Greater Saskatoon
Catholic Schools
I.T. Networked Devices Standards
1.0 Overview
In order to ensure the security of the GSCS network, and all users connected to
the network, all devices attached to the network must meet minimum security
requirements as defined in these stardards.
2.0 Purpose
The purpose of this document is to specify guidelines and requirements for all
devices connected to the GSCS network.
Any connected device must meet the requirements listed in this policy
prior to being allowed on the GSCS network, with access to network resources.
The only exclusions to these standards are those devices
which will connect only to the GSCS Guest Network.
3.0 Scope
These standards apply to any device which is connected to any GSCS network,
excluding the GSCS Guest Network.
The GSCS mandates that all devices connected to the GSCS
network comply with the requirements defined in Section 4.0 of this document.
Compliance with this policy helps protect not only the individual device, but
also other devices connected through the electronic communications network. The
standard is intended to prevent exploitation of GSCS resources by unauthorized
individuals, including the use of GSCS resources by unauthorized individuals to
attack other systems on the GSCS electronic communications network or the
Internet.
4.0 Standards
4.1 Software Patch
Updates
GSCS networked
devices must only run software for which security patches are made available in
a timely fashion. All currently available security patches must be applied on a
schedule appropriate to the severity of the risk they mitigate.
4.1.1
Description of Risk
Security exploits in
software are uncovered on a daily basis. Vulnerabilities in software may be
exploited to compromise systems resulting in data theft or the use of
compromised systems to launch attacks.
4.1.2
Recommendations
Effective patch
management requires a process to identify vulnerable software, evaluate
available patches, test and deploy those patches, and confirm their successful
installation. Most operating system (OS) vendors include a solution for
patching, but such solutions typically cover only the OS itself. It is critical
to supplement these solutions with application patching.
GSCS owned equipment
is patched via automated processes for all authorized and installed software
applications, alleviating the end user of any requirement for manual
intervention.
For non-GSCS owned
equipment, the end user is responsible for maintaining all patch updates. The
GSCS reserves the right to deny access to any devices found that are not
running the latest patch revisions
4.2 Anti-malware
Software
For devices for which
anti-malware software is available, anti-malware software must be running and
up-to-date. In addition, the software must run real-time scanning and/or scan
the device regularly.
4.2.1
Description of Risk
Malware is short for
“malicious software” and broadly describes all software that is designed to
provide unauthorized access or perform unauthorized actions on a system. The
impact of malware can range from minor system performance issues to complete
hard drive deletion or even full, remote control of a system by an attacker. It
is important to detect malware before it infects a system.
Anti-malware is a
standard and necessary layer of protection for networked systems and an
anti-malware product is available free of charge to campus students, staff and
faculty. Ensure that the software receives regular signature updates. These
updates contain information about new viruses and are often delivered multiple
times per week.
While anti-malware
software provides significant protection against malware of all types, it is
not 100% effective. Requirement 4.7 “Privileged Accounts” provides
additional protection against malware which may not be detected by anti-malware
software.
4.2.2
Requirement
All devices connected
to the GSCS network, for which anti-malware software is available, must have it
installed and running.
4.2.2.2
Enable real-time scanning
In order to detect
malware before they are able to infect a system, enable real-time scanning.
Real-time scanning will analyze files and programs as they are copied to a
system in order to prevent the user from unknowingly becoming infected.
4.2.2.3
Edge Cases
This section covers
those devices, such as servers, where real-time scanning creates unacceptable
performance issues.
Some servers, or
other network attached devices, may be operating in an environment where
real-time scanning negatively impacts the performance of the services. In these
cases, ensure that all clients connecting to the server are running
anti-malware software with real-time scanning enabled and schedule anti-malware
scans for the server or device on a weekly basis.
4.3 Host-based
Firewall Software
For Microsoft
Windows, Mac OS X, or Linux/Unix devices for which host-based firewall software
is available, host-based firewall software must be running and configured to
block all inbound traffic that is not explicitly required for the intended use
of the device. Use of a network-based firewall does not obviate the need for
host-based firewalls.
Insufficient
restrictions on system access over the network increases exposure to attack
from viruses, worms, spyware, and may also facilitate undesired access to
resources. Not having a rule which denies incoming traffic by default
unnecessarily exposes a system to compromise.
4.3.1
Requirement
4.3.1.1 Outbound
traffic
Many times firewalls
are configured such that rules are only placed on inbound traffic and allow all
outbound traffic. Restricting outbound traffic provides an additional layer of
security against misuse or data loss in the event of a compromised host and should
be used where appropriate.
4.3.1.2 Log
firewall activity
A firewall will
reduce the likelihood of compromise, but cannot prevent all attacks. Firewall
logs, if enabled, can be used to identify successful attacks. In the event of a
system compromise, these logs are used in forensic analysis to determine the
extent of the compromise and nature of the attack.
Enable logs; retain
at least 30 days of data; and collect at least source and destination IP
addresses and ports, application, protocol, direction, date and time, and rule.
Log files should be
read only, and with write access granted only to the firewall service account.
4.3.1.3 Allow
incoming traffic from the SNS security scanners
Configure your
firewalls to allow network based scanning by System and Network Security (SNS) vulnerability scanners. SNS will
scan hosts on the campus network determining if hosts are vulnerable to common
network threats or if a system appears to have been compromised.
4.3.1.4 Limit
remote desktop access
If remote desktop
access to the host is required, limit remote desktop access to a finite number
of IPs and/or subnets. If the device must be accessed from off-campus, use the
campus VPN pool for remote connectivity.
4.4 Use of
Authentication
Network services and
local (console) device access must require authentication by means of
passphrases or other secure authentication mechanisms unless the explicit
purpose of the service/device is to provide unauthenticated access (for
example: public web servers or public kiosks) and it can do so without readily
allowing it to be used by attackers. Notably, the following network services
must require authentication: proxy services, email (SMTP) relays, wireless access
points, remote desktop, SSH shell access, and printer administrative
interfaces.
Simple devices like
printers, game consoles, DVR’s, media extenders, network attached storage, and
router/firewalls that don't support local authentication are exempt from this
requirement provided that physical access is restricted. This exemption does
not extend to network-facing services running on the device.
Wireless access
points must require strong encryption to associate (such as WPA2), or use a
captive portal or some other strong mechanism to keep casual users near the
access point from using it to get full access to the campus network. WEP or MAC
address restrictions do not meet this requirement.
4.4.1
Description of Risk
Authentication keeps
unauthorized people from using your computer or device. Any computer or device
on the campus network that runs unauthenticated, exploitable network services
is likely to be found by attackers and compromised or abused.
Requiring
authentication to log on to the physical console of your computer may also help
stop people with casual access to your system from installing malware or
stealing your data.
Any network service
that could be used maliciously should be protected by authentication. When
implementing, ensure that authentication methods comply with Requirement 4.8, “Unencrypted
Authentication.”
Full-featured
operating systems like Windows, Mac OS, or Linux must be configured so that all
user accounts have passphrases, and those passphrases are required to login to
the system locally or to use the system remotely (via Remote Desktop/VNC, file
and print sharing, or other services).
4.4.2 Requirement
Network services
running on campus devices must be configured to require authenticated access by
means of passwords or other secure authentication mechanisms unless the
explicit purpose of the service is to provide unauthenticated access (for
example: public web servers) and can do so without readily allowing it to be
used by attackers.
Network services
which are commonly used by attackers and, therefore, must not allow
unauthenticated access include: proxy services, email relays, wireless access
points, remote desktop, SSH shell access, or printer administrative interfaces.
4.4.2.1 Email
Authentication
Email (SMTP) servers
that support encryption and authentication (SMTP AUTH) must require their use
before accepting messages to be relayed to the world. When that is not
possible, other options such as transport mode IPSec should be considered
before falling back to using firewalls to allow unauthenticated access for
specific device IP addresses on trusted subnets.
4.4.2.2 Proxy
Servers
Proxy servers must
require authentication before forwarding or relaying traffic to other hosts.
When that is not possible, other options such as transport mode IPSec should be
considered before falling back to using firewalls to allow unauthenticated
access for specific device IP addresses on trusted subnets.
4.5 No Unencrypted
Authentication
All network-based
authentication must be strongly encrypted. In particular, insecure services
such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted
equivalents.
Traffic for one-time password authentication systems (e.g., S/Key, OPIE,
SecureID) is exempted from this encryption requirement.
Anonymous FTP servers
or other services where authentication credentials are requested but not used
are exempt from this requirement.
4.5.1
Description of Risk
Unencrypted
authentication exchanges present the possibility that credentials can be
intercepted by attackers and used to gain authenticated access to the system.
4.5.2
Requirement
All
network-based authentication must be strongly encrypted.
In particular,
historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be
replaced by their encrypted equivalents.
Traffic for one-time
password authentication systems (e.g., S/Key, OPIE, SecureID) is exempted from
this encryption requirement, because its exposure does not compromise the
integrity of the underlying authentication system.
Anonymous FTP servers
or other services where authentication credentials are requested but not used
are also exempt from this requirement.
4.5.2.1
Legacy Windows Authentication
Eliminate use of LM
and NTLM (v1) in favor of NTLMv2 or Kerberos.
4.5.2.2 Replace
Services With Their Encrypted Equivalent
Replace FTP with scp,
sftp or ftps. Replace telnet with ssh. After replacing services with weak or
unencrypted authentication with their secure equivalents, disable and if
possible remove the replaced services.
4.6 No Unattended Console Sessions
Unattended computers
must be locked to prevent unauthorized access.
4.6.1 Description of
Risk
Unattended consoles
represent a significant risk to the organization, as unauthorized users can
gain access to system and data that they may normally be prohibited from
accessing. This can compromise the overall security of the network and users on
the network. It can also represent a
significant compromise of the Canadian Information and Personal Privacy Act, as
the unauthorized user could potentially access restricted personal data.
4.6.2
Requirement
Devices must be
configured to "lock" or log out and require a user to re-authenticate
if left unattended for more than 15 minutes, except in the following cases:
4.6.2.1 Devices
without auto-locking/logoff capability
Devices that do not
support a configuration that automatically locks or logs off users after a
specified period of time (such as network appliances and consumer electronics)
may meet this standard through alternate controls, such as physical access
restrictions (e.g., appliance stored in a locked office).
4.7 No Unnecessary
Services
If a network service
is not necessary for the intended purpose or operation of the device, that
service must not be running.
4.7.1
Description of Risk
By definition,
running a network service on a device provides an avenue for communications
with other devices where one did not previously exist. Any service may be
subject to software flaws or poor configurations that introduce security
vulnerabilities leading to compromise. Therefore, network services unnecessary
for the intended purpose or operation of that device should be removed or
disabled to reduce the overall risk.
4.7.2
Recommendations
4.7.2.1 Default
Network Services
Most operating system
vendors have now acknowledged the risk of unnecessary network services;
therefore, it is generally true that more recent operating systems are
configured more securely by default and are preferred. However, all systems
should be hardened. Consult the Center for Internet Security benchmark for your
operating system for specific information about which services can and should
be disabled by default. Instructions for accessing the Center for Internet
Security Benchmark are available at:
4.7.2.2 User-Installed
Software
Besides the operating
system, some user-installed applications provide network services to
communicate with other devices. In many cases these services are required for
the intended operation of the device, and are therefore permitted. However,
some applications install gratuitous network services that are either not
required or are configured to provide network access when only local access is
required. For example, some reporting software installs the Microsoft SQL
service as an add-on even though its services are unnecessary for most users.
When installing new software, query to determine if the install process added
additional network services and determine whether those additional services are
necessary or gratuitous.
4.7.2.3 Edge
Cases
Some network services
may not be strictly necessary to the intended purpose or operation of the
device, but disabling or removing them creates significant barriers to
effective use or management of the device. For example, the “Server” service is
not strictly required for Microsoft Windows workstations to run effectively,
but disabling the “Server” service will make automated desktop management by IT
staff very difficult.
Do not disable or
remove a network service if doing so will create a significant barrier to the
effective use or management of the device. Configure the host-based firewall,
IPSEC or some other mechanism to limit access to the service and mitigate the
risk of exposure to potential vulnerabilities.
4.8 Privileged
Accounts
Privileged and
super-user accounts (Administrator, root, etc.) must not be used for
non-administrator activities. A secure mechanism to escalate privileges (e.g.,
via User Account Control or via sudo) with a standard account is acceptable to
meet this requirement. Network services must run under accounts assigned the
minimum necessary privileges.
4.8.1
Description of Risk
Privileged access
gives a user the ability to perform any task on a device without restriction
and is necessary for the provisioning and administration of the device. For the
following reasons this access should only be used for the duration of those
activities that require it:
4.8.1.2 Accidental
Use
Privileged access
bypasses access controls, so errors made by a privileged user may have
catastrophic consequences, resulting in data loss or significant downtime. For
example, on a Unix system, an extra space may turn “rm –Rf /tmp/olddata” into
“rm –Rf / tmp/olddata”, deleting the entire
file system. Limiting the use of privileged access to only those times when
that access is required reduces the likelihood of this type of error.
4.8.1.3
Malware
Many types of malware
infect and spread by changing system configurations and installing new
services, two activities that are generally limited to privileged users. When
reading email, browsing the web, or accessing files as a privileged user, any
malware a user encounters will also run as a privileged user, bypassing all
access and security controls.
Besides the risk
associated with unnecessary use of privilege by a user, network services that
run as privileged accounts present as significant risk as well. If exploited, a
vulnerability in a network service running as a privileged user will grant the
attacker privileged access to the device, bypassing all access and security
controls.
4.8.2 Requirement
Users must not log in
as or use a super-user (Administrator, root, etc.) or equivalent account for
activities that do not require such access, and network services must run with
the minimum necessary privileges, except in the following case:
4.8.2.1 Devices
that do not support separation of privileges
Devices that do not
provide separate facilities for privileged or unprivileged access (e.g., some
network appliances and printers with embedded operating systems) are exempt
from this requirement.
When working on
devices that do not provide separate facilities for privileged or unprivileged
access (e.g., some network appliances and printers with embedded operating
systems)only stay logged into the device for as long as necessary to perform
the administrative task, then log out.
4.8.2.2 Use sudo or
Run As… instead of logging in as a super-user or using an equivalent group
Instead of logging in
as a super-user or placing a user account in a group that provides privileged
access, utilize operating system features such as “sudo” (Unix/OSX) or “Run
As…” (Windows) which allow for temporary escalation of privileges. If these
features are not available, practice rigorous self-discipline and only log in
as a super-user when necessary.
4.8.2.3 Troubleshoot
software that requires privileged access
Some software,
particularly legacy software on Microsoft Windows, does not run unless the user
is in the Administrators group. In many cases, file and registry access
monitoring tools such as Microsoft Process Monitor or Sysinternals FileMon and
RegMon can determine which access controls need to be changed to allow the
software to run as an unprivileged user.
4.8.2.4 User
Account Control (UAC) on Windows 7
Utilize UAC on
Windows 7 to allow unprivileged users to escalate privileges for legacy
software that must be run as “Administrator”.
5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team.
Violations may result in disciplinary action, which may include suspension,
restriction of access, or more severe penalties up to and including termination
of employment. Where illegal activities or theft of GSCS property (physical or
intellectual) are suspected, GSCS may report such activities to the applicable
authorities.
7.0 Revision History
Revision 1.0, 12/7/2012
Revision 2.0, 8/13/2012