Home » Articles posted by Vaibhav Gupta
Author Archives: Vaibhav Gupta
Duke University/Bio/Evanth Security
Computer Security Policies
The Biology IT Department, in compliance with the Duke University Security office and the Dean of Arts and Sciences, has established strict rules for the base configuration and management of workstations owned and/or operated by Duke University. It is expected that all workstations (both Laptops and Desktops) will comply with the requirements of this standard before being put into production. Any existing laptops and workstations already in production will need to meet the same criteria.
- If you would like to learn more about the University Security Policies please visit their website here: https://security.duke.edu
- If you would like to learn more about Arts and Sciences Security Policies please visit their website here: https://trinity.duke.edu/technology/support/policy-computing-devices-and-senstive-data
All fully supported and Duke owned computers must have the following:
- They will be registered on the private network
- Symantec Antivirus
- Endpoint Management software (BigFix, SCCM, Casper)
- Hard Drives must have Full Disk encryption (FileVault or BitLocker)
- Local bioadmin Accounts with unique password assigned to each OS
- All Biology laptops will be labeled externally with the Biology logo
- Only IT approved fully encrypted HD’s will be purchased for backups
- IT Specific external HD’s for use as backup w/256bit file encryption
-
SSH is disabled by default on all machines, unless an exception has been requested and provided by the IT manager for a specific need or purpose
When an exception has been provided machines with SSH enabled will be provided a static IP and placed on the private network
Biology IT required response to security incidents/reports from ITSO
- Low/Medium risk incident reports – IT will respond and remedy within 10 business days.
- High risk/Outbound attacks – IT will immediately remove the computer from the network. The computer is not allowed back on the network until it has been erased, rebuilt, and verified by the IT Manager.
Windows XP machines – unable to be upgraded and required network access
- All Windows XP computers are to be removed from the network and replaced (exceptions can be made by IT Manager due to hardware requirements however they will not be allowed on the network unless an exception has been made by the Duke Security office; once the hardware dies there is no replacement)
PCs given exceptions by Duke Security Office must meet the following requirements:
- Place on private Vlan
- Internet Explorer disabled
- Firefox/Chrome installed
- McAfee removed and replaced with Symantec Antivirus
- Symantec Firewall enabled, blocking all incoming and outbound traffic
- Duke only sites/systems allowed
- Removed from ActiveDomain / All current ActiveDomain accounts deleted
- Bioadmin account setup
- Added to Big Fix to receive security patches
Windows 7/10 (Windows 8.1 is to be upgraded)
- Encrypted hard drives as part of the imaging process using BitLocker
- Fully patched OS
- Local bioadmin account
Macintosh 2008 Hardware and below unable to be upgraded past 10.6.8
- All computers are to be removed from the network and replaced (exceptions can be made by IT Manager due to hardware requirements however they will not be allowed on the network; once the hardware dies there is no replacement)
Macintosh 2011 and above Hardware
- All laptops will have the firmware password enabled
- Root will be disabled
- Hard drives will be encrypted as part of the imaging process using FileVault
- Fully patched OS
- Local bioadmin account
Macintosh iOS devices
- Enrolled in endpoint management software (Casper server)
- Prey anti-theft software installed
- Added to Biology DEP
Personally Owned Machines that need to be registered on the Biology Wired Network
- Running Fully Supported Operating system and is fully patched
- Symantec Antivirus installed
- Using Duke Blue Encrypted Wireless
- Hard Drive must have Full Disk encryption enabled (using BitLocker or FileVault2)
*Passwords and encryption keys will be stored in a secure encrypted location and will only be available to the IT Manager; Department Manager and Department Chair
Hacking Computer Accounts/Passwords
- The Biology/EA IT staff will not use out-of-band cracking tools to recover or reset forgotten passwords on computers. Computers that have been set up through the normal procedures and registered with our department will have an administrative account of some type that can be used for this purpose, but personal machines and self-administered machines may not. If there is no local admin account (or ability to log into the WIN.DUKE.EDU domain and use the associated administrative group), the Biology/EA IT staff will not be able to perform further action. Reinstallation of the OS may be performed if the computer meets the requirements outlined in the Supported Operating Systems and Supported Hardware sections above.
- Biology/EA IT Staff will not under any circumstances take/use any user’s personal passwords to access a computer.