OIT

Information Technology Security Policy » Guidelines

Links

Policy Procedures Guidelines Outlines Unit IT Security Policy Outline Unit IT Documentation Outline Unit IT Business Recovery Plan Outline DDD Memos IT Security Policy

Current Best Practices

Accounts

• The registered user of an account is responsible and liable for all processes initiated from the account.
• All accounts should be secured using a good password.
• There should be no group accounts.
• Remove unneccessary preconfigured or default accounts that have generic or nonexistent passwords.
• Change the password to necessary default accounts before attaching the system to the network.

Authentication

• Passwords should be at least 6 characters.
• A good password is difficult to guess.  It contains alpha, numeric and shift characters.  It cannot be found in the dictionary.  Do not use any part or any form of a word that is easily identified with you including your name, user id, birthday, address, phone number, social security number, etc.
• Do not write passwords down or store them online.
• Never share passwords with anyone.
• Change passwords often, at least every 3 months.
• Passwords should be resistant to computer programs that check previously used passwords or easily compromised passwords.
• Use login banners.

SSH (Secure Shell)

• Replace rlogin, rsh, and rcp with ssh.
• Provides secure X connections and secure forwarding of arbitrary TCP connections.
• SSH instructions for Unix

Trust Relationships

• Avoid using ~/.rhost and /etc/hosts.equiv entries.  Ideally, the .rhost functionality should be permanently disabled. 

TCP/IP

• Edit the inetd configuration to eliminate unnecessary TCP/IP services.
• Keep current on security issues for TCP/IP services that you run.
• Use tcp wrappers.
• Source
• Installation instructions (from the UF Dept. of Physics)

Anonymous FTP

• Place the ftp directory tree in it's own restricted directory area.
• Delete all user account information from the ~ftp/etc/passwd file or replace the encrypted password fields with an asterisk.
• Make the ftp/bin and ftp/etc directories execute only.  Make sure root owns ~ftp/pub, ~ftp/etc, and ~ftp/bin. 
• Make the ~ftp/pub directory read and execute only.
• If you wish to have a place for anonymous users to leave files, create the directory ~ftp/pub/incoming. This directory is owned by root with permissions 733. 

Mail Relay

• The feature 'mail relaying' must be disabled for hosts outside of ufl.edu domain.  If necessary, permissions can be added for specific outside hosts that need to use your mail server. 
• For instructions on how to close the relay on many popular mail transfer agents, click here.

Patches

• Stay up to date on security patches for your operating system.  At the very minimum administrators should check the security updates for their OS every three months. 
• Be alert for University security announcements that may pertain to your OS or equipment.
• It's much easier to keep current on patches than to rebuild a system that has been compromised using an exploit for which a patch exists.
• Maintain current patches
  • Microsoft http://www.microsoft.com/technet/itsolutions/security/current.asp
  • MS Hotfix Tool http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
  • Solaris http://www.sun.com/software/solaris/downloads.html#security
  • Redhat 7.2 http://www.redhat.com/support/errata/rh72-errata-security.html
  • Redhat 7.1 http://www.redhat.com/support/errata/rh71-errata-security.html
  • Redhat 7.0 http://www.redhat.com/support/errata/rh7-errata-security.html
  • Redhat 6.2 http://www.redhat.com/support/errata/rh62-errata-security.html
  • SUSE http://www.suse.com/us/support/security/index.html
  • FreeBSD http://www.freebsd.org/security/security.html
  • OpenBSD http://www.openbsd.org/security.html
  • NetBSD http://www.netbsd.org/Security/
  • Mandrake http://www.linux-mandrake.com/en/security/
  • Aix http://techsupport.services.ibm.com/rs6k/ml.fixes.html
  • SGI http://www.sgi.com/support/security/patches.html
  • Caldera http://www.caldera.com/support/security/
  • HPUX http://www.software.hp.com/SUPPORT_PLUS/
  • Novell http://support.novell.com/misc/patlst.htm

Auditing

• Review your logs.  Question unusual traffic patterns. 
• Keep logs secure.

Risk Analysis

• Map the network. 
• List your assets.
• Know your vulnerabilities.

Time Synchronization

• Synchronize time on your server with a reliable NTP server in order to accurately compare event logs with other servers.  This is often necessary, for example, when investigating attacks.
• UF NTP servers.

Verify Binaries

• Make sure that your system files have not been replaced or manipulated by hackers.
• Download Tripwire.

Modems

• Identify all modems on your network.
• Poorly managed or unmanaged desktop modems are often a point of entry for hackers.

Viruses

• Off the shelf virus-scanning tools should be used to scan computers on a regular basis.
• When a virus is detected, the system administrator should be informed.
• Any machine thought to be infected by a virus should immediately be disconnected from all networks. The machine should not be reconnected to the network until system administrator can verify that the virus has been removed.
• The system administrator should inform all users with access to the infected system, explain how to determine if their system infected, and the how to remove the virus.
• Protect email from viruses.
• Educate users on safe email practices.
• Download McAfee.

Backups

• Make full backups weekly.
• Store a backup offsite monthly.
• Test the restore process.

Disaster Plan

• Devise a plan to keep critical services running in case of a disaster such as hurricane.

Equipment Disposal

• When you dispose of old computer equipment, hard disks, diskettes and/or tapes, make sure that the magnetic media is reformatted or degaussed (erased). 

Updated January 29, 2004

OIT Units

Chief Information Officer , Academic Technology, Computing and Networking Services , Network Services, Telecom

Services

Students, Faculty, Staff

Committees

IT Advisory Committee, Academic Technology, Data Infrastructure, High-Performance Computing, Network Infrastructure, Information Security Management, Ad Hoc

Projects

UF Exchange, High Performance Computing, AT Grid, Active Directory Project, Microsoft Campus Agreement, more...

Policies

Acceptable Use (AUP), IT Security, IT Strategic Plan, Disabled Access Computing Policy, more...

System Status

Bridges Status, CNS Reported Issues, Gatorlink Mail, ISIS, Outgoing Mail, Network Status, Webadmin Sites, Webmail

Training

Students, Faculty, Staff, Other Resources

Topics of Interest

Charging for Dial Up Services, Gatorlink Eligibility, Email/Gatorlink Configuration, Connecting to UF , IT Reports

Text-only Version

Search:

OIT Site UF Web with Google UF Phonebook

OIT Units | Services | Committees | Projects | Policies | Training

© University of Florida, Gainesville, FL 32611; (352) 392-1301. Privacy Policy
For Gatorlink/Technical Issues - UF Help Desk - (352) 392-HELP (4357)
Webmaster -

This page was last updated Friday June 13 2008

This page uses Google Analytics (Google Privacy Policy)