Department Guidelines on Self-Administered Machines
For the purpose of these guidelines, “self-administered machine” shall refer to any machine (server, desktop workstation, or laptop computer), regardless of operating system or applications, that will be networked or allowed to share data with any departmental or University machine regardless of medium (network or removable storage medium), and that will be set up and/or maintained, in whole or in part, by its owner and/or a third party other than qualified departmental technical support staff. This includes, for example, privately owned laptops owned by students or staff that will be connected to a departmental or University network.
The Department of Computer Science would prefer that owners rely on our technical support staff for the set-up and ongoing maintenance of all machines used within the Department, in support of teaching and research. However, we recognize that there may be cases where more control may be required by the owner or a third party, to deal with exceptional situations in a timely manner, without adversely impacting the teaching or research goals of the machine, and that owners may therefore opt for self-administration.
In order to avoid adversely impacting on the rest of the Department or the University, the following guidelines will be followed, in all cases where they are applicable, by owners of self-administered machines:
- Installation and set-up of the machine will be done after some consultation with departmental technical support staff, to assure that initial or potential problems are addressed. Technical support staff will also be consulted anytime the owners or maintainers of the machine are unsure of what security or maintenance procedures need to be followed.
- All networked machines should have their MAC address registered with our technical support staff, and should be configured to obtain an IP address using DHCP. Manually assigned IP addresses are not to be used on a departmental network at any time without the prior approval by the technical support staff.
- Installation of all vendor-supplied security-related software updates or patches will be done on a regular and timely basis, as they become available. This includes maintaining up-to-date anti-virus software on all applicable systems. This remains the owner’s responsibility, but support staff may assist in this task if requested.
- Information about security-related updates for the applicable software will be obtained on a regular and timely basis, by whatever means available and applicable that are deemed most reasonable, e.g. subscription to a mailing list, consulting applicable news groups or web sites.
- Technical support staff will be consulted for authorization prior to any changes in machine configuration which may impact the network or other machines, such as setting up network services, file sharing services (WWW, FTP, Peer-to-peer, or any other similar service).
- Before adding any wireless equipment, router, firewall hardware, or other networking device, technical support staff should be contacted, and they will in turn notify IST/ACN if appropriate.
- Technical support staff should be provided with access to the machine, including administrative-level access, at setup time, to allow rapid response if/when problems occur. If this is not done, immediate disconnection of the machine from departmental and university networks is to be expected if problems arise, and re-connection will not be permitted until all problems are satisfactorily resolved.
- Technical support staff will be allowed to perform security analysis on the machine, either locally (by logging into the machine) or remotely (using appropriate network monitoring and scanning tools), periodically or as required. Technical support staff will report any vulnerabilities thus discovered to the machine’s owner.
- Reasonable access control mechanisms will be used to ensure that the machine is accessible only to authorized users. This would include controlling physical access to the machine, use of secure and private passwords by all users, and disabling of any vulnerable accounts, such as guest accounts or other similar initial accounts with weak passwords or no passwords at all, and/or whatever other access control is appropriate for the software being used.
- If the maintenance of a system is delegated to someone other than the owner (for example, to a graduate student), the technical staff should be informed of this delegation. In case of problems caused by improper maintenance, the responsibility remains with the owner.
Failure by the owner or designated third parties to comply with these guidelines can result in immediate removal of the affected machine(s) from the network. Other subsequent actions may be taken by the technical staff after consultation with the Department Head for approval. Technical support staff reserve the right to take reasonable measures to address problems that do arise, without the owner’s explicit permission, if the problems affect other machines or users of the network. The Department reserves the right to restrict or deny further access to the network by the affected machine(s) if problems are not addressed.