Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
POLICY GUIDELINES
Minimum Security Requirements for Computer Systems

Summary
Computer systems connected to the LBNL network must meet minimum security requirements or they will not be allowed on the network. Minimum security requirements establish a baseline of security for all systems on the LBNL network.

This policy applies to all computer systems connected to the LBNL network. This policy does not apply to systems on the visitor network (e.g. wireless network).

These requirements will evolve with changing technology and threats.

Minimum Security Requirements
The following sections describe each of the minimum security requirements. Not all requirements apply to all operating systems.

1. Operating System Patched
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

Computer systems must install software patches to address security flaws in the operating systems. In addition, systems with automatic update functionality should enable that function so patches are installed in a timely manner.

Example: all Macintosh systems should enable "Software Update" and all Windows systems should enable "Automatic Updates".

2. Network Services Secured
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

Computer systems must only offer network services needed to support programmatic work. Systems must not offer unnecessary network services. Network services offered by computer systems must be patched to address security flaws in the service. Network service offerings must be limited to systems and networks requiring access to the service. Systems must not offer services to the entirety of the Internet unless that is the desired scope of the service. One convenient way to limit the scope of systems with access is to use a firewall.

Example: a system running an HTTP server whose content only needs to be accessible from inside the LBNL perimeter should only accept connections from inside the LBNL perimeter.
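The following shell script is an added example, not a CPP tool, showing how an administrator can audit a UNIX/Linux host against this requirement and produce the firewall rules that narrow a service's scope. It parses the output format of `ss -tulnH` (the sample lines below are constructed, not taken from any real host), flags every socket bound to a wildcard address, and prints iptables rules for one port restricted to an allowed source range. The allowed range is a placeholder: the LBNL perimeter address space is not given on this page.

```shell
#!/bin/sh
# Added example for the "Network Services Secured" requirement.
# Not LBNL code; it assumes the `ss -tulnH` column layout
# (Netid State Recv-Q Send-Q Local Peer) and a placeholder site range.

# Constructed sample of `ss -tulnH` output for demonstration only.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0 128 [::1]:25         [::]:*
udp   UNCONN 0 0   0.0.0.0:111      0.0.0.0:*
tcp   LISTEN 0 128 192.0.2.10:8080  0.0.0.0:*'

# Placeholder for the site perimeter (TEST-NET-1); replace with the real range.
SITE_RANGE='192.0.2.0/24'

# list_exposed: read ss lines on stdin and print "proto port" for every socket
# bound to a wildcard address, i.e. offered on every interface (and therefore
# to the whole Internet unless a firewall narrows it).
list_exposed() {
  while read -r proto state recvq sendq laddr peer; do
    [ -n "$laddr" ] || continue
    addr=${laddr%:*}          # drop the trailing ":port"
    port=${laddr##*:}
    case "$addr" in
      0.0.0.0|'*'|'[::]'|'::') echo "$proto $port" ;;
      *) ;;                   # loopback or a specific address: not flagged
    esac
  done
}

# count_exposed: number of wildcard-bound sockets in the input.
count_exposed() {
  list_exposed | awk 'END { print NR }'
}

# allow_only_from: print iptables rules that accept TCP port $1 only from
# source range $2 and drop it from everywhere else. Rules are printed rather
# than applied so the script is safe to run; review them, then apply as root.
allow_only_from() {
  port=$1
  cidr=$2
  printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone run: audit the sample, then show rules for the web server case.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | list_exposed
echo "wildcard-bound sockets: $(printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_exposed)"
allow_only_from 80 "$SITE_RANGE"
```

On a live host replace the sample with `ss -tulnH | list_exposed`; every line it prints is a service that should either be justified as Internet-facing, bound to a specific address, or fenced with rules like the ones `allow_only_from` emits.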

3. Meet Password Complexity
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

Computer systems must use passwords that meet the LBNL RPM requirements. All passwords used on the system must meet this requirement; this includes user account passwords as well as network service passwords. Programs which store credentials, such as SSH keys, web browser password stores, PasswordSafe, and KeyChain, must be protected by a password that meets the RPM requirement.

Example: OSX user accounts must meet the RPM requirements. SSH keys must have a passphrase that meets RPM requirements.

4. No Clear Text Authentication
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

Authentication to LBNL computer systems must be encrypted. Authentication that passes the password of an account in clear text is forbidden.

Example: LBNL systems must not use Telnet.

5. Antivirus
Applicable: Windows

Computer systems must run antivirus protection. Antivirus protection must automatically update on a regular interval to ensure a current set of virus definitions.

Example: Symantec is site-licensed and available here. The default install will update definitions regularly.

6. Windows Security Template
Applicable: Windows XP

Computer systems must install the Windows Security Template. Using NIST guidance, CPP and the IT division have developed a collection of security settings for Windows systems. This collection of security settings is grouped to form a security template.

Example: the security template applies the RPM password policy to workstations.

7. Appropriate Logging
Applicable: UNIX/Linux and OSX

Computer systems must log to the central syslog server. Any time your host records log information, it must also be sent to the central syslog server.
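As an added example (not a CPP-provided script), the shell functions below write an rsyslog drop-in that forwards every message to a central server over TCP and check an existing configuration for such a rule. The server name is a placeholder; the page does not name LBNL's central syslog host, so substitute the real one. On an older syslogd or OS X syslog.conf the same `*.* @host` line form applies.

```shell
#!/bin/sh
# Added example for the "Appropriate Logging" requirement. Not LBNL code.
# Assumes rsyslog's classic selector syntax; LOGHOST is a placeholder.

LOGHOST='loghost.example.invalid'   # placeholder: real central syslog host not on the page

# write_forwarding_rule: write a drop-in at path $1 that sends all facilities
# and priorities to the central server over TCP (@@; a single @ would be UDP).
# Local logging from the main config is untouched, so logs stay on the host too.
write_forwarding_rule() {
  printf '# forward everything to the central syslog server\n*.* @@%s:514\n' "$LOGHOST" > "$1"
}

# has_forwarding_rule: succeed if the config file at $1 forwards *.* to a
# remote host (UDP or TCP), fail otherwise. Usable as a compliance check.
has_forwarding_rule() {
  grep -Eq '^\*\.\*[[:space:]]+@@?[^[:space:]]+' "$1"
}

# Stand-alone run against a temporary file so nothing on the host changes.
tmpconf=$(mktemp)
write_forwarding_rule "$tmpconf"
if has_forwarding_rule "$tmpconf"; then
  echo "forwarding rule present in $tmpconf"
fi
rm -f "$tmpconf"
```

In practice the drop-in goes under `/etc/rsyslog.d/` followed by a service restart, and `has_forwarding_rule /etc/rsyslog.d/*.conf` style checks can run from a cron job so drift is noticed before the central server stops receiving a host's logs.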

8. Host Registration
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

As of July 1, 2008, host registration has been suspended until further notice. Please consider including your EPO or other descriptive information in your DHCP host name (eolawrence-m99.dhcp.lbl.gov). You must still have up-to-date contact information on file with LBLnet for your fixed IP address.

9. Physical Security
Applicable: All Operating Systems (Windows, Macintosh, UNIX/Linux)

Computer systems must ensure appropriate physical security measures are taken to protect the system and any portable media from unauthorized access, manipulation, or theft. Additional precautions must be taken to protect the assets when they are not at the LBNL site.

Example: An LBNL laptop system should not be left unattended in a public area.

Exceptions to Minimum Security Requirement

Some systems may be unable to meet minimum requirements. The following are examples; there may be more.

1. Computer system cannot technically meet the minimum security requirements

Examples of this type of computer system include legacy operating systems such as Windows NT or Redhat Linux 6.1 that do not have patches for some vulnerability.

2. Computer systems cannot operationally meet the minimum security requirements

Examples of this type of computer system include devices that perform experiments, such as genome sequencers or systems used in ALS control. Uptime requirements may mean these devices cannot be patched and rebooted.

3. Computer system cannot cost-effectively meet the minimum security requirements

In some circumstances the cost/benefit calculation for a system meeting the minimum security requirements may require accepting the risk of the system not meeting the requirements. For example, outfitting all networking hardware to support encrypted authentication is cost prohibitive in the short term.

How to Implement Minimum Security Requirement

The easiest way to ensure Windows computers meet minimum security requirements is to join them to Active Directory. The default policies on Active Directory ensure computers have the latest patches, complex passwords, the security template, and a firewall enabled to limit network services. For more information on joining Active Directory, please visit How to Join Your Computer to Active Directory.