
Networks - Minimum Desktop Requirements

Summary of minimum requirements for desktop connectivity.

1. Automatic Software Patch Updates*
2. Anti-virus software*
3. Host-based firewall*
4. Passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. Network connectivity
8. Physical security
9. Unnecessary services
10. Remote session encryption
11. Deploy computers with standard burn
12. Non-Compliance

* Done in standard load


Detail of minimum requirements for desktop connectivity.

1. Automatic Software Patch Updates*

All machines must be up to date with security patches. Windows devices on the campus network must be configured to use the CWU Patch Server to maintain patching. Macintosh patching will be available from a local OS X server in 2005.

2. Anti-virus software*

Anti-virus software must be installed, running and kept up to date.

3. Host-based firewall*

At a minimum, host-based firewalls must:

  • Be running at all times
  • Block inbound traffic to ports that are not running necessary services
  • Log inbound and outbound blocked packets
  • Allow all inbound and outbound ICMP traffic except "mask discovery"

4. Passwords

Access to CWU hosts, networks and computing must require password authentication. Passwords must meet minimum complexity standards. Remove or disable default accounts. Require password authentication after the device has been idle for more than 20 minutes (screen saver password).

All default passwords must be changed.

5. No unencrypted authentication

Historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

6. No unauthenticated email relays

Unauthenticated email relays can cause problematic bandwidth usage and inappropriate email appearing to come from campus. Relays may be exploited to allow use of devices for other unauthorized activities, in a manner similar to virus attacks. System administrators should migrate to user-authenticated SMTP services. Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay e-mail messages.

7. Network connectivity

Devices which extend the network, such as but not limited to hubs, switches, bridges, routers and access points, or computers functioning as such, may be connected only by the Networks and Operations department within Information Technology Services. Users (students, faculty and staff) may connect computers and printers to the network.

8. Physical security

Unauthorized physical access to an unattended device can result in potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes. Mission-critical systems must be located in a secure location accessible only to authorized personnel.

9. Unnecessary services

If a service is not necessary for the intended purpose or operation of the device, that service shall not be running. (SNMP, Universal Plug & Play, WWW, FTP)

10. Remote session encryption

Users accessing trusted or privileged connections to resources must use strong encryption, such as a VPN.

11. Deploy computers with standard burn

Standard burns for PCs are here and standard burns for Macs are here. Machines burned with a standard load are consistent and easier to manage securely, and they make it easier to predict or identify use outside the norm.

12. Non-Compliance

Compromised network devices will be disconnected from the network. Action may be taken to restrict or remove network access to devices not found to be in compliance with the minimum requirements.

Contact Information

ITS - Networks
400 E. University Way
Ellensburg, WA 98926
Phone (509) 963-2924
Email: networks@cwu.edu