Minimum Computer Security Standards
University of Washington
February 11, 2005
Prepared by:
University Technology Advisory Subcommittee on Computer Security Standards
Terry Gray, Associate Vice President, IT Infrastructure, C&C, Chair
Ira Kalet, A-TAC representative
Malcolm Parks, Associate Vice Provost for Research
David Wetherall, Faculty Senate representative
Privacy Assurance and Systems Security Council
Prepared for:
The University Technology Advisory Committee
Table of Contents
Section 1 – Background
1.1 Context
1.2 Purpose
1.3 Applicability
1.4 Audience
Section 2 – Minimum Computer Security Standards by Device Type
2.1 Servers, Desktop, and Laptop Computers
2.2 PDAs and Smart-Phones
2.3 Office Machines
2.4 Specialized Computing Equipment
2.5 Firewalls
Section 3 – Exemptions
Section 4 – Enforcement
Section 5 – Consequences
Appendix A – Glossary
Appendix B – Operating System-Specific Security Options
Appendix C – References
Section 1 – Background
1.1 Context
The University of Washington has nearly 80,000 computing devices on its network. Any one of them, if compromised, becomes a threat to neighboring systems and infrastructure; indeed, a compromised computer is a potential threat to any other device on the Internet with which it can communicate. Thus, it is no longer acceptable to attach anything to the UW network unless it is properly managed and protected from intrusion and misuse.
In recognition of the risks of operating insecure computers on the campus network and the resulting impact to the university, the University Technology Advisory Committee (U-TAC) in October 2004 formed a subcommittee to propose a set of minimum standards that all computers on the campus network must meet. This document represents the result of that effort.
The intent: Computing devices within the purview of this standard that do not meet the minimum standards defined in this document must not be connected to the UW network, either directly or via dial-in, wireless LAN, or Virtual Private Network (VPN).
This is one of several policy and procedure documents related to protecting UW information, computing devices, and communication resources, all of which are maintained by the UW Privacy Assurance and Systems Security (PASS) Council. Other documents include:
- Currently Available
  - UW Information Systems Security Policy
- In Development
  - Minimum Information Security Standards
  - Computer and Information Security Best Practices
  - Computer and Information Security Checklists
  - Policy on Research Use of Network Traffic
- Other Related Sites
  - Computing Security
1.2 Purpose
This standard defines procedures for implementing certain elements of the UW Information Systems Security Policy. The focus of this particular standard is on protecting computing devices from misuse and is intended to achieve the following goals:
- Prevent subject devices from being accessed or used by unauthorized entities.
- Prevent subject devices from causing harm to other UW computers or computers at other organizations.
- Prevent subject devices from causing harm to the UW network or other networks.
Procedures for protecting the information contained on UW computing devices from misuse (a.k.a. information security) are outside the scope of this standard, except that information security builds upon the foundation of computer security.
While this document focuses on procedures for securing networked computing devices, a companion Minimum Information Security Standard focuses on procedures for protecting various classes of information, such as classified, proprietary, student educational records, protected health information (PHI), and personally identifiable information.
1.3 Applicability
This Minimum Computer Security Standard applies to any computing device that meets any one or more of the following criteria:
- The UW owns it.
- It directly connects to the UW network (e.g., a student-owned computer in a residence hall).
- It accesses the UW network via the UW dial-in service (modem pool).
- It accesses the UW network via a wireless access point attached to the UW network.
- It accesses the UW network via a Virtual Private Network (VPN) connection, such that the device is effectively part of the UW network and capable of sending arbitrary packets to any UW computer.
This Minimum Computer Security Standard does not apply to non-UW computers connecting from non-UW locations via secure application protocols.
Note that some computing devices, in addition to meeting the standards described herein, must also meet the requirements for protecting information, as outlined in the companion "Minimum Information Security Standards" document (in development). Those information security standards apply to any computing device that is deemed critical to the operation of the UW, or any device that contains 'sensitive' information (e.g., confidential, proprietary, personally identifiable, or protected patient information), or any device (including non-UW devices) accessing sensitive information on UW servers.
1.4 Audience
Every computing device falling within the scope of this standard will have, explicitly or implicitly, an individual or group responsible for the configuration and management of that device. Those individuals comprise the primary audience for this standard.
Where the subject device lacks a professional system administrator, the owner or end-user is responsible for implementing this standard by whatever means possible. Accordingly, computer users need to understand their computer security obligations and are the second audience for this standard.
Section 2 – Minimum Computer Security Standards by Device Type
Devices that do not comply with the following rules are not allowed to be connected to the UW network unless they are isolated by a suitable firewall that implements the applicable rules below.
2.1 Servers, Desktop, and Laptop Computers
Computers can be used in many different roles, with somewhat differing security requirements. The rules below constitute a baseline of necessary practices. Recommended measures beyond these minimum standards will be found in "Computer and Information Security Best Practices" (in development).
- Restrict access to authorized users. This includes a requirement for adequate physical security as well as login controls.
- Provide login control to the device through the use of good passwords transmitted only across a secure (encrypted) network link and, optionally, a biometric or token-based access system such as a smart card. Good passwords are necessary to protect the integrity of the computing device and are especially critical for privileged access, such as administrator or root accounts. Transmitting passwords only across secure links is necessary to protect the password itself.
- Disable and/or block all unnecessary network services. For servers, only allow incoming or outgoing traffic essential for the purpose of the server. For desktop or laptop computers: block unsolicited incoming connections by means of host firewall or equivalent network access restrictions.
- Use only operating system and application software versions for which security updates are readily available. If secure versions of essential software are not available, restrict access to vulnerable services to only trusted computers via a host-based firewall or network access restrictions or secure network protocols.
- Enable software auto-patching if the vendor provides this service, unless subject computer is under the control of a system administrator who is providing an alternative software update mechanism as part of a configuration management service. Software for which there is no vendor-supported auto-update service must be managed in a way that ensures timely application of security patches, verified in accordance with accepted system administration practices.
- Do not install any software that grants unauthorized users access to non-public data stored on, or accessed through, subject devices. Such prohibited software is often surreptitiously installed as part of other packages a user may seek to use. Examples include software that reconfigures a computer so that all Web traffic (including passwords and personally identifiable information) is sent to a third party's servers before reaching its intended destination (e.g., Marketscore).
- Counteract malicious and other prohibited software that may infect computers (e.g., viruses, worms, spyware, eavesdropping tools) by installing auto-updating defensive software (e.g., anti-virus and anti-spyware tools) if suitable versions are available. See Appendix B for examples. If these tools are not available for a particular computer, watch for indications of compromise, such as excessive slowness or excessive network traffic.
- Enable logging. In the case of servers, ensure that the logs are periodically reviewed by system administrators; for client machines, ensure that logs are available for audit or diagnostic purposes. Examples of information that should be logged include authentication failures and modifications to security settings or to anti-virus software executables.
- When installing (or re-installing) a computer operating system or other software packages that require multiple steps, and using the network to obtain software updates, ensure that the system is safe during the update process. Using an inexpensive hardware firewall during the install process is one way to achieve this.
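The rules above can be read as a checklist that a system administrator verifies before a device goes on the network. The following is an added illustration, not part of the UW standard or any UW tool: it audits a constructed host profile against the Section 2.1 rules (unnecessary listening services on servers, a missing host firewall on desktops, no patch process, no auto-updating anti-malware, logging disabled) and then performs the log review the logging rule calls for, counting repeated authentication failures per source address in a few constructed syslog-style sshd lines. The profile field names (`role`, `listening`, `allowed_services`, and so on) and the thresholds are assumptions made for this example.

```python
"""
Host compliance check against the Section 2.1 minimum standard.

Added illustration, not part of the UW standard: a small audit that takes
a host profile (constructed inline below) plus a few constructed
syslog-style authentication lines, and reports which Section 2.1 rules
the host fails. Field names in the profile (role, listening,
allowed_services, ...) are assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class HostProfile:
    name: str
    role: str                       # "server" or "client" (desktop/laptop)
    listening: set                  # ports the host accepts connections on
    allowed_services: set           # ports essential to the host's purpose (servers)
    host_firewall_enabled: bool     # blocks unsolicited inbound connections
    auto_patch: bool                # vendor auto-update enabled
    managed_by_admin: bool          # administrator-run update process instead
    anti_malware_auto_update: bool  # auto-updating anti-virus/anti-spyware present
    logging_enabled: bool


# Constructed sample: a desktop exposing services with its host firewall off.
SAMPLE_CLIENT = HostProfile(
    name="lab-desktop-1", role="client",
    listening={135, 139, 445, 5900}, allowed_services=set(),
    host_firewall_enabled=False,
    auto_patch=False, managed_by_admin=False,
    anti_malware_auto_update=True, logging_enabled=True,
)

# Constructed sample: a web server that also leaves a file-sharing port open.
SAMPLE_SERVER = HostProfile(
    name="dept-web-1", role="server",
    listening={22, 80, 443, 445}, allowed_services={22, 80, 443},
    host_firewall_enabled=True,
    auto_patch=False, managed_by_admin=True,
    anti_malware_auto_update=True, logging_enabled=True,
)


def audit_host(host: HostProfile) -> list:
    """Return the Section 2.1 rules the host violates (empty list = compliant)."""
    findings = []
    if host.role == "server":
        # Servers: only traffic essential to the server's purpose is allowed.
        extra = sorted(host.listening - host.allowed_services)
        if extra:
            findings.append(f"unnecessary services listening on ports {extra}")
    else:
        # Desktops/laptops: unsolicited inbound connections must be blocked.
        if host.listening and not host.host_firewall_enabled:
            findings.append("host firewall disabled while services are listening")
    if not (host.auto_patch or host.managed_by_admin):
        findings.append("no auto-patching and no administrator-managed update process")
    if not host.anti_malware_auto_update:
        findings.append("anti-malware software not installed or not auto-updating")
    if not host.logging_enabled:
        findings.append("logging disabled")
    return findings


# Constructed syslog-style lines of the kind the logging rule says to record and review.
SAMPLE_AUTH_LOG = """\
Feb 11 09:02:13 dept-web-1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Feb 11 09:02:15 dept-web-1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Feb 11 09:02:18 dept-web-1 sshd[2213]: Failed password for root from 192.0.2.10 port 4023 ssh2
Feb 11 09:03:01 dept-web-1 sshd[2220]: Accepted publickey for jdoe from 198.51.100.7 port 51000 ssh2
Feb 11 09:05:44 dept-web-1 sshd[2231]: Failed password for jdoe from 198.51.100.7 port 51010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def review_auth_failures(log_text: str, threshold: int = 3) -> dict:
    """Count failed logins per source address; return sources at or above threshold."""
    per_source = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_source[m.group(2)] += 1
    return {src: n for src, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    for h in (SAMPLE_CLIENT, SAMPLE_SERVER):
        print(h.name, audit_host(h) or ["compliant"])
    print("sources with repeated authentication failures:",
          review_auth_failures(SAMPLE_AUTH_LOG))
```

The audit is deliberately role-aware: a server is judged against an explicit allowlist of essential ports, while a desktop is judged on whether its host firewall blocks unsolicited inbound traffic, which is the distinction the third rule above draws. The log review keys on source address rather than account name so that a single source cycling through several accounts is still surfaced.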
2.2 PDAs and Smart-phones
- As personal digital assistants (PDAs) and smart-phones become more computer-like, they must be regarded as potential risks to adjacent systems and networks or to protected information. Viruses and worms targeting pocket devices are just beginning to appear, and auto-update of the operating system is still rare, so owners must watch for security bulletins and update instructions from the product vendor.
2.3 Office Machines
- A growing number of office machines, such as printers, copiers, and fax machines, are now network-connectable. These devices may have software faults that make the machine vulnerable to unauthorized use or that can cause damage to other systems or the network.
- Office machines often are not amenable to standard computing security practices (although some devices do have regular MS Windows or Linux computers inside), so it may not be possible to enable integral firewalls, anti-virus software, or automatic updates.
- It may be difficult to know when an office machine has been compromised. However, when a security problem is discovered or suspected, the machine must either be removed from the UW network until the product is updated/repaired or isolated from the rest of the UW network by placing the device behind a logical or physical firewall.
2.4 Specialized Computing Equipment
- A PI or unit head is responsible for making sure that specialized computing devices within his or her purview do not constitute a risk to other computers or the network (or to protected UW information). Even if the standard security measures described in this document cannot be implemented without rendering a device unusable, specialized devices and the information associated with them must be protected from attack or exploit. External security appliances may be needed to achieve this goal, such as individual or logical firewalls and VPN tunneling devices.
2.5 Firewalls
- Firewalls, like other computing devices, can have security vulnerabilities. Anyone responsible for a firewall must ensure that security updates are applied and that log files are regularly reviewed.
Section 3 – Exemptions
This standard provides for alternative methods of compliance: (1) well-configured computing devices, or (2) a dedicated firewall. Thus, situations requiring exemptions should be rare. However, in accordance with the UW Information Systems Security Policy, the PASS Council is empowered to grant exemptions. For details, see UW Information Systems Security Policy Development, Revision, and Exemption Processes.
Systems that are deployed specifically for intrusion detection or security research are good candidates for such exemptions.
In the case of UW Medicine, exemption requests must follow UWM IT Services procedures before submission to the PASS Council.
Section 4 – Enforcement
Enforcement of this Minimum Computer Security Standard is the responsibility of the Campus Information Security Officer (CISO) and the PASS Council, with support from Risk Management, Internal Audit, and Computing & Communications.
Not all of the provisions in this standard can be enforced by technical means; however, this does not absolve UW computer administrators or users/operators from responsibility for the behavior of their systems, and it is expected that automated enforcement techniques will be continually improved.
Section 5 – Consequences
Connected devices found to be out of compliance with this standard will be disconnected. Individuals or departments responsible for such devices may be subject to a reconnection fee. The PASS Council has responsibility for determining under what circumstances a fee might be assessed.
Note that the requirements of this Minimum Computer Security Standard are met either by making the device itself safe by implementing the specific provisions of section 2, or by isolating the device from the rest of the network via a suitable firewall that implements the relevant provisions of section 2.
Disconnection may happen automatically as a consequence of automated defense or vulnerability detection systems, or as a result of manual intervention.
Multiple incidents and/or willful disregard may be referred to the PASS Council for additional action.
Appendix A – Glossary
Server. A server is a computer that intentionally provides information/data to other computers, using protocols such as: file transfer (FTP), file access (SMB, CIFS, NFS), World Wide Web (HTTP), email (POP, IMAP), peer-to-peer, etc.
Critical. A critical server or service is one whose absence or malfunction would seriously undermine carrying out UW's mission.
Sensitive. Sensitive information is that to which access must be carefully limited, in order to meet legal, policy, and ethical requirements.
There are several types of sensitive information, and they may need different levels of protection:
- Patient data (protected by HIPAA)
- Student educational records (protected by FERPA)
- ITAR restricted information (e.g., cryptographic algorithms)
- Personally identifiable data (e.g., SSN)
- HR (confidential personnel records)
Sensitive information can exist on any computer, not just servers.
Note that in some UW documents, the term sensitive is used to encompass both the concepts of sensitive and critical as defined here.
Appendix B – Operating System-Specific Security Options
Note: There is no intent in this standard to require or recommend use of any particular operating system. The goal is only that whatever system is chosen should not be a threat to UW resources.
This list is not meant to be exhaustive, and the Computer and Information Security Best Practices document should be consulted for more specific information on protecting devices and sensitive information.
Microsoft Windows. For desktop systems, Windows XP Service Pack 2 seeks to achieve many of the goals of this standard. In particular, the built-in host firewall is improved and is enabled by default. The default settings attempt to implement the goal of blocking unsolicited incoming connections.
XP Service Pack 2 does not provide defense against malicious software that has already gotten onto a machine, except to nag you if it does not detect any anti-virus program running. It is therefore necessary to separately install anti-virus and anti-spyware tools, such as:
- Anti-virus: McAfee VirusScan (currently site licensed by UW)
- Anti-spyware: Spybot Search and Destroy (freeware)
For Windows-based servers, the built-in IPSEC tools provide a mechanism to limit incoming connections to appropriate clients and/or appropriate services.
Apple Macintosh. OS X contains a built-in firewall that, when enabled, attempts to implement the goal of blocking unsolicited incoming connections. As with MS Windows, additional anti-virus tools are needed. Additional anti-spyware tools may also be recommended at a future date, but currently are not available.
- Anti-virus: McAfee Virex (currently site licensed by UW)
- Anti-spyware: currently none available, to be reviewed
Linux. Many Linux distributions (e.g., Red Hat) come with a built-in firewall enabled. Although spyware and viruses are not at this time as large a threat to Linux systems as to Windows systems, adding security tools to protect against those threats will be increasingly important as Linux grows in popularity.
In all cases, keeping the operating system patched to prevent exploitation of known vulnerabilities is the essential goal.
Appendix C – References
- Washington State IT security documents
- US-CERT Cyber Security Tips
- US-CERT Intruder Detection Checklist
- US-CERT Security Library
- A list of reviews for anti-spyware products from Home PC Firewall Guide
- NSA report on worms: The Case for Using Layered Defenses to Stop Worms (PDF)
- The ISO Security Standard
