Computing Platform Standard
Introduction
Scope
Administrative Application Servers
Academic Application Servers
Network Application Servers
Client Computers
Public Workstations
1.0 Introduction
1.1 Purpose
This document will establish a framework for the management of MnSCU computing platforms.
1.2 Background
MnSCU has adopted a defense in depth strategy for Information Security. Host security, based on sound data protection strategy, is one layer of the security model.
2.0 Scope
2.1 Users
This standard shall apply to all administrators and managers of MnSCU computing platforms.
2.2 Systems
This standard shall apply to all computing platforms that process, handle, or transmit MnSCU data in any form.
2.3 Computing platform types
2.3.1 Administrative Application Servers
Servers that host Administrative applications.
2.3.2 Academic Application Servers
Servers that host Academic applications.
2.3.3 Network Application Servers
Servers that host Network Applications.
2.3.4 Client Computers
Desktop, laptop, PDA, or other computing platforms primarily used as client machines in a client/server relationship.
2.3.5 Public Workstations
Computing platforms available for use by the general public, such as kiosks or library research tools.
3.0 Administrative Application Servers
Administrative Application Server configuration shall be determined by business requirements based on server role and data zone requirements.
3.1 General
3.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
3.1.1.1 Systems
- All Administrative Application Server hardware and software shall be approved by the Information Security Manager or designee.
3.1.1.2 Software
- All software shall be in compliance with licensing requirements.
3.1.2 Tracking
Stewardship responsibilities require assets to be accountable.
- All Administrative Application Servers shall be registered with the asset management system before introduction into ANY security zone.
- Removal of any registered asset shall require approval of the Information Security Manager or designee.
3.1.3 Physical and Environmental considerations
Stewardship responsibilities require locations to be adequate.
- All Administrative Application Servers shall be installed in compliance with all relevant physical and environmental codes and standards.
3.1.4 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Administrative Application Servers shall synchronize internal system clocks via facility time servers.
3.1.5 Maintenance Ports
Unattended maintenance ports may allow unauthorized escalation of privileges.
- No unattended maintenance ports shall be allowed on any Administrative Application Servers.
- All Administrative Application Server maintenance ports shall have password protected screen savers with a timeout of not more than 5 minutes.
3.1.6 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to computing platforms.
- All default username/password combinations shall be changed on all Administrative Application Servers.
- All default accounts shall be justified or deleted on all Administrative Application Servers.
3.1.7 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Administrative Application Servers.
- User accounts shall not be shared.
3.1.8 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
3.1.9 Logging
Logging is crucial to accurate event reconstruction.
- All Administrative Application Servers shall enable logging.
- All Administrative Application Server administrative log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Administrative Application Servers shall log to a discrete logfile on an authorized log repository.
3.1.10 Device Naming
Device names should not allow for unauthorized system mapping.
- Administrative Application Servers shall have names that have no relevance to MnSCU, their function, nor their place in the network architecture.
3.1.11 Server changes
Changes must be controlled to ensure consistency.
- All Administrative Application Servers shall be governed by a Configuration Control process.
- Any Administrative Application Server change shall require:
  - re-baselining of the host network audit.
  - re-baselining of the host operating system.
3.1.12 Host Integrity
Controls should exist to detect successful or attempted unauthorized changes.
- All Administrative Application Servers shall be protected by a file integrity checking mechanism to ensure integrity of OS and application files.
- All file sharing Administrative Application Servers shall implement and maintain a malicious software protection mechanism approved by the Information Security Manager or designee.
3.2 UNRESTRICTED
3.2.1 Operating Systems
- All Administrative Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All Administrative Application Servers shall run the minimal number of services required to meet their business requirements.
3.2.2 Administration
3.2.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
3.2.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.2.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
3.3 RESTRICTED
3.3.1 Operating Systems
- All Administrative Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All servers shall run the minimal number of services required to meet their business requirements.
3.3.2 Administration
3.3.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
3.3.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.3.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
3.4 PROTECTED
3.4.1 Operating Systems
- All Administrative Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All servers shall run the minimal number of services required to meet their business requirements.
3.4.2 Administration
3.4.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
3.4.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.4.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.0 Academic Application Servers
Academic Application Server configuration shall be determined by business requirements based on server role and data zone requirements.
4.1 General
4.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
4.1.1.1 Systems
- All Administrative Application Server hardware and software shall be approved by the Information Security Manager or designee.
4.1.1.2 Software
All software shall be in compliance with licensing requirements.
4.1.2 Tracking
Stewardship responsibilities require assets to be accountable.
- All Administrative Application Servers shall be registered with the asset management system before introduction into ANY security zone.
- Removal of any registered asset shall require approval of the Information Security Manager or designee.
4.1.3 Physical and Environmental considerations
Stewardship responsibilities require locations to be adequate.
- All Academic Application Servers shall be installed in compliance with all relevant physical and environmental codes and standards.
4.1.4 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Academic Application Servers shall synchronize internal system clocks via facility time servers.
4.1.5 Maintenance Ports
Unattended maintenance ports may allow unauthorized escalation of privileges.
- No unattended maintenance ports shall be allowed on any Academic Application Servers.
- All Administrative Application Server maintenance ports shall have password protected screen savers with a timeout of not more than 5 minutes.
4.1.6 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to computing platforms.
- All default username/password combinations shall be changed on all Academic Application Servers.
- All default accounts shall be justified or deleted on all Academic Application Servers.
4.1.7 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Academic Application Servers.
- User accounts shall not be shared.
4.1.8 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
4.1.9 Logging
Logging is crucial to accurate event reconstruction.
- All Academic Application Servers shall enable logging.
- All Academic Server administrative log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Academic Application Servers shall log to a discrete logfile on an authorized log repository.
4.1.10 Device Naming
Device names should not allow for unauthorized system mapping.
- Academic Application Servers shall have names that have no relevance to MnSCU, their function, nor their place in the network architecture.
4.1.11 Server changes
Changes must be controlled to ensure consistency.
- All Academic Application Servers shall be governed by a Configuration Control process.
- Any Academic Application Server change shall require:
  - re-baselining of the host network audit.
  - re-baselining of the host operating system.
4.1.12 Host Integrity
Controls should exist to detect successful or attempted unauthorized changes.
- All Academic Application Servers shall be protected by a file integrity checking mechanism to ensure integrity of OS and application files.
- All file sharing Academic Application Servers shall implement and maintain a malicious software protection mechanism approved by the Information Security Manager or designee.
4.2 UNRESTRICTED
4.2.1 Operating Systems
- All Academic Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All Academic Application Servers shall run the minimal number of services required to meet their business requirements.
4.2.2 Administration
4.2.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
4.2.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.2.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.3 RESTRICTED
4.3.1 Operating Systems
- All Academic Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All servers shall run the minimal number of services required to meet their business requirements.
4.3.2 Administration
4.3.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
4.3.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.3.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.4 PROTECTED
4.4.1 Operating Systems
- All Academic Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All servers shall run the minimal number of services required to meet their business requirements.
4.4.2 Administration
4.4.2.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
4.4.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.4.2.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
5.0 Network Application Servers
Network Application Servers are the computing platforms that provide infrastructure Network Services by hosting and running Network Applications.
5.1 General
5.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
5.1.1.1 Systems
- All Network Application Server hardware and software shall be approved by the Information Security Manager or designee.
5.1.1.2 Software
- All software shall be in compliance with licensing requirements.
5.1.2 Tracking
Stewardship responsibilities require assets to be accountable.
- All Network Application Servers shall be registered with the asset management system before introduction into ANY security zone.
- Removal of any registered asset shall require approval of the Information Security Manager or designee.
5.1.3 Physical and Environmental considerations
Stewardship responsibilities require locations to be adequate.
- All Network Application Servers shall be installed in compliance with all relevant physical and environmental codes and standards.
5.1.4 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Network Application Servers shall synchronize internal system clocks via facility time servers.
5.1.5 Maintenance Ports
Unattended maintenance ports may allow unauthorized escalation of privileges.
- No unattended maintenance ports shall be allowed on any Network Application Servers.
- All Network Application Server maintenance ports shall have password protected screen savers or logout with a timeout of not more than 5 minutes.
5.1.6 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to computing platforms.
- All default username/password combinations shall be changed on all Network Application Servers
- All default accounts shall be justified or deleted on all Network Application Servers.
5.1.7 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Network Application Servers.
- User accounts shall not be shared.
5.1.8 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
5.1.9 Logging
Logging is crucial to accurate event reconstruction.
- All Network Application Servers shall enable logging.
- All Network Application Server administrative log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Network Application Servers shall log to a discrete logfile on an authorized log repository.
5.1.10 Device Naming
Device names should not allow for unauthorized system mapping.
- Network Application Servers shall have names that have no relevance to MnSCU, their function, nor their place in the network architecture.
5.1.11 Network changes
- Changes must be controlled to ensure consistency.
- All network server changes shall be governed by a Configuration Control process.
- Any Network Application Server change shall require:
  - re-baselining of the network audit.
  - re-baselining of the host operating system.
5.1.12 Host Integrity
Controls should exist to detect successful or attempted unauthorized changes.
- All Network Application Servers shall be protected by a file integrity checking mechanism to ensure integrity of OS and application files.
- All file sharing Network Application Servers shall implement and maintain a malicious software protection mechanism approved by the Information Security Manager or designee.
5.2 Operating Systems
- All Network Application Server operating systems shall be hardened.
- All hardened operating systems shall be audited, and a baseline established
- All Network Application Servers will run the minimal number of services required to meet their business requirements.
- All software shall be in compliance with licensing requirements.
5.3 Administration
5.3.1 Administrative authorization
- Administrative access shall be limited to authorized roles.
5.3.2 Administrative accounts
- Authorized administrators shall have unique accounts
5.3.3 Administrative passwords
- All passwords shall be encrypted.
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
6.0 Client Computers
Client computer configuration shall be determined by business requirements based on user role and security zone requirements.
6.1 General
6.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
6.1.1.1 Systems
- All Client Computer hardware and software shall be approved by the Information Security Manager or designee.
6.1.1.2 Software
- All software shall be in compliance with licensing requirements.
- All Client Computers shall have active anti-virus protection
6.1.2 Tracking
Stewardship responsibilities require assets to be accountable.
- All Client Computers shall be registered with the asset management system before introduction into ANY security zone.
- Removal of any registered asset shall require approval of the Information Security Manager or designee.
6.1.3 Integrity
Client computers must be protected against both identity theft and unauthorized change.
- All client computers shall enable a password protected screensaver approved by the Information Security Manager or designee.
- Screensavers shall have no longer than a 5 minute timeout.
6.2 UNRESTRICTED
6.2.1 Operating Systems
6.2.1.1 Local User Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days' notice prior to password expiration shall be given.
6.2.2 Administration
- Only authorized roles shall have administrative access to Client Computers
6.3 RESTRICTED
6.3.1 Operating Systems
6.3.1.1 Local User Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days' notice prior to password expiration shall be given.
6.3.2 Administration
- Only authorized roles shall have administrative access to Client Computers
6.4 PROTECTED
6.4.1 Operating Systems
6.4.1.1 Local User Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days' notice prior to password expiration shall be given.
6.4.2 Administration
- Only authorized roles shall have administrative access to Client Computers
7.0 Public Workstations
Public workstations present special security hazards because of access control and accountability.
7.1 General
7.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
7.1.1.1 Systems
- All Public Workstation hardware and software shall be approved by the Information Security Manager or designee.
7.1.1.2 Software
- All Public Workstation software shall be in compliance with licensing requirements.
7.1.2 Tracking
Stewardship responsibilities require assets to be accountable.
- All Public Workstations shall be registered with the asset management system before introduction into ANY MnSCU environment.
- Removal of any registered asset shall require approval of the Information Security Manager or designee.
7.1.3 Log-on banner
Log-on banners inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations, recourse, and privacy shall be presented on each log-on attempt.
7.2 Public Workstation Platforms
Because of security considerations, public workstation functionality must be limited.
- Public workstations shall have NO user accessible mass storage capability.
- Operating systems shall ONLY permit the functionality required in performance of the Public Workstation's mission.
7.3 Public Workstation Accounts
7.3.1 Authenticated accounts
- Public Workstations with access controls sufficient to validate and correlate identified user to time of use shall be treated as Client computers.
- Personally identifiable user information shall be handled in accordance with applicable federal and state privacy laws.
7.3.2 Anonymous accounts
- Public Workstations that allow anonymous usage are inherently insecure and an identified security risk.
- Public workstations hosting anonymous accounts shall not be allowed within any logical high security perimeter.
- Locations hosting Public Workstations with anonymous accounts shall segregate anonymous network access from other MnSCU traffic.
- Current standards require a password with a minimum length of 6 characters and a maximum length of 8 characters. A minimum length of 8 characters would increase the difficulty of a brute force attack.
- A password segment in the Security Awareness curriculum should demonstrate the need for password security. The sophistication and reality of brute force attacks could be emphasized to make the point.


