Common Computing Standards For All Systems And Devices

• User account passwords must be changed at least once every 60 days
  • Strong password must be used containing six or more characters that are comprised of letters, numbers, and symbols.
• Enable screen lock-out, or automatic account time-out, on your systems and devices that activates after 10 to 15 minutes of ideal time
• Set BIOS password to protect alteration of boot up procedures
• All computing devices with firewall capabilities must have firewall enabled and only specific protocols allowed depending on applications running on them.  MS Domain Control may be an exception. Database servers must be fire-walled and only specific access granted to them.
  • Major operating system vendors provide firewall software at no cost
    • Windows firewall
    • MAC firewall
    • *nix IP filters
• All data on computing devices must be erased before the device is transferred or surplused. Here are some recommended software to erase drives:
  • Active@ Kill Disk - http://killdisk.com/
  • Darik's Boot and Nuke ("DBAN") - http://dban.sourceforge.net/
  • Eraser - http://sourceforge.net/projects/eraser
  • Wipe - http://sourceforge.net/projects/wipe/
• Disable unnecessary protocols, such IPX, NetBIOS, etc. Enable only TCP/IP
• Disable all unused wireless communication technologies (i.e., WiFi, Bluetooth, infrared, etc.) from devices
• Configure computing devices to automatically receive and install operating system and application updates from vendors or local sources
• Run the latest compatible OS version
• Install the latest compatible service packs, and security and application patches
• Do not login as an administrator on a regular basis.
  • Administrator account should be used only for administering the system.
• Make frequent backups of your data and securely store it with encryption technologies. Encryption is required for restricted data.
  • Periodically test backups for integrity
• Transmit restricted data (refer to the Data Classification Policy) by using only secure methods. Such as SSL, SSH, etc. No email, ftp, http or telnet

Common Guidelines For All Systems and Devices

• All computing devices capable of running anti-virus software must have an anti-virus software installed and kept up-to-date. Recommendations for anti-virus software are
  • Symantec
  • McAfee
  • Kaspersky Lab
    • Centrally managed Antivirus software is strongly recommended
• All computing devices capable of running anti-spyware software must have an anti-spyware software installed and kept up-to-date. Recommendations for anti-spyware software are
  • MS Windows Defender
  • Ad-Aware
  • Symantec or McAfee versions that also provides anti-spyware protection
• If there is a strong business reason for having restricted data on a PC or mobile device, restricted data must be protected by disk encryption technologies. Storage of restricted data on a mobile computing device must be approved in writing by the employee’s dean, director, or vice president and based on a legitimate business need. Recommendations for encryption technologies are
  • PGP Desktop (Windows & Mac)
  • TrueCrypt (Windows & Linux)
  • Ultimaco Safeguard (Windows)
  • BitLocker (Windows)
  • FileVault (Mac)
    • Care must be taken to protect access keys and passwords in order to recover data and information
• Asset recovery software is strongly recommended for mobile devices that can run such technologies, e.g., laptops, especially for end-user devices containing restricted data. In the event of a theft, use of such technology enables authorities to locate and retrieve the asset. Recommendations for asset recovery technologies are
  • Computrace Complete from Absolute Software
    • http://www.absolute.com
  • CyberAngel
    • http://www.thecyberangel.com/
  • LoJack from Absolute Software (Recommended solution for student computers - not for UCF property)
    • http://www.lojackforlaptops.com/

Standards for Mobile Devices

• Common Computing Standards and Guidelines +
• Storage of restricted data on a mobile computing device must be approved in writing by the employee’s dean, director, or vice president and based on a legitimate business need. Follow the guidelines above for proper protection of restricted data.
• VPN technologies must be used, i.e., UCF Virtual Private Network (VPN), when accessing restricted resources from insecure networks such as wireless and public Internet service providers (ISP.)

Windows Workstation Standards

Unix Server Standards

Linux Server Standards

• Common Computing Standards and Guidelines +
• Servers must be in physically and environmentally controlled locations
• NFS shares are not exported to the world
• Change passwords or disable all default accounts
• Remove etc/hosts.equiv
• No accounts with null passwords
• Edit /etc/inetd.conf (or equivalent) to remove all unneeded services
• System administrator on security mailing list(s) applies fixes and upgrades in a timely manner
• Running the latest version of sendmail. You may consider using Postfix, Qmail, or Exim.
• Use SSH or Kerberos for telnet or rlogin
• .rhosts files removed nightly by a script
• Clock synchronized to a central UCF time server. UCF Time Servers:
  • time.ucf.edu (Primary)
  • ucf1.ucf.edu (Secondary)
  • ucf2.ucf.edu (Tertiary)
  • ucf3.ucf.edu (Quaternary)
• sendmail configured to deny relaying, EXPN, VRFY, and DEBUG
• Mount all user partitions and /tmp and /var with "nosuid" option
• Consider using tcp-wrappers to help control and log access
• Install/run identd to help determine source of problems
• Use tripwire or other IDS package to detect changes to important files. Download Tripwire
• System administrator actively monitors for probes or attacks, and alerts Security Incident Response Team.
• Establish procedures and guidelines for responding to incident. See Security Incident Response Plan

MAC Standards

• Common Computing Standards and Guidelines +
• Servers must be in physically and environmentally controlled locations.
• Securely erase the Mac OSX install partition before install.
• Do not install any unnecessary packages.
• Require an Open firmware or EFI password.
• Create an access warning for the login window, command line, do not use fast user switching with non-trusted users or when multiple users access local accounts.
• Create an administrator account and a standard account for each administrator, and create a standard or a managed account for each non-administrator, set appropriate controls, restrict the distribution and use of administrator accounts, modify the /etc/authorization file to secure directory domain access, disable su, restrict sudo users to only being able to access required commands.
• Change initial password for the system administrator account, disable automatic login, display “Show password hints”, “Enable fast user switching” “Show the Restart, Sleep, and Shut Down buttons”.
• Do not display recent applications, documents, and servers.
• Remove privileges to modify system preferences, dashboard and exposé.
• Disable dash board.
• Set a short inactivity interval for the screen saver and Use password protected screensaver.
• Disable unnecessary services, including Airport support, Bluetooth, microphone, iSight camera, DHCP services, DNS service, Bonjour,  iChat, file sharing, remote login and VPN, automatic login, root login, web service, printing service, QuickTime stream server, Xgrid. If any of above tools are needed, please configure the software securely before production according to the following guidelines.: http://images.apple.com/server/macosx/docs/Tiger_Server_Security_Config_021507.pdf
• Deactivate unnecessary mail protocols if not needed. Enable SSL for incoming and outgoing mail service if mail servers are needed. Enable virus filter. Disable SMTP Banner. Provide different servers for outgoing mail service and incoming mail service when possible.
• Install and enable auditing tools from: www.apple.com/support/security/commoncriteria
• Monitor and review security event logs on a regular basis
• Enable audits of backups and restores
• Clock synchronized to a central UCF time server. UCF Time Servers:
  • time.ucf.edu (Primary)
  • ucf1.ucf.edu (Secondary)
  • ucf2.ucf.edu (Tertiary)
  • ucf3.ucf.edu (Quaternary)
• System administrator must be on security mailing list(s) and applies fixes and upgrades in a timely manner.
• System administrator actively monitors for probes or attacks, and alerts Security Incident Response Team.
• Establish procedures and guidelines for responding to incidents. See Security Incident Response Plan 

References: Data Classification and Protection Policy , Security of Mobile Computing, Data Storage, and Communication Devices , NIST SP800