
Tech Guides :: Securing Confidential Information

Secure Connection to the Network

All users of the campus network have an obligation to secure their access to the network to the extent practical.

Perimeter Protection

The best way to protect campus assets is to prevent attacks from reaching the campus in the first place. Accordingly:

1. Campus backbone routers that connect to the external world (i.e., the “edge routers”) are configured to block the “SANS Top 20” ports. This may result in some users being blocked from installing some new applications. Requests to unblock a port should be directed to the Campus Information Security Officer (ISO). The ISO will initiate a technical and security review for the request prior to Information Technology Services (ITS) unblocking the port.

2. Routers connecting to the central server farm are configured to block all incoming network traffic to any port for which ITS is not aware of a legitimate reason for allowing access. User offices which operate servers holding personally identifiable or confidential information should consider contracting with ITS to move their servers inside this “secure net.”

3. Only wireless access points selected, installed, managed, and maintained by Telecommunications & Network Services (TNS) are permitted to be connected to the network. Rogue access points will be disabled at the network port.

4. ITS blacklists an extensive number of off-campus sites that generate viruses, spam, phishing messages, etc. This can result in some valid messages being blocked from delivery to the campus (called “false positives”). Users who believe valid messages are being blocked by the campus filters should review the filtering instructions on the ITS website at: http://www.humboldt.edu/~its/techguides/email/filters.shtml, contact their area information technology consultant, or contact the Help Desk.

Occasionally, an off-campus site will send a large number of emails to the HSU campus for valid reasons, such as for distributing an approved survey. It is possible that the campus filters will block delivery of such messages. If you are working with an outside group that will be sending a large number of emails to the campus, contact University Computing Services (UCS) to ensure they are not rejected by the filters.

5. ITS actively filters (blocks) email attachments that represent a known and significant threat of viral infection. The list of file-extension types that are blocked is available on the ITS website, as are work-arounds for receiving attachments of types that are blocked. Users who need to work around the campus filters should review the filtering instructions on the ITS website at http://www.humboldt.edu/~its/techguides/email/filters.shtml, contact their area information technology consultant, or contact the Help Desk.

6. The use of remote control desktop software (e.g., Windows Remote Desktop Protocol – RDP) must be properly secured. On Windows machines, RDP must be disabled for user accounts and should be enabled for administrator accounts only if a conscious decision is made to use it (RDP defaults to “enabled” for administrator accounts). Any account running RDP must be protected with passwords that meet ITS requirements for access to the central computing servers and access to the Common Management System: see the Security Memo “Password Protection.” Any machine that is configured to allow RDC connections should have as restrictive a client-side firewall as possible (e.g., a computer that is configured to allow RDC connections should have client-side firewall settings that only allow connections from a specific host, set of hosts, or VLAN).

Additional suggestions for improving the security of using RDP can be found at: http://www.windowsecurity.com/articles/Windows_Terminal_Services.html. Users running remote control desktop software other than RDP must ensure that it provides security at least equivalent to that available for RDP.

7. A good security program includes vulnerability management, which is an ongoing process to ensure that information assets are adequately protected. Vulnerability assessment activities should only be performed by authorized personnel. Scanning activities should be planned and authorized in advance in order to avoid negative impacts to the scanned network or system. Scanning systems/networks without prior agreement from the controlling authority is unethical. By California State University (CSU) policy, CSU campuses should not be performing vulnerability assessments or scanning (including penetration testing, port scanning, etc.) on systems or networks outside of their immediate purview. At HSU, this also applies to campus units other than TNS scanning the assets of the other campus units or assets of the campus as a whole without authorization. Any such scanning will be treated as a hostile attack. TNS may only scan the assets of the other campus units as necessary and appropriate for it to meet its responsibilities for supporting the campus network.

System Protection

All devices connected to the network must meet some minimum standards.

1. Client-side firewalls must be activated before connecting a computer to the network. Client-side firewalls should be configured as restrictively as possible.

2. All microcomputers and servers must be kept at current patch and anti-virus levels. Any system found to be not in compliance will be disabled at the network port until its software is made current. Users need to be cognizant of the need to keep applications at current patch levels as well as operating systems.

3. All microcomputers also should run spyware search-and-destroy software. This software is a useful tool for investigating hacking incidents.

4. Administrator-level accounts should not be used on microcomputers for day-to-day activities. It is a better practice for computer users to use workstation accounts that have user-level access. This may prevent inadvertent compromises of the entire system.

5. When practical, servers should be set up in a hardened (secure) systems configuration which includes:

• Installing only the minimum essential operating system configuration. Only those packages containing files and directories that are needed to operate the computer should be installed.

• After installation is complete, removing all privileges and access authorizations. Then grant (add back in) privileges and access only as needed, following the principle of “deny first, then allow.” It is essential that all installations be performed first because any installation performed after privileges are removed can undo such removal and result in, for example, changed mode bits or added accounts.

• Ensuring there are no permanent/semi-permanent “test” or “guest” accounts.

• Enabling as much system logging as possible to have access to the detailed information needed for in-depth analysis of any intrusion.

• Granting access only through the campus authentication/authorization Identity and Access Management (I-AM) system. Contact University Computing Services for assistance with set-up.

It is recognized that the “start hardened and relax to functional” approach may be impractical with Windows servers for some server roles. System administrators should check with University Computing Services for the latest “best practices” to take to secure servers based on server role.
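The warning above, that an installation performed after privileges are removed can change mode bits or add accounts, can be checked by comparing a hardened baseline against the current state. The following is an added example, not part of the original guide or any ITS tool; the function names, the sample passwd-format text, and the file name app.conf are constructed for illustration.

```python
import os
import stat
import tempfile

SUSPECT = {"test", "guest"}  # account names the guide says must not persist

def parse_accounts(passwd_text):
    """Account names from passwd(5)-format text (name is the first ':' field)."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def snapshot_modes(root):
    """Map each path under root to its permission bits; symlinks are not followed."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            modes[os.path.relpath(full, root)] = stat.S_IMODE(os.lstat(full).st_mode)
    return modes

def drift(base_accounts, base_modes, cur_accounts, cur_modes):
    """Findings that show a later install undid the hardened baseline."""
    findings = [f"added account: {n}" for n in sorted(cur_accounts - base_accounts)]
    findings += [f"test/guest account present: {n}"
                 for n in sorted(cur_accounts) if n.lower() in SUSPECT]
    for path in sorted(cur_modes):
        old, new = base_modes.get(path), cur_modes[path]
        if old is None:
            findings.append(f"new file: {path} ({new:04o})")
        elif new & ~old:  # bits granted now that the baseline had removed
            findings.append(f"mode loosened: {path} {old:04o} -> {new:04o}")
    return findings

def demo():
    """Constructed scenario: a post-hardening install adds an account and loosens a file."""
    before = "root:x:0:0::/root:/bin/sh\nwww:x:33:33::/var/www:/usr/sbin/nologin\n"
    after = before + "guest:x:1001:1001::/home/guest:/bin/sh\n"
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "app.conf")
        with open(conf, "w") as fh:
            fh.write("secret=constructed\n")
        os.chmod(conf, 0o600)                 # hardened state
        base_modes = snapshot_modes(root)
        os.chmod(conf, 0o644)                 # what a later installer might do
        return drift(parse_accounts(before), base_modes,
                     parse_accounts(after), snapshot_modes(root))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Tightened permissions are deliberately not reported; only bits that the baseline had removed and that have reappeared count as drift.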

6. No workstation, other than lab computers, should be left unattended and powered up when connected to a server. This is critical if the user is signed onto the server with administrative privileges.

7. Computers which are not in use should be turned off overnight. Besides conserving electricity, this limits the times when hackers can attack the machine as well as limiting the time during which they may rummage in the machine without being noticed after they are successful in a hacking attack.

It may not be possible for all users to comply with this restriction. For example, if it is necessary to run nightly back-ups, the computers must be left on. However, for those offices where back-ups are run weekly instead, a user's machine only needs to be left on overnight on the night it is being backed up. This should be a week-night, not a weekend-night, in order to minimize exposure. All offices running back-ups should determine if the back-ups can be run during business hours. It also may not be practical to turn off lab computers at night, although they should be set up with sleep mode to conserve electricity, if lab updates are being performed.

8. Unused software should be removed from the system. Users have a tendency not to patch software which they have not used in a long time, and they might no longer be on any notification or update list if a vulnerability is discovered in the software.

9. Systems Administrators, when setting up user microcomputers, also should be sensitive to the following:

• Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Protect Windows networking shares by reviewing both share and file system permissions and setting appropriately complex passwords.

• Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. As with email clients, care should be taken to limit the chat client's ability to execute downloaded files. Users also should be cautioned against exchanging files with unknown parties.

Good sources of education for users are:

http://www.cert.org/tech_tips/home_networks.html#III-B-10

and

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Contacting the Campus Information Security Officer

The Campus Information Security Officer can be reached at (707) 826-3815 or security@humboldt.edu.

 

Endorsed by the Information Technology Council, April 11, 2006

© 2006 Humboldt State University : Information Technology Services : Rights & Usage