Rutgers - The State University of New Jersey

 

Securing Computers: Guidelines

September 24, 2003

 


Memorandum to: Technical and Security Mailing Lists

From: Charles Hedrick, Chief Technical Officer

Most of you should have seen the letter from Dr. Philip Furmanski and Karen Kavanagh on security by now. This email is intended to give more technical background.

Unfortunately, events are putting us into a position where we can no longer regard security as simply recommended. We understand, and are sympathetic with, staffing difficulties and concerns about user convenience. But the time has come when we can no longer accept excuses. One of the reasons for involving the Executive VPs was to help convince departments to allocate the necessary manpower. The OIT campus divisions would be pleased to talk with departments about ways to implement the requirements outlined in the memo.

Thus the Executive VPs, at OIT recommendation, are now mandating that all areas must take certain basic precautions. We're most explicit about Windows, but the security process described will also cover other types of system. For Windows, we believe it is now mandatory to use some form of automated updating both for antivirus software and for the operating system, at a minimum. With the number of problems being discovered, and the speed at which they propagate, maintaining systems by hand is no longer going to produce good enough results.

One approach, which is mentioned in the letter, is to use RADS (an OIT service based on McAfee antivirus software and ePolicy Orchestrator) and Windows Update running in an automated mode. (This requires some attention to usage patterns -- some common settings of Windows Update require users to keep their systems on all the time.) However, we're trying to avoid requiring specific approaches. If you want to use Norton for antivirus, that is acceptable, as long as you are certain that all of your machines have automated delivery that is equivalent in results to RADS. If you have other ways of updating the OS (and if possible other software such as Office), that is also acceptable as long as updates are installed shortly after being issued. Whatever process you use, it must assure that updates are not ignored by users who find security too much trouble.

There is actually a third issue, which is system configuration. We have seen a surprisingly large number of systems with obvious errors such as a C: drive shared writably to the world with no password. It's harder to write a simple description of how to fix these problems, but they also require attention. One of the reasons for recommending use of a software firewall is to provide additional protection against configuration problems. As you go around to your systems to take care of the mandatory issues, I would ask you to check on file sharing, look for unexpected software or options, and if possible to enable ZoneAlarm, the XP firewall, or some other protection.

It is nearly impossible to determine from the outside whether these processes are being followed. Security scans have been a useful tool, but scanning isn't enough to make sure that systems are being secured properly. For this reason we're asking all departments to report to Information Protection and Security what actions they are taking. IPS is on the hook to report to the administration on progress throughout the University.

When we've discussed this in the past, some people have noted that there are certain systems that are impractical to update. One common situation is special-purpose systems (e.g. PCs used as controllers for a phone system), where you must use software supplied by a vendor. Unless your vendor passes on Microsoft's patches almost immediately, we believe you are going to have to put systems like this behind a firewall. In many cases I would recommend one of the low-end boxes designed for home networking. Another approach might be a software firewall set to permit no incoming connections except the specific service provided by the system, with the configuration carefully reviewed to make sure that users won't undermine it. In the case of ZoneAlarm this might mean turning off the mode where it asks permission to enable ports as software tries to use them.

Of course a software firewall alone isn't good enough, because you still have to worry about malware getting in via email, floppies, etc. But in situations where patching is absolutely impossible, an ironclad firewall configuration, email from a server that does virus filtering, plus RADS might be good enough. Indeed this is just about all I can think of to do with Windows 95 and 98, where patches are no longer being issued.

One comment that was present in some drafts but didn't make it into the final document concerns Windows 95 and 98. Microsoft says that they are no longer going to issue free updates for these OSs. Some of us suspect that if a bad enough problem turns up in 98 they might feel that they have to, but that's unlikely for 95, and even for 98 probably won't last long. Imagine what is going to happen if something like MSBlaster occurs for Windows 9x. If no patch is issued, we could easily find ourselves insisting that a large number of systems be removed from the network.

For this reason, all departments need to have plans to move their systems to XP. In principle Windows 2000 is also OK, but I don't see any reason for moving to 2000 at this stage, except for servers. I would probably be willing to keep old systems around in low-priority uses. But if you do so, I believe that in order to be in compliance with policy you must at the very least use a bullet-proof software firewall setup (no incoming connections) together with good antivirus precautions and updates at least for MS Office.

You are also going to need to look at your usage policies. I would strongly recommend that departments not permit unnecessary server-type software. I believe this means reviewing with your users (particularly student users) the dangers of downloading software from the Internet, particularly P2P and other software that tends to make the system into a server, and open back doors of various sorts. In order to live in today's environment, departmental managers and technical staff together will need to take steps that will make sure you know what is being done with your systems. I don't want to discourage user creativity, but it is no longer acceptable to find that half of your Windows desktops have been turned into Internet servers behind your back.

FYI, there is a corresponding process being done in the dorms. The form is somewhat different because of the different circumstances there.


Last updated: Monday, 23-May-2005 09:34:53 EDT