
IT POLICIES & PROCEDURES

Introduction

The Auburn University College of Veterinary Medicine Network is comprised of UNIX database servers, UNIX academic servers, a UNIX database application server, two Windows 2003 Active Directory servers, one Windows 2003 print server, one Windows 2003 instructional server, and one Windows 2003 utility server for rebuilding lab and classroom machines and patching the CVM network. These machines are connected to the Auburn University network.

In addition, the college has many personal computers, most of which are also connected to the network. Most of these PCs are configured so that users may save files on the servers as if the files were stored on the PC (e.g., the H and G drives on Cvm3).

Some of these PCs are connected to laboratory and scientific instruments. Many of the PCs and servers contain valuable and sensitive data. For that reason, one of the main duties of the Computer Group is to protect the security of the machines and data, while providing the maximum convenience and freedom of use consistent with adequate security.

This document is the official policy that was recommended by the Computer Information Systems Advisory Committee and was approved in 2000 with technical updates in 2004. This statement is in accordance with a similar statement of policies of the Division of University Computing at http://www.auburn.edu/oit/policies/network_policy.php


Reasons for a Security Policy

Security is a constant battle between the extremes of paranoia and chaos. Our task is to find a reasonable balance.
     
We have all heard reports of attempts to break into various computer systems. We at the CVM do observe frequent attacks on our network. Some attempts may be designed to steal data, some may be designed to corrupt data, and others may be designed to deny usage of computer systems to legitimate users (e.g., by flooding their inbox with so much mail that important mail is lost, or the disk storage is filled). Some are so-called "innocent" attempts just for the fun of it, but those can be equally harmful.

Some people may not have any sensitive or important information on their PC, and may wonder why they should worry about security. Here is the problem: If any one of the machines on the network is insecure, then all the machines on the network can be compromised. Following these policies will help assure (although not absolutely guarantee) our ability to provide continuous and reliable service to the college.


Physical Security

Any computer which is connected to the network is a potential site for an attack. This is especially true if someone leaves a computer without logging out. But it is even possible for malicious people to plug a device called a sniffer into a network jack and begin looking for passwords transmitted over the network.
    
Certain operating systems also provide similar opportunities for mischief or accidental harm.


Unauthorized Use

POLICY: Breaking into another person's account is a serious violation which will result in terminating the account and may result in other disciplinary action. These violations include cracking passwords, modifying other users' files without permission, or reading other users' files without permission, even if those files are readable or writeable. The prohibition against reading files does not apply to files provided for public access in publicly accessible directories (e.g., anonymous FTP, WWW, etc.).
       
The only other exception is for Computer Group staff who may have to access a user's files in order to solve a user's problem, scan for viruses or malicious programs, or correct other network problems. Other than that exception, the same policy applies to Computer Group staff.  They will not read users' files and will keep confidential any information which they may happen upon in performing their official duties.
       
Users should understand that the CVM computer system is for official and legal use. While the administration and staff do not routinely monitor individual activity, they will cooperate with law enforcement officials or other officials. As a general rule of thumb, if you don't want to read about it in the newspaper, don't put it on a computer network.


Account Sharing

POLICY: Account sharing (two or more users using the same account) is a violation of CVM policy. If an account is being shared by two or more persons, the account is subject to being deactivated. This does not preclude users sharing files.
       
WHY: All accounts are assigned to an individual. That person is responsible for the account. If you permit others to use your account, then you could be held responsible for violations by another person.
       
EXCEPTION: Supervisors may assign a designated employee to access their E-Mail and other such files.
       
NOTE: The Computer Group can show you how to control access to your files, and can set up groups to make file sharing more convenient.


Network Services on Workstations and Personal Computers

POLICY: On the CVM network, network services (FTP servers, WEB servers, etc.), Windows NT based servers (Windows NT/2000/2003), Novell servers, or Linux may be operated only on machines administered by the Computer Group.
       
WHY: The act of running network services can result in a compromise of not only the machine the services are running on, but the CVM Network as a whole. 

Any time a host is sharing resources, it makes it easier to gain control of that machine remotely. In the cases of TCP services (web servers, FTP servers, shell servers) this could allow any of the millions of computers connected to the Internet to attempt to take control of the host. New vulnerabilities are found every day. These vulnerabilities will allow malicious persons anywhere on the Internet to take control of your machine, usually without your knowledge or consent.
       
With a machine under their control, they can do anything you can do, including reading or changing your files and mail. They could also use your machine to launch attacks on other hosts, such as Vetsun, Mallard, or even Garfield. Any illegal activities they perform on your machine would appear to have been done by you. Not running these services makes it much more difficult for someone to take control of your computer or other computers on our network.
       
IMPLICATIONS: This policy, the same as the policy in the College of Engineering, means that individuals will not be permitted to set up a WEB server on a Windows NT based server or Linux machine running on a PC.
       
ALTERNATIVES: The Computer Group has set up a way for you to create WEB pages which are accessible only by UserID and Passwords which you can create yourself. For instance, a lab which wants to post lab results for clients can already do that easily and securely. You can also make WEB pages which are accessible only from certain subnets (e.g., the CVM campus). We would be happy to demonstrate how to do this.
       
EXCEPTION: If for some reason the Computer Group cannot provide the service you need, then it is possible for you to create a separate network which is protected from the rest of the network by a firewall. The Computer Group will do anything feasible to provide the service you need, so that you will not have to resort to this option. If setting up your own server is your only option, then the Computer Group will offer advice. This type of setup may require substantial costs for implementation. However, your main interface would be with Telecom.


Operating Systems

POLICY: Windows NT based workstations including Windows NT/2000/XP must be coordinated through the Computer Group, and the Computer Group must have the administrative account on the machine and physical access to the machine. "Physical access" means that the Computer Group Manager and Network Administrator will be listed for access with Campus Security. Linux machines, Windows NT based servers, and Novell servers are not permitted unless administered by the Computer Group. Those who operate Windows NT based workstations may not set them up as servers.
       
WHY: Certain operating systems (e.g., Windows NT/2000/XP) have built in services which could pose a threat to the network. If such a problem develops, it may become necessary to disconnect the machine from the network, which requires physical access.


File Sharing Between Personal Computers

It is possible for certain operating systems (e.g., Windows 98/2000/XP) to be configured so that files may be shared between two computers. This is not prohibited. However, any file shares must be set up to require a password. It is possible to misconfigure such a setup so that the computers cause network problems. In those instances it may be necessary for the Computer Group to disconnect the machine from the network until the problem is corrected.
       
RECOMMENDATION: If you want to set up such sharing between PCs, submit a help request on the Computer Group website, http://www.vetmed.auburn.edu/help, and someone will help you set it up so as not to interfere with other users or accidentally make your machine more vulnerable to attack.


Connecting Computers to the Network

POLICY: Connection of computers, terminals, or printers to the network must be done by the Computer Group and set up in accordance with current technical network standards. All Windows NT based machines hooked to the network will be joined to the CVM domain.
       
WHY: Each computer on the network is assigned a unique permanent address called an IP address and a unique name, which are associated in a CVM database with the unique identifier in the network card. If you accidentally configure your computer with the wrong IP address, then you could deny usage to the legitimate user of that address. Incorrect IP addresses or computer names can be very difficult to track down.


Local Area Networks

POLICY: Local Area Networks cannot be attached to the Auburn University network.

EXPLANATION: Telecom has moved the entire University campus to a switched network environment. The environment is not compatible with separate individual LANs. If you need to have a separate network set up, you must consult with the Computer Group and Telecom to see if a solution can be provided; however, this may come at a great expense.


Control of File Access

POLICY: Users are responsible for control of file access in their home directories (drive H) or group directories which they administer.
       
EXPLANATION: Directories and files have access which can be controlled for the owner, the group, or the world. The default settings are for the owner to have read and write access to directories and for the group and the world to have read access (except to the mail subdirectory). You may change this using the Change Mode (chmod) command from the UNIX prompt. You can also configure your PC so that any file you save to a network drive will have whatever permissions you choose. Contact help@vetmed.auburn.edu for help in using the chmod command or help modifying the permissions of files you save. For an explanation of permissions, type "man chmod" at the cvm4% prompt.


Use of E-Mail Inbox

POLICY: Users should regularly delete or move the contents of their Inbox.
       
WHY: Messages in your Inbox are not stored in the same location as other files on your home drive (drive H). Large Inboxes clutter the server and bog down the system.
       
SUGGESTION: Make folders for various subjects or people and periodically either delete files in the inbox or save them to the folder.


POP/IMAP Mail

POLICY: Post Office Protocol (POP Mail) and IMAP are supported only from machines physically connected to the CVM network.
       
WHY: The Division of University Computing has recently established this policy to prevent spammers from relaying junk mail.
       
IMPLICATIONS: Certain Internet Service Providers use a different IP address for the customer each time. This means that programs such as Eudora, Outlook, etc., cannot be used from those services. You can access your email offsite through a web page based email client. The address is https://www.vetmed.auburn.edu/webmail.


Public Labs

In June, 1998 the CVM implemented a policy which requires users in the Student Computer Lab to validate through a server on which they have an account. This is the same policy O.I.T. uses in public labs. Users must validate before they can even use the computer as a local PC. Each user must enter a valid UserID, Password, and Domain.

IMPLICATIONS: Users in public labs should be careful to log off the computers when they finish.  Users in private offices should follow similar precautions.


Remote Access of Personal Computers

POLICY: Anyone on the CVM Network who establishes a computer which can be controlled by remote access must inform the Computer Group so that they may assess whether the system provides adequate security. The UserID and password should not be the same as your regular UserID and password unless you are using built-in secured Windows authentication.
       
WHY: Several remote access programs (PCAnyWhere, Remote Desktop, CarbonCopy, LapLink, Close-Up, etc.) permit you to remotely connect to your office PC and control it as if you were sitting at the PC. If you leave your office PC logged into the network, then anyone who connects remotely to your office PC is automatically logged into the network. This would expose the entire network to an attack by an unauthorized user. Unfortunately, the default setup of some of these programs (e.g., PCAnyWhere) requires no UserID or PassWord, which means that anyone who tried to connect to your system would have direct access. While the Computer Group will test the security of such programs, these programs are not officially supported. Those who use them are responsible for their installation, operation, and security.


Use of Network Resources

POLICY: Space used on the CVM file servers will not be used to install programs or save backups of PC hard drives. OIT provides a Tivoli (ADSM) backup service to those who request it.  This space is primarily available for data storage directly associated with the mission of the College of Veterinary Medicine.
       
WHY: There is simply not enough space for users to be using Cvm3 for backups. Personal computer hard drives are much cheaper than Sun storage array disks. Saving large amounts of data uses resources that are shared by everyone. If you fill up your home drive, you also fill up every user's home drive in the college.


.rhosts files

POLICY: No usage of .rhosts files will be permitted. Usage of .rhosts files is grounds for account deactivation.

WHY: .rhosts files allow unauthenticated persons to have user access to a host machine. This has the same effect as account sharing.


Email Clients

POLICY: The Computer Group supports e-mail on the CVM server. We also can provide limited support for GroupWise on the central OIT server.


Deactivation Of Accounts

POLICY: Under rare circumstances it may be necessary for a Computer Group employee to deactivate a user's account without prior notification. For instance, if a user fails to log in successfully after a certain number of attempts, that may indicate someone is trying to break into the account. In such instances the user would receive a notice to contact the Network Administrator. The Network Administrator would then help the user fix the problem and would reactivate the account.


Policies Pertaining to Computer Group Employees

POLICY: Certain Computer Group employees have the technical ability to access files that other users cannot access. This access is necessary for them to perform their duties. However, this does not imply that these employees may access other users' files except in the performance of their official duties. They may scan the network for viruses, scan for misconfigurations, scan for the existence of malicious or prohibited files or programs, or perform other similar duties. They may not arbitrarily examine users' files for other reasons. They will keep confidential any user's files which they happen upon in the performance of their official duties.

Whenever the contents of a user's data files (not including configuration files or executable files) are manually viewed (read) by a member of the Computer Group without the knowledge of the user, timely notice will be given to the user describing the file, when it was viewed, and whether any problems were found in the file. Such notice will not be given when files are electronically scanned by system monitoring tools in the normal course of maintaining and monitoring the system.
       
The Computer Group will periodically remind users of current policies, including policies on monitoring.
       
Although the Computer Group will exert its best effort to safeguard data stored on the network, employees are not liable for damages resulting from security or loss of data.  The ultimate responsibility for safeguarding data rests with the user, through proper security and archival procedures.


Sensitive Information

POLICY:  Users must observe caution in the use of the network for storing sensitive information, and are responsible for observing any legal limits or policies of organizations with whom they interact.
       
WHY: It is always possible that, despite all our efforts, some data could be accidentally disclosed, or some malicious person could gain access to information.  For those reasons, users are advised not to store especially sensitive information on the network (on group directories or home directories, e.g., G or H drives).

NOTE: These same security issues are present for any personal computer that is connected to the network.


Technical Standards

POLICY: The Computer Group will establish certain technical standards as needed.  As examples, they may specify certain network client setups, computer naming conventions, etc., in order to reduce network traffic and provide the best network performance.


World Wide WEB

POLICY: While the College tries to keep departmental WEB pages accurate, the pages are not peer-reviewed and are not guaranteed to be accurate or complete. In the spirit of academic freedom, personal WEB pages (usually containing a tilde, ~, in the URL) are controlled by the individual authors, who are solely responsible for their content.


Passwords

A password policy will be enforced for all network accounts. This policy follows the SANS Institute recommendations for strong passwords. The policy requires that all passwords are between 6 and 8 characters and that they contain at least 1 number, 1-3 capital letters, 1 lower case letter, and they cannot be based on a dictionary word.
        
SUGGESTIONS: Change your password occasionally.  At a minimum this should be done once a year.


Monitoring your Account

Each time you log in through SecureCRT, the system will tell you when you last logged in and what computer you used. Check this each time you log in. If you see the name of an unknown computer, then someone probably has broken into your account. Inform the System Administrator and change your password immediately.


Printing

You may have access to one of several departmental printers located on the network. Send a message to help@vetmed.auburn.edu for assistance in using them.

The printers in the student lab are not intended as replacements for departmental copying machines. Please do NOT ask students to go to the lab and print out your handouts or presentations.


Access to Network and Computers

A. Student Lab: The student lab in Overton Auditorium is primarily for use by CVM students for official instructional use. It is also available for other student usage, such as E-Mail and accessing the Internet. This is not a public lab, and is not available to non-CVM students. Students who are doing assigned work have priority. If you are using a computer for non-assigned work, please yield to a student who needs to use the machine for an assignment.
        
B. ISP Access: You may connect to the network in a graphical mode from any Internet Service Provider (ISP). Your ISP should provide you with instructions and software. You may also SSH directly to the A.U. network from any computer on the Internet or from any ISP using SecureCRT or other character-based programs.

C. Personally-owned Computers: Personal computers, such as laptops, can be configured to connect to the Auburn University network. However, these computers must be set up on the network by the Computer Group. Personal machines must meet the same requirement for network access that all other machines must meet.

Due to limited resources the Computer Group cannot be held responsible for any problems that may occur as a result of the machine being set up on the network. Also, the Computer Group cannot work on personal machines for reasons other than network related setup and troubleshooting. If you decide to bring in your own personal equipment you do so at your own risk.


Questions or Comments
Any technical questions, suggestions, or bug reports regarding this site should go to Bill Lacy (lacywil@vetmed.auburn.edu) or Ashley Burt (burtash@auburn.edu). Questions on policy issues may be sent to Dr. Charles Branch (branch@auburn.edu).


© Auburn University, College of Veterinary Medicine