Computer Management PROCEDURES (preliminary draft - including unedited user comments)
These procedures comply with the requirements of the Computer Management Policy.
Requirements for Computers Connected to the USU Network:
- Every computer must have all used network card IDs (MAC addresses) registered in USU’s Domain Name Server/DHCP database.
- Every USU computer must either use USU IT's DHCP servers or configure its network interfaces in a manner consistent with the registration data in USU IT's DHCP servers.
- Contact information for the system administrator and end user must be kept current in the database. [How can this be checked by someone outside IT? - wait for the new registration system!]
- Every computer must have its operating system and software applications fully patched and updated within 24 (?) hours after the availability of the patches and updates. If a patch requires a reboot, the computer should not be used until rebooted. A computer that has been disconnected for an extended period of time should be patched and updated immediately on reconnect. [What about systems in continuous use that cannot be taken down whenever a vendor happens to release a patch but must be updated during a scheduled outage at a low demand time?] [This needs to differentiate between critical and non-critical patches as well as those boxes used for testing, or not connected to the network - that's why it says "connected to the network" up at the top!]
- Every Windows computer must run virus blocking software. USU has a site license for virus protection software on many operating systems.
- Every Windows computer must run spyware/adware detection software. [Why? There are fairly easy steps to eliminate spyware -- don't run as admin, use Firefox or protected mode IE. May also want to note that McAfee includes optional anti-spyware.]
- Every computer must have unprivileged user access, for routine use, separate from privileged administrator access.
- Every computer must have a firewall configured to block network access that is not required for the expected uses of the computer. All externally accessible system services not required by the user should be disabled.
- Computers that are not used to provide network service to others should be powered off when the user leaves at the end of a work shift.
- Computers that are used to store or access personal identifying information must be managed to a more secure standard. For example, they should not be used for peer-to-peer filesharing purposes. P2P often exposes some or all of the disk structure to unlimited outside access. They should not be used for personal/recreational web surfing, which exposes the computer to more web-based intrusions and "social engineering" enticements. They should have stronger passwords.
- Computers that are shared by multiple users in turn should be re-imaged between users so that the indiscretions of one user do not affect the next.
- Computers that are used for specific research or teaching purposes that preclude complying with other procedural requirements above should have alternate protections applied to achieve equivalent results of security and authenticity. These alternate procedures should be developed in conjunction with IT security staff so that any apparent vulnerabilities are known to be addressed.
Do we need to distinguish between computers that provide widely accessed server/daemon functionality and computers that are just clients for individual users? [Yes.]
Computers (and other devices) Providing Network Services:
Computers Used Only as a Client by an End-user at the Keyboard:
All-in-One Devices:
Copy/Scan/Fax/Print devices contain fully functional processors with operating systems, memory and hard disks. They are vulnerable to attacks by hackers who can gain control of the resource and any information recently copied, scanned, faxed or printed on the device. They need to be kept patched with vendor updates, need secure passwords and need to be registered with non-routed IP addresses unless access from outside of usu.edu is required.
Consequences of Inadequate Computer Management:
The Network Security Team monitors network traffic for patterns that indicate activity by compromised computers and scans connected computers for vulnerabilities due to lapsed patching and updating, in compliance with the Network Monitoring & Vulnerability Scanning Policy. Vulnerable computers may be scheduled for disconnect after contacting the registered user. Compromised computers may be disconnected immediately to protect the resource, with after-the-fact notification to the registered user.
GUIDELINES
Recommended “Internet Skeptic” Practices to Guard Against Vulnerabilities:
[Rob is right, these aren't Computer Management issues, but Appropriate Use issues.
I guess I just can't resist throwing them at users every chance I get.
Is that so bad?]
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
- Delete spam, chain, and other junk email without forwarding, in compliance with USU's Appropriate Use Procedures and Standards.
- Never download files from unknown or suspicious sources, including unfamiliar web sites or unexpected email messages.
- Avoid direct disk sharing with read/write access unless there is an absolute business requirement to do so.
- Back-up critical data and system configurations on a regular basis and store the data in a safe place.
- New viruses, worms, Trojans and other vulnerabilities and compromises are discovered daily. Be suspicious of anything novel.
How to Modify this Document
Proposed changes can come from a variety of sources, including central IT staff, campus-wide computer support staff (Network-Managers members), and IT Users Advisory Committee members. A member of any of these groups may bring forward a proposal from any member of the university community. After proposals are discussed by those groups, the modification will be approved or rejected by the IT Team Coordinators.