Proposed UW Minimum Computer Security Standards From C&C 28 Jan 2005 Draft.

2 Background
80K computers, plus more used from outside
Compromised computers are a threat to neighbors and any other connected computers
Computing devices must be managed in order to be allowed access to the network and network services

3 Goals
Prevent computing devices from:
–being accessed or used by unauthorized entities
–causing harm to other computers at UW or elsewhere
–causing harm to the UW network or other networks
Nongoal: information security
–to be standardized later

4 Applicability
Device is:
–owned by UW
–directly connected to the UW network
–accessing the UW network via:
  UW dial-in
  wireless access point attached to the UW network
  VPN connection, if effectively part of the UW network
Audience: sys admins and computer owners

5 Minimum Standards by Type
Devices must not be attached to the network unless protected by a firewall or properly managed
Types:
–servers, desktops and laptops
–PDAs and smartphones
–office machines
–specialized computing equipment
–firewalls
Exemptions: intrusion detection, security research

6 Servers, Desktops, Laptops
Control access via good passwords and, optionally, secure tokens
Disable/block all unnecessary network services
–Servers: allow only traffic essential for services
–Desktop/laptop: block unsolicited connections
Use only operating systems for which security updates are readily available, or put the device behind a firewall

7 Servers, Desktops, Laptops (cont)
Enable auto-patching if provided, or provide other configuration management
Install security updates for applications, too
Don't install software which grants unauthorized users access to non-public data
Counteract malicious software via antiviral programs, spyware removal programs, etc.
Enable logging, and periodically review logs
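The host firewall rules the two slides above call for (servers: only traffic essential for their services; desktops and laptops: no unsolicited inbound connections; dropped traffic logged for later review), written as an added example that generates an nftables ruleset and is not part of the C&C draft. The profile names, the port list and the `nft-drop:` log prefix are assumptions of this example.

```sh
#!/bin/sh
# Generate a stateful default-deny nftables ruleset for one of two profiles.
#   server  <port>...  : accept new TCP connections only on the listed service ports
#   desktop            : accept no unsolicited inbound connections at all
# Both profiles allow loopback and replies to connections the host itself started,
# and log what the default-deny policy drops so the logs can be reviewed periodically.
# Usage (hypothetical paths): gen_ruleset server 22 443 > /etc/nftables.conf
#                             nft -f /etc/nftables.conf
gen_ruleset() {
    profile="$1"
    [ $# -gt 0 ] && shift
    case "$profile" in
        server|desktop) ;;
        *) echo "gen_ruleset: unknown profile '$profile'" >&2; return 1 ;;
    esac
    echo "flush ruleset"
    echo "table inet filter {"
    echo "  chain input {"
    echo "    type filter hook input priority 0; policy drop;"   # default deny
    echo "    iif lo accept"                                      # local traffic
    echo "    ct state established,related accept"               # replies to our own connections
    echo "    ct state invalid drop"
    if [ "$profile" = "server" ]; then
        # Only the essential service ports accept new connections.
        for port in "$@"; do
            echo "    tcp dport $port ct state new accept"
        done
    fi
    echo "    log prefix \"nft-drop: \" counter drop"             # record what the policy rejects
    echo "  }"
    echo "  chain forward {"
    echo "    type filter hook forward priority 0; policy drop;"  # an end host does not route
    echo "  }"
    echo "  chain output {"
    echo "    type filter hook output priority 0; policy accept;"
    echo "  }"
    echo "}"
}
```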

8 PDAs and Smartphones
As viruses and worms become more commonplace, since no other method is available:
–keep up with security bulletins
–update as needed

9 Office Machines
Printers, copiers and fax machines on the network may have software faults that allow compromise or can cause damage
Auto-patching and use of integral firewalls may not be an option
May be difficult to detect when compromised, but when detected: remove from the network until repaired, or put behind a firewall

10 Specialized Computing Equipment
PI or unit head is responsible
Still must be protected from attack or exploit
May require external security appliances (e.g. firewalls and VPN)

11 Security Audits
All devices covered by the standard are subject to audit at any time; cooperation is "expected"
Periodic reviews by UW Internal Audits include:
–interviews and inspection of documents showing adherence to procedures
–technical means such as vulnerability scans
Examine not only the minimum standards, but information security standards and best practices
–others besides those responsible must conduct reviews
Departments are expected to conduct periodic reviews

12 Consequences
Noncompliant devices are disconnected
Responsible parties may be subject to a reconnection fee
Disconnection could be automatic or from manual intervention
PASS Council may take action if there are multiple incidents or willful disregard
