team either approves or denies the request. If approved, the user is advised accordingly.
5. The user clicks Yes, which starts the session and displays a countdown timer.

The duration of an admin session is set to 15 minutes per TTI security standards, and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

During an Admin Session, users can install programs requiring admin rights, install drivers and change system settings other than user administration. All activity during the elevated session is audited and logged and may be reviewed by IT Administrators. The activity includes elevation request reasons, anything installed, uninstalled, or executed.

No Internet/Offline Computers

Admin By Request functions seamlessly whether a computer is online or offline. Key settings like portal configurations, domain groups, and organizational units (OUs) are stored locally on the device.
Any data generated while offline is queued and automatically synchronized once the computer reconnects to the internet. This ensures a consistent user experience both on your local network and when working remotely without internet access.

PIN Code

When approval is required for a request and the computer is offline, the pending request remains invisible until the device reconnects to the internet and processes the queue. While this situation is uncommon, it can occur if a computer stays offline for an extended period.

Example: Red Cross Scenario: Workers in remote areas may be offline for weeks. Their computers will queue data until they reconnect. If a request needs approval, users must either wait for internet access or use an alternative connection method, such as a phone hotspot.

Emergency PIN Code Request:

Step 1: The user requests a PIN code and receives a 6-digit "PIN 1."
Step 2: The user contacts the Help Desk (979-317-2345) Monday through Friday 8am-5pm (CST) to obtain a corresponding 6-digit "PIN 2."
Security: PIN 2 is uniquely generated using PIN 1, the customer ID, and the computer name, ensuring security even if PIN 1 is duplicated on another device.

This streamlined process allows users to proceed with urgent requests securely, even when internet connectivity is unavailable. …