Security Requirements for All UCOP Networked Devices

January 26, 2005

The following requirements must be met for all devices connected to the UCOP data network, such as desktop or laptop computers, file servers, mail servers, and printers. See Minimum Standards for Connecting to the UCOP Network for specific details and recommended software for Windows-based and Apple Macintosh operating systems. Please contact the Technology Service Desk at ServiceDesk@ucop.edu if you have questions or additional requirements.

UCOP networked devices are "electronic information resources" as defined in Business and Finance Bulletin IS-3, "Electronic Information Security."

1. Passwords

All UCOP networked devices must employ adequate access control measures to ensure that only authorized individuals may gain access to their resources. Electronic communications systems or services must authenticate users by means of passwords or other secure authentication processes in accordance with the UCOP password policy. In addition, shared-access systems must enforce these standards whenever possible and appropriate.

UCOP networked devices should also require that users change any preassigned passwords immediately upon initial access to the account. Default passwords for access to network-accessible devices are discouraged, but if used, must be changed immediately.

Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.

2. Access to Unattended Computers

Unauthorized use of an unattended device can result in harmful or fraudulent modification of data, unauthorized access to confidential information, fraudulent e-mail use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for an extended period of time.

3. Encrypted Authentication

Traffic across the UCOP network may be surreptitiously monitored, rendering authentication mechanisms vulnerable to compromise. Therefore, all UCOP devices must use only encrypted authentication mechanisms unless otherwise authorized by IR&C.

In particular, only secure, encryption-capable versions of services such as Telnet, FTP, SMTP, POP, and IMAP may be used on the UCOP network. All UCOP servers supporting those services must require authentication over encrypted transmissions.

4. Software Patch Updates

UCOP networked devices must be subject to professional system and change-management practices. In particular, networked devices should run versions of operating system and application software for which security patches are made available and installed in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications, but any such exceptions must be registered with IR&C so that they are known to UCOP IT security and support staff. Implementation of additional measures may be required when exceptions are granted.

5. Anti-Virus or Anti-Spyware Software

When readily available for specific operating systems as defined in the minimum standards, anti-virus software must be running, up-to-date, and have current virus definition files installed on every level of device, including clients, file servers, mail servers, printers, and other types of networked devices. Anti-spyware software must also be installed when readily available.

6. Unnecessary Services

If a service is not necessary for the intended purpose or operation of the device, it should not be running on that device and should be turned off. For instance, if a Windows server is used exclusively as an SQL server host, all ports and services other than those required by the SQL server must be deactivated.

7. Host-based Firewall Software

When readily available for specific operating systems as defined in the minimum standards, host-based firewall software must be running and configured to limit network communications to only those protocols that are required to be reachable over the network.

8. Authenticated E-mail Relays

UCOP devices must not provide an active SMTP service that allows unauthorized individuals to send or relay e-mail messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user. Before transmitting e-mail to a non-local address, the sender must authenticate to the SMTP service. Authenticating the machine (e.g., by IP address or domain name) rather than the sender is not sufficient to meet this standard. Unless an unauthenticated relay service has been reviewed and approved by IR&C as to configuration and appropriate use, it may not operate on the UCOP network.
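The relay rule above, written out as a decision procedure that an administrator could run against captured submission attempts to confirm a mail server meets it. This is an added example, not code from UCOP or from any mail server; the local domain and the sample submissions are constructed for illustration.

```python
"""Check SMTP relay decisions against the section-8 rule (added example)."""
from dataclasses import dataclass

# Constructed sample: the page names no local domains.
LOCAL_DOMAINS = {"ucop.edu"}


@dataclass(frozen=True)
class Submission:
    sender: str
    recipient: str
    user_authenticated: bool   # the sender completed SMTP AUTH
    client_trusted_ip: bool    # machine-level trust only (IP address/domain)


def is_local(address: str) -> bool:
    """A local user is one whose address is in a local domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in LOCAL_DOMAINS


def relay_decision(s: Submission) -> str:
    """Return 'accept' or 'reject' for one submission.

    Inbound delivery to a local recipient is always accepted. Transmission
    to a non-local address is accepted only when the sender authenticated;
    trusting the client machine's IP or domain is explicitly not enough.
    """
    if is_local(s.recipient):
        return "accept"
    if s.user_authenticated:
        return "accept"
    # Covers both the open-relay case (neither side local) and an
    # unauthenticated local sender mailing out, IP trust notwithstanding.
    return "reject"


def audit(submissions: list[Submission]) -> dict[str, int]:
    """Count how many submissions a compliant server would accept/reject."""
    counts = {"accept": 0, "reject": 0}
    for s in submissions:
        counts[relay_decision(s)] += 1
    return counts


# Constructed sample submissions, one per case the rule distinguishes.
SAMPLE = [
    Submission("a@ucop.edu", "b@ucop.edu", False, False),       # local to local
    Submission("x@example.org", "b@ucop.edu", False, False),    # inbound
    Submission("a@ucop.edu", "y@example.org", True, False),     # authenticated out
    Submission("a@ucop.edu", "y@example.org", False, True),     # IP trust only
    Submission("x@example.org", "y@example.org", False, True),  # open relay
]
```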

9. Authenticated Proxy Services

All network proxy servers on UCOP networks must require authentication from users before granting access. Note that some operating system or application software program default settings automatically enable proxy servers. These must be identified by the system administrator and reconfigured to prevent unauthenticated proxy services.