Greater Saskatoon Catholic Schools
I.T. Networked Devices Standards
In order to ensure the security of the GSCS network, and all users connected to the network, all devices attached to the network must meet minimum security requirements as defined in these stardards.
The purpose of this document is to specify guidelines and requirements for all devices connected to the GSCS network. Any connected device must meet the requirements listed in this policy prior to being allowed on the GSCS network, with access to network resources.
The only exclusions to these standards are those devices which will connect only to the GSCS Guest Network.
These standards apply to any device which is connected to any GSCS network, excluding the GSCS Guest Network.
The GSCS mandates that all devices connected to the GSCS
network comply with the requirements defined in Section 4.0 of this document.
Compliance with this policy helps protect not only the individual device, but also other devices connected through the electronic communications network. The standard is intended to prevent exploitation of GSCS resources by unauthorized individuals, including the use of GSCS resources by unauthorized individuals to attack other systems on the GSCS electronic communications network or the Internet.
4.1 Software Patch
GSCS networked devices must only run software for which security patches are made available in a timely fashion. All currently available security patches must be applied on a schedule appropriate to the severity of the risk they mitigate.
4.1.1 Description of Risk
Security exploits in software are uncovered on a daily basis. Vulnerabilities in software may be exploited to compromise systems resulting in data theft or the use of compromised systems to launch attacks.
Effective patch management requires a process to identify vulnerable software, evaluate available patches, test and deploy those patches, and confirm their successful installation. Most operating system (OS) vendors include a solution for patching, but such solutions typically cover only the OS itself. It is critical to supplement these solutions with application patching.
GSCS owned equipment is patched via automated processes for all authorized and installed software applications, alleviating the end user of any requirement for manual intervention.
For non-GSCS owned equipment, the end user is responsible for maintaining all patch updates. The GSCS reserves the right to deny access to any devices found that are not running the latest patch revisions
4.2 Anti-malware Software
For devices for which anti-malware software is available, anti-malware software must be running and up-to-date. In addition, the software must run real-time scanning and/or scan the device regularly.
4.2.1 Description of Risk
Malware is short for “malicious software” and broadly describes all software that is designed to provide unauthorized access or perform unauthorized actions on a system. The impact of malware can range from minor system performance issues to complete hard drive deletion or even full, remote control of a system by an attacker. It is important to detect malware before it infects a system.
Anti-malware is a standard and necessary layer of protection for networked systems and an anti-malware product is available free of charge to campus students, staff and faculty. Ensure that the software receives regular signature updates. These updates contain information about new viruses and are often delivered multiple times per week.
While anti-malware software provides significant protection against malware of all types, it is not 100% effective. Requirement 4.7 “Privileged Accounts” provides additional protection against malware which may not be detected by anti-malware software.
All devices connected to the GSCS network, for which anti-malware software is available, must have it installed and running.
188.8.131.52 Enable real-time scanning
In order to detect malware before they are able to infect a system, enable real-time scanning. Real-time scanning will analyze files and programs as they are copied to a system in order to prevent the user from unknowingly becoming infected.
184.108.40.206 Edge Cases
This section covers those devices, such as servers, where real-time scanning creates unacceptable performance issues.
Some servers, or other network attached devices, may be operating in an environment where real-time scanning negatively impacts the performance of the services. In these cases, ensure that all clients connecting to the server are running anti-malware software with real-time scanning enabled and schedule anti-malware scans for the server or device on a weekly basis.
4.3 Host-based Firewall Software
For Microsoft Windows, Mac OS X, or Linux/Unix devices for which host-based firewall software is available, host-based firewall software must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based firewall does not obviate the need for host-based firewalls.
Insufficient restrictions on system access over the network increases exposure to attack from viruses, worms, spyware, and may also facilitate undesired access to resources. Not having a rule which denies incoming traffic by default unnecessarily exposes a system to compromise.
220.127.116.11 Outbound traffic
Many times firewalls are configured such that rules are only placed on inbound traffic and allow all outbound traffic. Restricting outbound traffic provides an additional layer of security against misuse or data loss in the event of a compromised host and should be used where appropriate.
18.104.22.168 Log firewall activity
A firewall will reduce the likelihood of compromise, but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.
Enable logs; retain at least 30 days of data; and collect at least source and destination IP addresses and ports, application, protocol, direction, date and time, and rule.
Log files should be read only, and with write access granted only to the firewall service account.
22.214.171.124 Allow incoming traffic from the SNS security scanners
Configure your firewalls to allow network based scanning by System and Network Security (SNS) vulnerability scanners. SNS will scan hosts on the campus network determining if hosts are vulnerable to common network threats or if a system appears to have been compromised.
126.96.36.199 Limit remote desktop access
If remote desktop access to the host is required, limit remote desktop access to a finite number of IPs and/or subnets. If the device must be accessed from off-campus, use the campus VPN pool for remote connectivity.
4.4 Use of Authentication
Network services and local (console) device access must require authentication by means of passphrases or other secure authentication mechanisms unless the explicit purpose of the service/device is to provide unauthenticated access (for example: public web servers or public kiosks) and it can do so without readily allowing it to be used by attackers. Notably, the following network services must require authentication: proxy services, email (SMTP) relays, wireless access points, remote desktop, SSH shell access, and printer administrative interfaces.
Simple devices like printers, game consoles, DVR’s, media extenders, network attached storage, and router/firewalls that don't support local authentication are exempt from this requirement provided that physical access is restricted. This exemption does not extend to network-facing services running on the device.
Wireless access points must require strong encryption to associate (such as WPA2), or use a captive portal or some other strong mechanism to keep casual users near the access point from using it to get full access to the campus network. WEP or MAC address restrictions do not meet this requirement.
4.4.1 Description of Risk
Authentication keeps unauthorized people from using your computer or device. Any computer or device on the campus network that runs unauthenticated, exploitable network services is likely to be found by attackers and compromised or abused.
Requiring authentication to log on to the physical console of your computer may also help stop people with casual access to your system from installing malware or stealing your data.
Any network service that could be used maliciously should be protected by authentication. When implementing, ensure that authentication methods comply with Requirement 4.8, “Unencrypted Authentication.”
Full-featured operating systems like Windows, Mac OS, or Linux must be configured so that all user accounts have passphrases, and those passphrases are required to login to the system locally or to use the system remotely (via Remote Desktop/VNC, file and print sharing, or other services).
Network services running on campus devices must be configured to require authenticated access by means of passwords or other secure authentication mechanisms unless the explicit purpose of the service is to provide unauthenticated access (for example: public web servers) and can do so without readily allowing it to be used by attackers.
Network services which are commonly used by attackers and, therefore, must not allow unauthenticated access include: proxy services, email relays, wireless access points, remote desktop, SSH shell access, or printer administrative interfaces.
188.8.131.52 Email Authentication
Email (SMTP) servers that support encryption and authentication (SMTP AUTH) must require their use before accepting messages to be relayed to the world. When that is not possible, other options such as transport mode IPSec should be considered before falling back to using firewalls to allow unauthenticated access for specific device IP addresses on trusted subnets.
184.108.40.206 Proxy Servers
Proxy servers must require authentication before forwarding or relaying traffic to other hosts. When that is not possible, other options such as transport mode IPSec should be considered before falling back to using firewalls to allow unauthenticated access for specific device IP addresses on trusted subnets.
4.5 No Unencrypted Authentication
authentication must be strongly encrypted. In particular, insecure services
such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted
Traffic for one-time password authentication systems (e.g., S/Key, OPIE, SecureID) is exempted from this encryption requirement.
Anonymous FTP servers or other services where authentication credentials are requested but not used are exempt from this requirement.
4.5.1 Description of Risk
Unencrypted authentication exchanges present the possibility that credentials can be intercepted by attackers and used to gain authenticated access to the system.
All network-based authentication must be strongly encrypted.
In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
Traffic for one-time password authentication systems (e.g., S/Key, OPIE, SecureID) is exempted from this encryption requirement, because its exposure does not compromise the integrity of the underlying authentication system.
Anonymous FTP servers or other services where authentication credentials are requested but not used are also exempt from this requirement.
220.127.116.11 Legacy Windows Authentication
Eliminate use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos.
18.104.22.168 Replace Services With Their Encrypted Equivalent
Replace FTP with scp, sftp or ftps. Replace telnet with ssh. After replacing services with weak or unencrypted authentication with their secure equivalents, disable and if possible remove the replaced services.
Unattended computers must be locked to prevent unauthorized access.
4.6.1 Description of Risk
Unattended consoles represent a significant risk to the organization, as unauthorized users can gain access to system and data that they may normally be prohibited from accessing. This can compromise the overall security of the network and users on the network. It can also represent a significant compromise of the Canadian Information and Personal Privacy Act, as the unauthorized user could potentially access restricted personal data.
Devices must be configured to "lock" or log out and require a user to re-authenticate if left unattended for more than 15 minutes, except in the following cases:
22.214.171.124 Devices without auto-locking/logoff capability
Devices that do not support a configuration that automatically locks or logs off users after a specified period of time (such as network appliances and consumer electronics) may meet this standard through alternate controls, such as physical access restrictions (e.g., appliance stored in a locked office).
4.7 No Unnecessary Services
If a network service is not necessary for the intended purpose or operation of the device, that service must not be running.
4.7.1 Description of Risk
By definition, running a network service on a device provides an avenue for communications with other devices where one did not previously exist. Any service may be subject to software flaws or poor configurations that introduce security vulnerabilities leading to compromise. Therefore, network services unnecessary for the intended purpose or operation of that device should be removed or disabled to reduce the overall risk.
126.96.36.199 Default Network Services
Most operating system vendors have now acknowledged the risk of unnecessary network services; therefore, it is generally true that more recent operating systems are configured more securely by default and are preferred. However, all systems should be hardened. Consult the Center for Internet Security benchmark for your operating system for specific information about which services can and should be disabled by default. Instructions for accessing the Center for Internet Security Benchmark are available at:
188.8.131.52 User-Installed Software
Besides the operating system, some user-installed applications provide network services to communicate with other devices. In many cases these services are required for the intended operation of the device, and are therefore permitted. However, some applications install gratuitous network services that are either not required or are configured to provide network access when only local access is required. For example, some reporting software installs the Microsoft SQL service as an add-on even though its services are unnecessary for most users. When installing new software, query to determine if the install process added additional network services and determine whether those additional services are necessary or gratuitous.
184.108.40.206 Edge Cases
Some network services may not be strictly necessary to the intended purpose or operation of the device, but disabling or removing them creates significant barriers to effective use or management of the device. For example, the “Server” service is not strictly required for Microsoft Windows workstations to run effectively, but disabling the “Server” service will make automated desktop management by IT staff very difficult.
Do not disable or remove a network service if doing so will create a significant barrier to the effective use or management of the device. Configure the host-based firewall, IPSEC or some other mechanism to limit access to the service and mitigate the risk of exposure to potential vulnerabilities.
4.8 Privileged Accounts
Privileged and super-user accounts (Administrator, root, etc.) must not be used for non-administrator activities. A secure mechanism to escalate privileges (e.g., via User Account Control or via sudo) with a standard account is acceptable to meet this requirement. Network services must run under accounts assigned the minimum necessary privileges.
4.8.1 Description of Risk
Privileged access gives a user the ability to perform any task on a device without restriction and is necessary for the provisioning and administration of the device. For the following reasons this access should only be used for the duration of those activities that require it:
220.127.116.11 Accidental Use
Privileged access bypasses access controls, so errors made by a privileged user may have catastrophic consequences, resulting in data loss or significant downtime. For example, on a Unix system, an extra space may turn “rm –Rf /tmp/olddata” into “rm –Rf / tmp/olddata”, deleting the entire file system. Limiting the use of privileged access to only those times when that access is required reduces the likelihood of this type of error.
Many types of malware infect and spread by changing system configurations and installing new services, two activities that are generally limited to privileged users. When reading email, browsing the web, or accessing files as a privileged user, any malware a user encounters will also run as a privileged user, bypassing all access and security controls.
Besides the risk associated with unnecessary use of privilege by a user, network services that run as privileged accounts present as significant risk as well. If exploited, a vulnerability in a network service running as a privileged user will grant the attacker privileged access to the device, bypassing all access and security controls.
Users must not log in as or use a super-user (Administrator, root, etc.) or equivalent account for activities that do not require such access, and network services must run with the minimum necessary privileges, except in the following case:
18.104.22.168 Devices that do not support separation of privileges
Devices that do not provide separate facilities for privileged or unprivileged access (e.g., some network appliances and printers with embedded operating systems) are exempt from this requirement.
When working on devices that do not provide separate facilities for privileged or unprivileged access (e.g., some network appliances and printers with embedded operating systems)only stay logged into the device for as long as necessary to perform the administrative task, then log out.
22.214.171.124 Use sudo or Run As… instead of logging in as a super-user or using an equivalent group
Instead of logging in as a super-user or placing a user account in a group that provides privileged access, utilize operating system features such as “sudo” (Unix/OSX) or “Run As…” (Windows) which allow for temporary escalation of privileges. If these features are not available, practice rigorous self-discipline and only log in as a super-user when necessary.
126.96.36.199 Troubleshoot software that requires privileged access
Some software, particularly legacy software on Microsoft Windows, does not run unless the user is in the Administrators group. In many cases, file and registry access monitoring tools such as Microsoft Process Monitor or Sysinternals FileMon and RegMon can determine which access controls need to be changed to allow the software to run as an unprivileged user.
188.8.131.52 User Account Control (UAC) on Windows 7
Utilize UAC on Windows 7 to allow unprivileged users to escalate privileges for legacy software that must be run as “Administrator”.
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.
7.0 Revision History
Revision 1.0, 12/7/2012
Revision 2.0, 8/13/2012