UMKC Information Services
Information Security
Networked Device Security Requirements
An implementation of the UMKC Network Policy
Version 0.86 Revised 22-February-2012
Purpose:
This document is an implementation document, related to the UM-System Acceptable Use Policy, the UM-System Information Security Program, and the UMKCnet Connectivity and Usage policy. This document outlines the active requirements related to networked device security, and will be updated periodically as new security changes become necessary.
Additional security is required of Server Systems and Applications as listed in the UM-System Data Classification for Systems and Applications .
Overview:
Any devices connecting to UMKCnet (the campus computer network operated by UMKC Information Services) must maintain a minimum level of security. This includes but is not limited to the use of Antivirus Software for Windows systems, current system patches, and additional software protection such as Host Based Firewall. Other security measures to maintain the minimum security level may be substituted only as defined in this document.
Summary chart:Writable disk-based devices
Security Requirements / Operating
System
Patching / Required -
Implemented / Required –
Partially Implemented /
Required –
NOT Implemented
Notes / 1. UMKC IS has centralized OS patch management for devices running Microsoft Windows operating systems
2. UMKC IS configures MacOS devices to allow the user to approve and apply OS patches and has the capacity to push these patches when necessary
3. Mitigation options for non-compliant devices:
a. Vendor-specified workarounds to ensure vulnerability does not impact the device
b. Two-way firewall between device and campus network
Application
Patching / Required -
Partially Implemented / Required –
Partially Implemented /
Required –
NOT Implemented
Notes / 1. UMKC IS has centralized application patching for select Microsoft, Adobe, Java and Mozilla products with the capacity to push other application patches as necessary
2. UMKC IS has the capacity to push application patches as necessary
3. Mitigation options for non-compliant devices:
a. Vendor-specified workarounds to ensure vulnerability does not impact the device
b. Two-way firewall between device and campus network
Antivirus / Required -
Implemented / Recommended
NOT Required / Recommended
NOT Required
Notes / 1. UMKC IS had centralized antivirus management for Microsoft Windows operating systems
2. UMKC IS does not license antivirus protection for Macintosh and Linux operating systems
3. Mitigation options for non-compliant devices:
a. All disks scanned remotely each week with updated antivirus definitions AND employ software/firewall hardware
b. May be considered exempt from requirement if commercial antivirus software is not available
c. May be considered exempt from requirement if device is firmware-based OR Read-only
Domain Membership / Required -
Implemented / NOT Required / NOT Required
Notes / 1. All devices running Windows operating systems must be joined to the UMKC Active Directory
2. Special learning labs and devices with certain instrumentation attached may be exempted
3. Mitigation options for non-compliant devices:
a. Restricted to single-VLAN network without access to campus network
b. Must be configured to install updates on a weekly basis, and, if not, should have no contact to the campus network
Special Requirements for Select Systems / 1. Systems exempted from traffic filtering through firewall:
a. Must be hardened by industry standards
b. Must have all unnecessary services, processes, protocols and ports disabled
2. Systems which handle sensitive or financial data
a. Must be hardened to industry standards
b. Must have all unnecessary services, processes, protocols and ports disabled
c. Must utilize a local hardware firewall or IPsec with authentication and encryption
d. Must be protected according to applicable governmental regulation
3. Systems which handle “top-secret” information cannot be connected to the UMKC network
4. UMKC IS may require system checks of any device prior to after connecting to the UMKC network
a. Devices failing any area of inquiry may be denied full access to the UMKC network
b. Compromised devices attached to the UMKC network may accrue financial penalties
Implementation:
The networked device security requirements will be implemented as listed below. Devices not following this implementation will be subject to actions and/or penalties listed in the non-compliance section. There are also two ‘additional requirements’ sections for devices that are to have significant Internet exposure, or those that handle sensitive data which could be subject to attack. All implementation costs are the responsibility of the department or individual who owns the device.
Patches:
All devices on the UMKC network must have updated operating system and application patches. Patches for actively exploited flaws must be installed immediately. All ‘Critical’ patches without an active exploit must be installed within 1 month of release. All ‘Important’ patches must be installed within 3 months of release. All Service Packs and ‘Moderate’ or lower patches must be installed within 6 months of release.
Patches that are found to break specific functionality necessary on a device may be considered ‘optional’ if the ‘mitigating actions’ outlined by the vendor for the vulnerability are taken to ensure the device is not impacted by the vulnerability. (Mitigating actions vary by vendor, and may include disabling certain services, or installing alternate third-party fixes that work around the vulnerability.)
For devices that cannot meet these patching requirements, the device should be setup behind a two-way hardware firewall, limiting both inbound traffic and outbound traffic to only those source and destinations ports/addresses absolutely needed for the device to perform the functionality required in authorized use of the device.
Centralized Microsoft OS Patching:
UMKC Information Services (UMKC IS) centralized patch control will be used to push out Microsoft patches within these timelines:
1) 48 hours of a critical Microsoft patch cycle that is actively being exploited.
2) At 2am the following Monday morning for critical patches.
3) At 2am the Monday morning after the 2nd Tuesday for important and low priority patches. (Essentially the Monday following Microsoft’s Patch Tuesday)
This will affect computers joined to the UMKC Active Directory. Groups may request to have certain machines exempted from the normal scheduling cycle on a case by case basis, but must manually patch within the above ‘Patches’ section timeline requirements.
Wake-on-LAN technology will be used to wakeup machines for a patch cycle. In cases where Wake-on-LAN technology is used, the wakeup signal will be sent prior to the actual patch time. The machines that are powered on in this manner, will also be sent a shutdown after the patch and updates time window.
A weekly reboot time for all Windows workstations will be scheduled early each Monday morning. This reboot will clear hung patches and updates. Additional reboots may occur when the actual patches are installed, if a reboot is a requirement of the patch. IT Liaisons who need to exempt specialty machines from reboots may do so at: http://www.umkc.edu/is/handbook/liaisons/mwindows/ and will need to renew this exemption yearly. Additional information on this maintenance window is available at: http://www.umkc.edu/is/handbook/liaisons/mwindows/process.asp
Centralized Windows Application Patching:
Information Services uses centralized application patching on Windows OS computers. This patching is provided through Microsoft SCCM. This is a campus standard tool used to help ensure that common campus applications have the latest available updates. This system is also used to help deploy campus licensed software to departmental machines, and is the preferred method for deployment of licensed software. This system will become necessary for all University owned Windows machines with Microsoft’s 2012 and newer antivirus products.
Antivirus:
All Windows devices on UMKCnet must have Antivirus Software installed, with only certain special exemptions as listed in the Antivirus Mitigation section below.
Information Services will centrally operate an antivirus management server. This server will be used to automate the updates and upgrades that are a part of the centrally licensed antivirus product. This system is limited to University owned machines due to licensing restrictions.
Antivirus Mitigation:
For Windows devices that cannot run Antivirus software, one of the following mitigating steps should be taken:
1) Writable disk-based devices must have Antivirus scans done remotely on all attached disks at least once weekly with updated Antivirus definitions. Writable disk-based devices running Windows that fall under this mitigation section must also employ a software or hardware two-way firewall. These devices should also optionally employ either Full Host IPS or Hardware Buffer Overflow protection technology. Devices in this category are likely to include special instrumentation machines where the vendor has requirements prohibiting Antivirus software due to adverse issues affecting the equipment or system performance.
2) Devices that are firmware based are exempted from the antivirus requirement, such as Thin Client computers. These devices must still conform to the patching requirements. These devices may be assigned to special network VLANs to ensure enhanced protection from network attacks.
3) Devices for which commercial antivirus is not yet available, such as ARM CPU based Windows OS devices, are exempted until such time that commercial antivirus is available.
Windows Domain Membership:
All University purchased or otherwise owned computers running a full Windows Operating System must be joined to the UMKC Active Directory, with only certain special exemptions.
1) Special OS learning labs which involve Active Directory testing and/or OS beta testing do not need to be joined with the central AD, but group policies must be in place in the testing environment to ensure that all such machines are kept up to date, and upon request, access accounts should be provided to Central IT for validation of security updates. Generally when these conditions cannot be met, and with certain beta software, only single-VLAN networks should be used without routed access to the campus main network.
2) Special instrumentation devices that have a companion PC may have certain issues preventing domain membership. These devices must be configured to obtain all updates on at least a weekly basis, and must follow other security practices including account logging and remote administrative access upon request. Generally machines in this group that cannot be joined to Active Directory and which cannot be kept up to date on current patches and/or operating system should have no contact with the main campus network. Such machines should instead use portable media drives (such as a portable drive) for data transfer, or may need to be remotely controlled using an intermediate device such as a Remote Desktop isolation server.
Additional Requirements for Significantly Exposed Systems:
Any device which has been granted an exemption from all traffic filtering through the campus firewall, or which has been placed outside of the campus firewall must adhere to certain additional requirements. These devices must be hardened per industry standards for the type of operating system used. Any such device must also have all unnecessary services, processes, protocols, and TCP-UDP ports disabled, to ensure the smallest attack surface possible.
Additional Requirements for Sensitive Data Systems:
Any system which handles financial account information, such as Credit Card information, must adhere to certain additional requirements. Systems which handle other, highly confidential, or very high value data must also adhere to these additional requirements.
Any system which falls under this particular classification must have a local hardware firewall in use or equivalent traffic protection such as IPsec with authentication and encryption. UMKCnet should be considered a ‘hostile network’ for the purposes of these machines. Additionally, such systems must be protected and hardened according to industry requirements and government regulation that may apply to the affected system. (i.e. PCI for Credit Card systems, etc.)
Top Secret and Security Classified Systems:
Systems which contain data which would generically be considered ‘Top Secret’ or information which meets security isolation requirements similar to and including those found under the Department of Defense, CIA, or other government agency cannot be connected to the UMKC network. Certain data source providers may also require that their data not be used on networked computers.
System Checks:
UMKC IS may require devices to be checked for their security status, prior to being allowed access to the network. The use of these checks does not remove the responsibility that is placed upon the device owner to ensure that the device follows this device security implementation document. These checks only look for obvious security issues, and are used to provide an additional layer of protection to other devices connected to UMKCnet.
These security checks may include proactive checking for missing patches, scanning for exposed security vulnerabilities, and/or checking for active Antivirus Software. Systems not passing such a test may be automatically denied access to the network, or placed into a quarantine network with limited access.
Non-Compliance:
Devices connected to the UMKC network that do not comply with the above guidelines will be subject to being blocked from UMKCnet access. This block may be automated through a compliance scanner or manually implemented.
Devices which are compromised due to not complying with the above guidelines will be subject to a penalty of $250 per hour that the device remains on the campus network and remains infected. This charge is billed to the owning department. This charge starts at the point that UMKC IS places an email or phone call to the known IT Liaison for the department that is responsible for the device, and runs until the device is removed from the network or repaired, whichever comes first.
Student owned devices which are compromised will not be subject to the compromise penalty but will be barred from UMKCnet access until remedial action is taken to resolve the compromised device. The associated student account may be put on hold to prevent reconnection of the compromised device. Student owned devices must still adhere to the patch and antivirus requirements.