Workstation Best Practices
The purpose of this document is to provide guidelines for best security practices when installing new workstations (or reconfiguring old workstations) on the Texas State campus network. This document is "OS-independent". In other words, the specifics of HOW to implement these practices on a particular OS are left to the technicians responsible for those workstations and operating systems.
It is not the purpose of this document to provide the information necessary to correctly administer a workstation. It is assumed that the technicians responsible for implementing these practices are knowledgeable of the operating system they have chosen, the hardware on which it runs and any applications that they intend to install on it. The technician is expected to already have that expertise or to obtain it before administering workstations on the Texas State network.
The first thing that must be understood about security is that it is not a destination at which you arrive. It is an ongoing set of tasks and activities that requires daily attention and expertise. The most highly secured workstation in the world can quickly become insecure from lack of daily attention.
No workstation should be connected to the Texas State network until the following items have been accomplished:
- All security patches for the selected OS and applications have been applied.
- All documentation (licenses, vendor-supplied documents, etc.) is available and secured in a plastic, lockable bag attached to the workstation.
- The OS has been properly installed and configured.
- All "network application" services have been disabled (e.g. HTTP, telnet, FTP, SMTP, DNS). No service should be enabled on a workstation unless it is absolutely necessary for operating the workstation. Workstations should never host web, ftp, smtp, dns, or telnet services.
- A viable process is in place to maintain the workstation properly, including consistent regular patching of the OS and all applications.
- All passwords must conform to Password Security best practices and be accessible only to the password's owner.
- Workstations should never be used as servers.
- "Owners" should not use an account that has administrative access to the workstation for routine work. A separate account (such as "root" or "Administrator") should be used for administrative access; the owner should log in as the administrator only when administrative access is required and log out when the work is completed.
Connecting to the Network
- No workstation should be connected to the Texas State network without the knowledge and consent of qualified technical personnel.
- No workstation should be connected to the Texas State network unless it has virus protection in place and it has been properly configured and updated.
- Every workstation should use a dynamically assigned IP address. If the workstation requires a static IP address for some reason, the technician should consult with the Information Technology Assistance Center (ITAC) to establish the requirements.
- Before enabling any services, consult with the Information Technology Assistance Center (ITAC) regarding the proper configuration of the workstation within the appropriate domain.
- Only those services necessary to accomplish the task assigned to a workstation should be enabled. In practice this will mean disabling many services which are enabled by default. The specifics of any particular workstation are left to the technician to determine.
- No workstation is allowed to run DNS, DHCP, NIS+ or a Windows Domain Controller under any circumstances.
- Those services that are enabled should be patched fully and secured properly before being enabled. Consult the vendor's documentation for proper security procedures for the application in question.
- If the OS provides a stateful firewall (such as ipchains, iptables, ipfw, ipsec, etc.), it should be enabled and configured so that only outgoing traffic is allowed. If the OS does not provide a stateful firewall, consider purchasing one.
- Services which should be restricted, such as ssh, should also have tcpwrappers or a similar program enabled to limit access to authorized personnel only.
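The two items above (an outbound-only stateful firewall, and tcpwrappers in front of ssh) are shown together below as an added example; it is not part of the Texas State document. The script only generates the rules for review rather than applying them, and the management network 192.0.2.0/24 (a documentation range) and the file names hosts.allow / hosts.deny are assumptions.

```shell
#!/bin/sh
# Added example, not from the Texas State guidelines: generate (but do not
# apply) a host firewall ruleset that allows only outgoing traffic, plus
# tcpwrappers entries that restrict sshd to an assumed management network.

# Emit an iptables-restore style ruleset: INPUT defaults to DROP, loopback is
# allowed, and only replies to connections the workstation itself opened are
# accepted (the "stateful" part). OUTPUT stays open.
outbound_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Emit tcpwrappers entries so sshd accepts only the given net/mask and every
# other wrapped service is denied by default. $1 is the admin network in the
# classic n.n.n.n/m.m.m.m form that hosts_access(5) understands.
tcpwrappers_ssh_rules() {
    admin_net="$1"
    printf 'hosts.allow:\nsshd: %s\n' "$admin_net"
    printf 'hosts.deny:\nALL: ALL\n'
}

# Sanity check before applying: the INPUT chain must default to DROP and the
# stateful accept rule must be present. Returns 0 when both hold.
check_ruleset() {
    rules=$(outbound_only_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Print both rule sets for review. To apply the firewall part on a Linux host:
#   outbound_only_ruleset | iptables-restore
if [ "${1:-}" = "show" ]; then
    check_ruleset && outbound_only_ruleset
    tcpwrappers_ssh_rules 192.0.2.0/255.255.255.0
fi
```

Run it with `sh script.sh show` to review the output. Because INPUT defaults to DROP, any service later enabled for a workstation has to be added as an explicit ACCEPT rule, which keeps the "only necessary services" decision visible in one place.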
- ALL default passwords must be changed immediately. The technician should be thoroughly familiar with the OS and all applications and what the password parameters are of each of them. Consult vendor documentation for the details.
- Passwords should not be written down anywhere. Consider keeping an encrypted list of all passwords on a separate, secure machine or device.
- Access to administrator passwords should be limited to the smallest number of people necessary to properly maintain the workstation and allow access to it in case of emergencies.
- All workstations should have access logging enabled.
- Logs should be checked regularly (at least weekly) for unusual access attempts.
- Consider obtaining log "sentry" software which notifies the admin of unusual events by email.
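As an added example of the weekly log check described in the three items above (not part of the Texas State document), the script below counts failed sshd logins per source address and flags sources that also logged in successfully after failing, which is worth a second look. The log lines are constructed samples in standard syslog/sshd format, the threshold of 3 is an assumption, and the functions return non-zero when something is flagged so a cron job can mail the result to the administrator.

```shell
#!/bin/sh
# Added example, not from the Texas State guidelines: a small "log sentry"
# for the weekly review of unusual access attempts in sshd log lines.

# Constructed sample log (the format sshd writes to auth.log or secure).
SAMPLE_LOG='Mar  3 02:14:07 ws17 sshd[4021]: Failed password for invalid user oracle from 198.51.100.23 port 51234 ssh2
Mar  3 02:14:09 ws17 sshd[4023]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 02:14:11 ws17 sshd[4025]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar  3 02:14:13 ws17 sshd[4027]: Failed password for admin from 198.51.100.23 port 51250 ssh2
Mar  3 09:02:44 ws17 sshd[5110]: Failed password for jdoe from 192.0.2.15 port 40011 ssh2
Mar  3 09:02:51 ws17 sshd[5112]: Accepted publickey for jdoe from 192.0.2.15 port 40011 ssh2
Mar  3 11:30:02 ws17 sshd[5301]: Accepted password for jdoe from 192.0.2.15 port 40188 ssh2'

# Read log text on stdin; print "ip count" for every source address with at
# least $1 failed password attempts, sorted by address.
failed_logins_over() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort
}

# Read log text on stdin; print source addresses that had at least one
# failure and then an accepted login later in the log.
successes_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && ($(i + 1) in fails)) seen[$(i + 1)] = 1
        }
        END { for (ip in seen) print ip }
    ' | sort
}

# Weekly report: reads the log on stdin, prints findings, returns 1 if any.
# Suggested cron use: weekly_report 3 < /var/log/auth.log || mail admin
weekly_report() {
    threshold="$1"
    log=$(cat)
    found=0
    flagged=$(printf '%s\n' "$log" | failed_logins_over "$threshold")
    if [ -n "$flagged" ]; then
        echo "Sources with $threshold or more failed logins (ip count):"
        echo "$flagged"
        found=1
    fi
    mixed=$(printf '%s\n' "$log" | successes_after_failures)
    if [ -n "$mixed" ]; then
        echo "Successful logins from sources that also failed (review these):"
        echo "$mixed"
        found=1
    fi
    [ "$found" -eq 0 ]
}

# Demonstrate on the constructed sample; "|| :" keeps the script's own exit
# status at 0 even though the report flags two findings.
printf '%s\n' "$SAMPLE_LOG" | weekly_report 3 || :
```

On the sample, 198.51.100.23 is reported for four failures and 192.0.2.15 for a successful login following a failure. The threshold is deliberately low because a workstation should see very few remote login attempts at all; tune it to what is normal for the machine.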
- All workstations with critical data should be backed up on a daily basis so that the maximum data loss, in the event of disaster, is limited to one day.
- Recovery procedures should be tested on a regular basis.
- Backups are the responsibility of the departmental security administrator.
- Sensitive data, such as student records or social security numbers, is protected by legislation (FERPA, HIPAA, ECPA, etc.) and should be available only to users with a valid need-to-know.
- To protect data from disclosure in the event of unauthorized server access, further security measures that obfuscate sensitive data are highly recommended.
Remote Access to Workstations
- If remote access to workstations is necessary, it should be highly restricted, by both username and IP address.
- The use of encryption for remote access is not optional. SSH and VPN should be used in all cases.
- Remote host access should be limited by single IP or by the smallest IP range possible.
- Special attention must be given to remotely accessible machines. Host-based intrusion detection should be installed, logging should be increased, accounts on the workstation should be limited to responsible administrators only, and the workstation's logs should be sent to a syslog host.