This document outlines recommended security policies for computers that connect
to the College of Engineering's network. This document does not apply to
computers that do not connect to our network, but at least portions of it
do apply to systems that connect to our network remotely. For instance, home
users dialing in from an ISP to connect to our network would have to have
current Antivirus with updated definitions and have OS security patches
applied. This document also pertains to personal machines that are brought
onto campus and connect to our network.
- A desktop class system will be defined as a system that provides no network
services beyond those defined by the guidelines below for the OS running on
that system. Exceptions left to the discretion of the security contact (FTE
with IT responsibilities -- defined under "Baseline Requirements").
- Systems running services beyond those specified for desktop class systems
for a particular OS will be classified as servers unless exempted by the
security contact and a SIRT member.
- Desktop class systems will be required to register the following
information with the SIRT (probably via web form): OS, MAC address,
IP address/DHCP, owner/contact, location, department? The security contact
will be an FTE designated by the department or unit head and approved by the
College SIRT.
- Server class systems must be approved by their security contact and the
SIRT before being connected to the network. This specifically means that a
security contact must be defined for every server and that security contact
must be comfortable with the security on the system. Server class systems
must register the following information with the SIRT IN ADDITION TO the
information required for desktop class systems: open ports, list of network
services (including name, vendor, and version), and security contact.
- CMOS/PROM passwords required for modifications
- Boot to hard drive 1st and not to floppies at all (except as a temporary
workaround)
- Check for virus definitions daily
- Use a managed version of the antivirus package
- Current Antivirus Installed, updated definitions at least once/month
- Passwords that affect network services cycled during same time frame as CNS
- No off-campus support contracts as only line of support
- Full time IT personnel define acceptable platforms -- others may be allowed
behind special hardware isolation firewall
- Check and apply security patches at least once per month
- All computers must have an FTE with IT responsibilities that is ultimately
responsible for its security (security contact)
- IT person responsible for a computer must be able to gain administrative
privileges for audits and security investigations
- College SIRT members must be able to gain administrative privileges for
audits and security investigation
- Any detected security incidents should be reported to a member of the
college's SIRT
- All unused network services disabled
- Security contact can dictate that specific utilities be installed
- None
- Network services allowed only at security contact's discretion
- Use vendor supplied automatic checking and updating for security patches
- Use host-based firewalls to limit access as much as possible/practical
- X windows allowed, but must be restricted to listening/responding only to
localhost via host-based firewall rules
- SSH Daemon allowed, but should be restricted by host-based firewalls and
TCP Wrappers as much as possible/practical
- Other services allowed only at IT contact's discretion
- Try to use software from your IT personnel's recommended software list
- Use windows update to automatically check for and apply security updates
- Writeable shares allowed only from secure versions of windows (NT based)
- Writeable shares must be password protected
- No peer-to-peer file sharing (we need to work on the wording here)
- Consult with your IT personnel (part time or otherwise) before installing
any software
- Do not install any software that listens on a port or provides any network
service w/o security contact's approval -- this includes network games
- No remote control software (listening) w/o security contact's approval
- Personal machines both at work and remote locations need to have security
updates and current antivirus (with current updates) installed in order to
connect to our network even via dialup.
- Storage of sensitive information should be done offline on removable media
when possible. The removable media used for this should also be stored in a
secure location.
- All other network services allowed only at SIRT and security contact's
discretion
- OS must still be supported by vendor (security updates still being
released)
- Cycle admin password at least 1/yr and on turnover of employees who know
password
- User admin accounts removed on turnover
- Check for security updates at least 1/mo -- admin discretion to apply
- Use strong passwords for admin accounts
- Change admin passwords ASAP after sending them over any clear text channel
- Check for and apply security patches weekly or as needed
- Use passwords on all writeable databases
- Use some sort of file system integrity checker to periodically check for
intrusion
- Phase-out all services that authenticate using clear text
- Clear new services with security contact and register them with SIRT
- NFS served only to specific hosts and should be restricted as much as
possible -- host based firewalls should be used to limit to specific MAC
addresses when possible
- Must be a platform supported by IT security contact (currently Redhat,
Debian, Mandrake, or Solaris)
- Enable inetd only when absolutely necessary
- Use a combination of TCP Wrappers and a host based firewall
- Use a secure version of the OS (NT based)
- College wide student training
- User passwords changes w/ CNS
- Aside from desktop hubs and switches (think 4 to 8 ports used for
connecting printers, laptops, etc for one user), all network devices should be
managed.
- Phase out Windows 3.x, 9x, ME, and NT 4
- Publicly physically accessible computers should require
authentication before use
- Users should log off or lock their screens when away from their computer
Top
