Minimum Standards for UCOP Network

Minimum Standards for Connecting Microsoft Windows-based Desktop Computers and Servers

Issued: January 26, 2005

The following requirements bring MS Windows-based computers into conformance with UCOP IT security requirements. The requirements apply to all MS Windows computers intending to connect to the UCOP network, including those owned by UCOP as well as other MS Windows computers used for University business purposes.

Please contact the Technology Service Desk if you are uncertain how to implement these requirements. These requirements may change; updates will be documented in the UCOP Electronic Information Security Policy, section IV, "Revision History."

In addition, Microsoft has extensive security recommendations for its products.

Windows-based Desktop Computers

Devices that fit the following criteria are subject to the minimum standards for connecting desktop and laptop computers to the UCOP network. (See the section below, Windows Servers, for additional requirements for servers.)

  • single-user device, such as a laptop or desktop computer, that does not perform file serving functions
  • device that operates with software that can be configured or modified from elsewhere on the network
  • device that does not contain any "restricted" data
  • device that does not provide an "essential" service

  1. IR&C may specify which version of the Windows operating system UCOP computers must utilize. Older versions may be vulnerable to attacks that cannot be mitigated. As of Fall 2004, Windows XP Professional with Service Pack 2 is highly recommended.
  2. All security-related software updates prescribed by IR&C, including but not limited to Windows Critical Updates and Service Packs, and security updates for any application with known vulnerabilities (such as Microsoft Office), must be applied immediately upon release.
  3. Antivirus software, e.g., Symantec AntiVirus, must be installed and active, and the virus definitions must be kept up-to-date. Antivirus software must either be managed by the central antivirus server or be configured for automatic virus definition updates.
  4. All computers must be configured to require a login upon booting or restart and before exiting "sleep" or screen-saver modes.
  5. The built-in local administrator account name must be renamed (it cannot be "Administrator"), and its password and all other passwords changed to meet or exceed the requirements of UCOP's password policy.
  6. The built-in local administrator account shall not be used as the primary user account. Normal user accounts, i.e., the accounts used to log into the computer for day-to-day operation, shall not be members of the local host's Administrators group.
  7. The Guest account must be disabled.
  8. Generic (shared) accounts and anonymous access must be disabled.
  9. All computers must be registered with the Technology Service Desk including their location, the MAC address of the NIC(s), and the names of the primary users. The computer name must follow the standard convention of department ID followed by first initial plus full last name of the primary user up to 8 characters (or a similar format that facilitates the identification of the computer's primary user). If the naming of the computer must deviate from the convention as dictated by the specific business use of the machine, it must be registered with the appropriate IT personnel along with the contact information of the primary user.
  10. Any server-type applications and services running on the computer must be inspected by the appropriate IT personnel for appropriate configuration with respect to security compliance prior to the computer's deployment.
  11. All software must be installed with prior approval of departmental IT personnel. IT personnel reserve the right to remove all unapproved software on UCOP-owned computers.
  12. E-mail, telnet, and/or FTP client software shall be configured so that authentication credentials are sent only over an encrypted channel (for example, SSL/TLS for e-mail and FTP, or SSH in place of telnet). Plain telnet and FTP transmit passwords in clear text and cannot be made to comply by configuration alone.
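The account and logon requirements in items 4 through 8 above can be verified rather than taken on trust. The following is an added example, not part of the UCOP standard; it is a read-only audit written for a current Windows host with PowerShell 5.1 or later (the LocalAccounts module), so it assumes a newer platform than the Windows XP era this standard was issued in. One caveat worth knowing when reading item 5: renaming the built-in administrator account does not change its well-known relative identifier (the SID ends in -500), so the script, like an attacker's tooling, locates the account by SID rather than by name. The rename is a minor obstacle; the password requirement is the substantive control.

```powershell
# Added example (not part of the UCOP standard): read-only audit of desktop
# items 4-8.  Requires PowerShell 5.1+ and the LocalAccounts module; run in
# an elevated session.  It reports findings and changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# Item 5: the built-in Administrator account is the one whose SID ends in the
# well-known RID 500, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
    $findings.Add('Item 5: built-in administrator account is still named "Administrator"')
}

# Item 7: the Guest account has well-known RID 501 and must be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    $findings.Add("Item 7: Guest account '$($guest.Name)' is enabled")
}

# Item 6: no ordinary user account may be a member of the local Administrators
# group (well-known SID S-1-5-32-544).  The RID-500 account itself is exempt.
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'
foreach ($m in $adminMembers) {
    if ($m.ObjectClass -eq 'User' -and $m.SID.Value -notlike '*-500') {
        $findings.Add("Item 6: user '$($m.Name)' is a member of local Administrators")
    }
}

# Item 4: the screen saver must be active and require a password on resume.
# These are per-user values under HKCU, so this checks the current user only.
$ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($ss.ScreenSaveActive -ne '1' -or $ss.ScreenSaverIsSecure -ne '1') {
    $findings.Add('Item 4: screen saver is off or does not require a password on resume')
}

# Item 8: anonymous (null-session) enumeration of accounts and shares must be
# restricted.  RestrictAnonymous=1 and RestrictAnonymousSAM=1 correspond to the
# "Do not allow anonymous enumeration ..." security options.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -ne 1 -or $lsa.RestrictAnonymousSAM -ne 1) {
    $findings.Add('Item 8: anonymous (null-session) enumeration is not restricted')
}

if ($findings.Count -eq 0) {
    'Desktop checks passed'
} else {
    $findings | ForEach-Object { "FAIL  $_" }
}
```

Run it as `.\Audit-Desktop.ps1` from an elevated prompt; each failing line names the item of this standard it corresponds to. Because the screen saver settings live in the current user's hive, run the script as each primary user (or query their loaded hive) to cover item 4 for every account on a shared machine.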

Windows Servers

Servers, including any computers performing file serving functions, running the Windows operating system may be connected to the UCOP network only if they meet both the requirements listed above for desktop and laptop computers and the following conditions:

  1. Servers must be registered with ITS using the UCOP server registration form available from the ITS Technology Service Desk. ITS will verify compliance with these requirements.
  2. Any server running critical services or on which sensitive data resides must be in a physically secure location, e.g., in a locked room or facility with restricted authorized access. See B&FB IS-3 for definitions of criticality or sensitivity.
  3. Dell OpenManage (or equivalent) must be installed.
  4. All unnecessary or unused services must be disabled.
  5. Server configuration must be fully documented.
  6. All server volumes must be formatted with NTFS, not FAT or FAT32; only NTFS supports file-level permissions, so the access controls in the next item cannot be applied otherwise.
  7. All NTFS file permissions must be changed to ensure that only authorized access is allowed for all files. In particular, the Everyone group must be carefully managed to prevent unauthorized access to restricted data.
  8. Any change to a registered server affecting compliance with these requirements must be reported to IR&C prior to implementation.
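Server items 4, 6 and 7 above are likewise checkable. The following added example (not part of the UCOP standard) audits them on a current Windows host with PowerShell 5.1 or later: it confirms every fixed volume is NTFS, walks a restricted-data tree looking for access control entries that grant rights to the Everyone group, and checks that services the configuration document lists as unnecessary are disabled and stopped. The data root and the service names are placeholders for this example; set them to the server's real restricted-data folder and to the services your configuration record says must be off.

```powershell
# Added example (not part of the UCOP standard): read-only audit of server
# items 4, 6 and 7.  Requires PowerShell 5.1+ (Get-Volume, Get-Acl,
# Get-Service with StartType).  $DataRoot and $UnneededServices are
# assumed values for this example; override them for the real server.
param(
    [string]   $DataRoot = 'D:\RestrictedData',
    [string[]] $UnneededServices = @('RemoteRegistry', 'SNMP', 'TlntSvr')
)

$findings = New-Object System.Collections.Generic.List[string]

# Item 6: every fixed volume with a drive letter must be NTFS; FAT/FAT32
# volumes cannot carry file ACLs at all.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object {
        if ($_.FileSystem -ne 'NTFS') {
            $findings.Add("Item 6: volume $($_.DriveLetter): is $($_.FileSystem), not NTFS")
        }
    }

# Item 7: flag any ACE in the restricted-data tree that grants (not denies)
# rights to Everyone.  Identities are translated to SIDs so the comparison is
# against the well-known SID S-1-1-0 and does not depend on display language.
if (Test-Path -Path $DataRoot) {
    Get-ChildItem -Path $DataRoot -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                if ($sid.Value -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Allow') {
                    $findings.Add("Item 7: Everyone has $($ace.FileSystemRights) on $($item.FullName)")
                }
            }
        }
} else {
    $findings.Add("Item 7: data root '$DataRoot' not found; no permissions audited")
}

# Item 4: each service on the unneeded list must be stopped and disabled.
foreach ($name in $UnneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')) {
        $findings.Add("Item 4: service '$name' is $($svc.Status), start type $($svc.StartType)")
    }
}

if ($findings.Count -eq 0) {
    'Server checks passed'
} else {
    $findings | ForEach-Object { "FAIL  $_" }
}
```

Run it as `.\Audit-Server.ps1 -DataRoot 'E:\Shares\HR' -UnneededServices 'SNMP','RemoteRegistry'` from an elevated prompt. Inherited Everyone entries appear once per file, which is deliberate: the report shows exactly where an over-broad grant lands, so the output doubles as the permission documentation item 5 calls for.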

Minimum Standards for Connecting Apple Macintosh Desktop and Laptop Computers

January 26, 2005

The following requirements bring Apple Macintosh computers into conformance with UCOP IT security requirements. If you are uncertain how to implement these requirements, please contact your departmental PC coordinator. These requirements may change; updates will be documented on the Web site, IT Policies at UCOP.

Devices that fit the following criteria are subject to the minimum standards for connecting desktop and laptop computers to the UCOP network.

- Single user device, such as a laptop or desktop computer, that does not perform file serving functions

- Device that operates with software that can be configured or modified from elsewhere on the network

- Device that does not contain any "restricted" data

- Device that does not provide an "essential" service

  1. All Macintosh computers must be running Mac OS X version 10.3 or later. All security-related software updates released by Apple or by third-party application vendors must be applied within the time guidelines set by IR&C. It is highly recommended that Apple's automatic Software Update be turned on and set to check daily.
  2. Norton Antivirus for Mac (produced by Symantec) software must be installed and active and the virus definitions must be kept up-to-date. Antivirus software must be configured for automatic virus definition update.
  3. The Apple built-in firewall (see Sharing under System Preferences) shall be turned on and configured to allow only the minimum required services. File Sharing, if required, must be restricted to the UCOP local network. Client FTP, if needed, must use "passive FTP mode," configured under Network Preferences; in passive mode the client opens the data connection itself, so the firewall does not have to accept inbound connections from the FTP server.
  4. All computers must be configured to require a login upon booting or restart, and before exiting from "sleep" or screen saver modes.
  5. All local account passwords must meet or exceed the requirements of UCOP's password policy.
  6. All computers must be registered with the Technology Service Desk including their location, the MAC address of the NIC(s), and the name(s) of the primary user(s). The computer name must follow the standard convention of first initial plus full last name of the primary user (or a similar format that facilitates the identification of the computer's primary user). If the naming of the computer must deviate from the convention as dictated by the specific business use of the machine, it must be registered with the appropriate IT personnel along with the contact information of the primary user.
  7. Any server-type applications and services running on the computer must be inspected by the appropriate IT personnel for appropriate configuration with respect to security compliance prior to the computer's deployment. Any server-type applications not required by the intended use of the computer shall be disabled or removed.
  8. All software should be installed with the approval of departmental IT personnel. IT personnel reserve the right to remove all unapproved software on UCOP-owned computers.
  9. E-mail, telnet, and/or FTP client software shall be configured so that authentication credentials are sent only over an encrypted channel (for example, SSL/TLS for e-mail and FTP, or SSH in place of telnet). Plain telnet and FTP transmit passwords in clear text and cannot be made to comply by configuration alone.
  10. ITS may define a list of software that is not allowed on computers attached to the UCOP network. Any such software must be removed from the computer before it is allowed to connect to the UCOP local network.