Self Administered Computers
The School of Computer Science and Engineering (the School) provides a large number of wide ranging computing facilities for the use of staff and students of…
Work in progress
This page was automatically migrated from the legacy Taggi site ( https://taggi.cse.unsw.edu.au/Policies/Self_Administered_Computers/) and is pending review. Content, links and screenshots may be incomplete or incorrect.
Introduction
- The range and variety of software and hardware systems provided and administered by the CSG needs to be restricted to the smallest subset of such systems that can meet the needs of the largest number of the users (or groups of users) within the School. In practice, this means that the CSG is charged with defining and providing the fewest number of systems that can cater to our three primary groups of users: students, academics, and administrative staff.
- In order to make the administration of these systems as simple and as practical as possible, these software and hardware systems need to be kept under the full control of the CSG where possible. This generally means restricting system root or administrative access to members of the CSG and to no one else.1
Who This Policy Applies To
Who Maintains This Policy
Concepts and Definitions
School computers:
Computers (and associated hardware such as printers, monitors and keyboards) which are purchased using the School's Operating Funds.
Non-school computers:
Computers (and associated hardware) purchased using research grants or work/study-related funds other than the School's Operating Funds. These computers still remain a 'school asset'.
Private computers:
Computers purchased from other funds, often paid for by individual academics or students.
Virtual computers:
Computers created by such tools as VMware. They have no physical existence but otherwise behave in the same way as real computer hardware. It is possible for a self-administered computer to run a CSG-administered Virtual computer, or for a CSG-administered computer to run a self-administered Virtual computer.
- the installation of one or more separately bootable operating systems on the one computer.
- the configuration of the operating systems to allow (at a minimum): connection to the School's Ethernet or wireless networks; use of the School's WWW and FTP proxies; use of the School's printers; sending and receiving email through the School's email system; and the access of the user's home directories on a CSG-administered computer.
- the maintenance of a standard single-boot CSG-installed operating system.2
Software support includes installation and configuration of application software where this requires administrative access.
CSG administration of a computer
The CSG very strongly recommends users of other computers similarly lock down their computers.
Self-administration of a computer
Gaining and relinquishing self-administration
Operating systems and software available for self-administered computers
CSG Support of self-administered computers
Responsibilities of self-administrators
- Complying with School and University rules and policies regarding use of computers.
- Installing and configuring the operating system and application software. This covers all aspects of the system: for instance, creating printer configuration files and ensuring root mail is sent to the user rather than to root@cse.unsw.edu.au.
- Maintaining and upgrading software. The CSG strongly recommends users join the appropriate mailing lists so they will be apprised of news and alerts concerning their software. Many software distributions have (semi-)automated update mechanisms; these are particularly useful for getting security updates for software.
- Ensuring data and work stored on the self-administered computers and/or external storage media is backed up. The CSG will continue to back up the user's home directories on CSG-administered servers.
- Securing the computer and monitoring and maintaining the security of the computer. This is covered in more detail in the Appendix under the section on Securing computers within CSE.
Appendix
Securing computers and devices within CSE
Rationale
Security of CSE computers is required for a number of reasons:
Legislative Compliance:
There are various laws and regulations relating to the use, storage, interception, and transmission of various types of data and/or information within the University and Australia. The school is required to ensure that its computers and network infrastructure are secured in such a way that they are not used, either directly or indirectly, to contravene any of these laws and regulations or for any criminal purpose.
Effective use of shared resources:
The School's computing infrastructure, the campus-wide network, and the Internet beyond are a collection of shared resources. The effective use of these resources depends on a high degree of co-operative responsibility taken by all users of these resources. Anything that impinges upon the fair use of, or access to, these resources by others is a Bad Thing and much of the security infrastructure is about preventing the misuse of, or denial of access to, these shared resources, whether such actions are intentional or not.
To maintain the Good Name of the School and University:
The School of Computer Science and Engineering and the University of New South Wales are held in high regard nationally and internationally. Our continued success as a leading educational and research institute depends on, inter alia, maintaining that high regard. Any activity that reflects poorly on our good name is of itself a Bad Thing.
Maintaining Security
Fundamental security measures
Restricting Physical Access:
Preventing the devices from being stolen or being opened; having their BIOS or hardware tampered with or removed; or allowing the computer or device to be booted from a floppy or other removable (and uncontrolled) device.
Proper Software Selection and Configuration:
Selecting software and configuration options with security being a primary concern; installing software from known and trusted sources; choosing and configuring secure system passwords and permissions for all installed software systems.
Enabling only essential services:
This reduces the number of systems or services that can be attacked. Most computers only need to accept SSH connections for satisfactory use. Listening for other connections (NFS, ftp, WWW, etc) increases the number of vulnerabilities that might be exposed and exploited. As a general principle, turn off all services; then only turn on those services that are found to be essential.
Keeping software current:
Staying up to date with, and installing:
- New versions of software which often patch or fix security vulnerabilities (as well as add new features);
- The latest virus signatures and security updates.
New viruses often reach CSE within a day or so of being reported overseas, while vulnerabilities in other systems and services are exploited within days of their discovery. It is therefore essential to check for and install such updates from reliable sources on a regular basis (at least weekly).
Eternal Vigilance:
Monitoring system security is essential. This will vary from system to system, but will include making sure that monitoring tools are running and checking reports and logs from those tools and from other system services.
Basic steps to securing a computer
All Platforms:
- Install a good firewall and configure it to block all privileged ports except for essential services. If you don't know what something is doing, it probably isn't essential.
- Most Windows and Mac users don't run servers on their computers and therefore don't need to keep ports open; *nix users usually run SSHd
- You do not need to keep privileged ports open at your end in order to access websites, instant messaging or other aspects of the internet.
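One way to check a Linux host against the "essential services only" and firewall guidance above, as an added example that is not part of the original policy: it parses the output of `ss -H -tln` and reports TCP listeners reachable from the network that are not on an allowlist. The allowlist (SSH on port 22 only) and the sample `ss` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: SSH is the only essential service, as the policy suggests for most hosts.
ESSENTIAL_PORTS = {22}

# Constructed sample of `ss -H -tln` output (no header, TCP, listening, numeric).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111       0.0.0.0:*
LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
LISTEN 0 64   [::]:2049         [::]:*
LISTEN 0 511  *:80              *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (address, port) pairs for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners

def is_loopback(addr):
    """True only for addresses bound to the local host (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # "*" and anything unparseable counts as network-exposed

def audit(ss_output, essential=ESSENTIAL_PORTS):
    """List network-reachable listeners that are not on the allowlist."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr) or port in essential:
            continue
        findings.append({"addr": addr, "port": port, "privileged": port < 1024})
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        kind = "privileged" if f["privileged"] else "unprivileged"
        print(f"non-essential listener on {f['addr']}:{f['port']} ({kind})")
```

On a real host, pass the captured output of `ss -H -tln` to `audit()` in place of the sample; each finding is a service to turn off or a port to block at the firewall.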
Windows:
- Ensure Windows Update is set to automatically install Critical Updates
- Ensure your antivirus definitions are current and being automatically updated, for instance enable Symantec LiveUpdate.
Debian:
- Add http://mirror.cse.unsw.edu.au/debian-security to /etc/apt/sources.list. See the FAQ for more.
macOS:
- Ensure that Software Update checks for updates daily from http://www.apple.com/support/downloads/
You should also subscribe to the security updates mailing list for your operating system: all major and most minor vendors will have a link for this on their website (usually under Support).
Breaches of Security
- Denial of Service attacks;
- Port scanning;
- Packet sniffing;
- The creation or intentional dissemination of viruses, worms, trojans, or other malware3;
- The storage, transmission or distribution of restricted or copyrighted material (eg: porn, video, or music);
- Disconnect the host from the network
- Disable network access permissions as required or necessary
- Email the recorded owner of the host, and the user (if known), about the incident.
Three Strikes Policy
- The computer or device responsible is (usually) isolated from the network
- An email is sent by ss to the owner(s) and administrator(s) of the computer or device explaining the situation;
- A strike is applied against the owner(s) and administrator(s) of the computer or device.
Note that the strike is counted against the owner(s) and administrator(s) of the computer or device, and not against the specific computer or device exhibiting the behaviour.
Strike 1:
The computer or device will not be re-connected to the CSE network until the administrator has indicated that they have sensibly dealt with the issue.
Strike 2:
The computer will not be re-connected until the administrator has assured the CSG that they have removed the exploit or infection and taken steps to prevent a similar compromise. Typically this assurance will take the form of a detailed email sent to System Support stating exactly what steps were taken, and why. For instance, the self-administrator will have to have done some (if not all) of the following:
- Used an appropriate tool (such as Norton on Windows computers);
- Found, identified, and removed one or more pieces of malware3;
- Found and fixed bugs or errors in their scripts, programs, or configuration;
- Loaded appropriate security patches for the operating system;
- Updated virus signatures and security patches;
- Put systems in place that monitor the system, and update patches as they are released.
Strike 3:
The CSG will not diagnose, clean or reinstall your computer for you. At most they will point you towards websites that may help and lend CD/DVDs of ISOs for installation of some popular operating systems. Symantec's website has removal tools for some of the most common worms and trojans but keep in mind that removal tools are not guaranteed to leave your computer completely clean. Reinstallation is the only way to be sure your computer is 100% under your control again.
Footnotes
1. Although it might be possible for the CSG to confer temporary administrative rights over some systems to a select subset of non-CSG users, this will usually be at the discretion of the CSG, and under their full control.
2. The CSG may assist in the installation of multi-boot systems but will not subsequently support them.
3. Malware is the common term for "malicious software", software intended to damage a computer system or disrupt use of a computer system (including corrupting or stealing information).
July 2010 - Zain Rahmat

