Computer Security Policies
The Biology/EA IT Department, in compliance with the Duke University Security office and the Dean of Arts and Sciences, has established strict rules for the base configuration and management of workstations owned and/or operated by Duke University. It is expected that all workstations (both Laptops and Desktops) will comply with the requirements of this standard before being put into production. Any existing laptops and workstations already in production will need to meet the same criteria.
- If you would like to learn more about the University Security Policies please visit their website here: https://security.duke.edu
- If you would like to learn more about Arts and Sciences Security Policies please visit their website:
https://trinity.duke.edu/technology/support/policy-computing-devices-and-senstive-data
All fully supported and Duke owned computers must have the following:
- Crowdstrike
- Endpoint Management software (BigFix, SCCM, JAMF)
- Fully encrypted system and internal drives (FileVault or BitLocker)
- A Local bioadmin account with unique password assigned to each OS
- A Biology logo affixed to all Biology laptops
- IT approved fully encrypted drives for backups
- IT approved external drives for use as backup w/256bit file encryption
-
SSH protocol disabled, unless an exception has been approved by the IT manager for a specific need or purpose
-
When an exception has been provided machines with SSH enabled will be provided a static IP and placed on the private network
-
-
A connection to the private network space
Biology/EA IT required response to security incidents/reports from ITSO
- Low/Medium risk incident reports – IT will respond and remedy within 10 business days.
- High risk/Outbound attacks – IT will immediately remove the computer from the network. The computer is not allowed back on the network until it has been erased, rebuilt, and verified by the IT Manager.
Windows XP and Windows 7 machines with approved exceptions – unable to be upgraded and required network access
- All Windows XP and Windows 7 computers are to be removed from the network and replaced (exceptions can be made by IT Manager due to hardware requirements however they will not be allowed on the network unless an exception has been made by the Duke Security office; once the hardware dies there is no replacement)
PCs given exceptions by Duke Security Office must meet the following requirements:
- Place on private Vlan
- Internet Explorer disabled
- Firefox/Chrome installed
- McAfee removed and replaced with Symantec Antivirus
- Symantec Firewall enabled, blocking all incoming and outbound traffic
- Duke only sites/systems allowed
- Removed from ActiveDomain / All current ActiveDomain accounts deleted
- Bioadmin account setup
- Added to Big Fix to receive security patches
Windows 10
- Encrypted hard drives as part of the imaging process using BitLocker
- Fully patched OS
- Local bioadmin account
- Added to Big Fix to receive security patches
Linux OS (RHEL 8, Centos 7)
- Encrypted hard drives
- Fully patched OS
- Root user is disabled
- Bioadmin account setup
Macintosh 2008 Hardware and below unable to be upgraded past 10.6.8
- All computers are to be removed from the network and replaced (exceptions can be made by IT Manager due to hardware requirements however they will not be allowed on the network; once the hardware dies there is no replacement)
Macintosh 2011 and above Hardware
- All laptops will have the firmware password enabled
- Root account will be disabled
- Hard drives will be encrypted using FileVault
- Fully patched OS
- Root user disabled
- Local bioadmin account
*Passwords and encryption keys will be stored in a secure encrypted location and will only be available to the IT Manager; Department Manager and Department Chair
Macintosh iOS devices
- Enrolled in endpoint management software (JAMF server)
- Prey anti-theft software installed
- Added to Biology DEP
Personally Owned Machines that need to be registered on the Biology Wired Network Require
- A fully patched Supported Operating system
- Antivirus software
- Duke Blue Encrypted Wireless
- Internal Drive(s) must encrypted using BitLocker or FileVault
- Firmware password (Apple systems only)
Hacking Computer Accounts/Passwords
- The Biology/EA IT staff will not use out-of-band cracking tools to recover or reset forgotten passwords on computers. Computers that have been set up through the normal procedures and registered with our department will have an administrative account of some type that can be used for this purpose, but personal machines and self-administered machines may not. If there is no local admin account (or ability to log into the WIN.DUKE.EDU domain and use the associated administrative group), the Biology/EA IT staff will not be able to perform further action. Reinstallation of the OS may be performed if the computer meets the requirements outlined in the Supported Operating Systems and Supported Hardware sections above.
- Biology/EA IT Staff will not under any circumstances take/use any user’s personal passwords to access a computer.