Computer Security Policy

This document outlines recommended security policies for computers that connect to the Carl R. Ice College of Engineering's network. It does not apply to computers that do not connect to our network, but at least portions of it do apply to systems that connect to our network remotely. For instance, home users dialing in from an ISP to connect to our network must have current antivirus software with updated definitions and have OS security patches applied. This document also pertains to personal machines that are brought onto campus and connect to our network.

Distinctions between server and desktop class systems

  • A desktop class system will be defined as a system that provides no network services beyond those defined by the guidelines below for the OS running on that system. Exceptions are left to the discretion of the security contact (FTE with IT responsibilities -- defined under "Baseline Requirements").
  • Systems running services beyond those specified for desktop class systems for a particular OS will be classified as servers, unless exempted by the security contact and a SIRT member.
  • Desktop class systems will be required to register the following information with the SIRT (probably via web form): OS, MAC address, IP address/DHCP, owner/contact, location, department. The security contact will be an FTE designated by the department or unit head and approved by the College SIRT.
  • Server class systems must be approved by their security contact and the SIRT before being connected to the network. This specifically means that a security contact must be defined for every server and that security contact must be comfortable with the security on the system. Server class systems must register the following information with the SIRT IN ADDITION TO the information required for desktop class systems: open ports, list of network services (including name, vendor, and version), and security contact.

Baseline recommendations (OS and server/desktop class independent)

  • CMOS/PROM passwords required for modifications.
  • Boot to hard drive first and not to floppies at all (except as a temporary workaround).
  • Check for virus definitions daily.
  • Use a managed version of the antivirus package.

Baseline requirements (OS and server/desktop class independent)

  • Current antivirus installed, updated definitions at least once per month.
  • Passwords that affect network services cycled during same time frame as CNS.
  • No off-campus support contracts as only line of support.
  • Full time IT personnel define acceptable platforms -- others may be allowed behind special hardware isolation firewall.
  • Check and apply security patches at least once per month.
  • All computers must have an FTE with IT responsibilities that is ultimately responsible for its security (security contact).
  • IT person responsible for a computer must be able to gain administrative privileges for audits and security investigations.
  • College SIRT members must be able to gain administrative privileges for audits and security investigations.
  • Any detected security incidents should be reported to a member of the college's SIRT.
  • All unused network services disabled.
  • Security contact can dictate that specific utilities be installed.

Mac specific recommendations

  • None

Mac desktop specific requirements

  • None
  • Network services allowed only at security contact's discretion.

UNIX desktop specific recommendations

  • Use vendor supplied automatic checking and updating for security patches.
  • Use host-based firewalls to limit access as much as possible and practical.

UNIX desktop specific requirements

  • X windows allowed, but must be restricted to listening/responding only to localhost via host-based firewall rules.
  • SSH Daemon allowed, but should be restricted by host-based firewalls and TCP Wrappers as much as possible and practical.
  • Other services allowed only at IT contact's discretion.

Windows desktop specific recommendations

  • Try to use software from your IT personnel's recommended software list.

Windows desktop specific requirements

  • Use Windows Update to automatically check for and apply security updates.
  • Writeable shares allowed only from secure versions of Windows (NT based).
  • Writeable shares must be password protected.
  • No peer-to-peer file sharing.
  • Consult with your IT personnel (part time or otherwise) before installing any software.
  • Do not install any software that listens on a port or provides any network service without security contact's approval -- this includes network games.
  • No remote control software (listening) without security contact's approval.
  • Personal machines both at work and remote locations need to have security updates and current antivirus (with current updates) installed in order to connect to our network even via dialup.
  • Storage of sensitive information should be done offline on removable media when possible. The removable media used for this should also be stored in a secure location.
  • All other network services allowed only at SIRT and security contact's discretion.

Server requirements (platform independent)

  • OS must still be supported by vendor (security updates still being released).
  • Cycle admin password at least once a year and on turnover of employees who know password.
  • User admin accounts removed on turnover.
  • Check for security updates at least once a month -- admin discretion to apply.
  • Use strong passwords for admin accounts.
  • Change admin passwords ASAP after sending them over any clear text channel.

Server recommendations (platform independent)

  • Check for and apply security patches weekly or as needed.
  • Use passwords on all writeable databases.
  • Use some sort of file system integrity checker to periodically check for intrusion.
  • Phase-out all services that authenticate using clear text.
  • Clear new services with security contact and register them with SIRT.

UNIX server requirements

  • NFS served only to specific hosts and should be restricted as much as possible -- host based firewalls should be used to limit to specific MAC addresses when possible.
  • Must be a platform supported by IT security contact (currently Red Hat, Debian, Mandrake, or Solaris).

UNIX server recommendations

  • Enable inetd only when absolutely necessary.
  • Use a combination of TCP Wrappers and a host based firewall.

Windows server requirements

  • Use a secure version of the OS (NT based).

General recommendations

  • College wide student training.
  • User passwords change with CNS.
  • Aside from desktop hubs and switches (think four to eight ports used for connecting printers, laptops, etc. for one user), all network devices should be managed.
  • Phase out Windows 3.x, 9x, ME, and NT 4.
  • Publicly physically accessible computers should require authentication before use.
  • Users should log off or lock their screens when away from their computer.