MCS Network Security Policy

The MCS Network Security Policy is based on the campus-level network security policies:

Prior to connection to the department production network, all computers (whether department-managed or personally-owned) must contact mathhelp staff first to verify the computer meets the campus minimum network security standards.

Mathhelp staff will then register your computer's physical Ethernet hardware MAC address with the department's DHCP server in order to allow you to connect to the department production network.

MCS Network Security Policy Implementation Guidelines

The key points of the policy can be quickly implemented by:

  1. Turning off all unnecessary external network services.
  2. Turning on the host-based software firewall.
  3. Installing the latest OS software updates (patches).
  4. Installing antivirus software and verifying that the latest virus signatures are loaded and active.

OS-SPECIFIC IMPLEMENTATION PROCEDURES:

Mac OS X (MINIMUM)

  1. Go to "Apple menu" -> "System Preferences..." -> "Sharing".
  2. In the "Services" tab, verify that all unnecessary services listed are checked OFF (in most cases, "Apple Remote Desktop" is the only useful service that can be left on for department-managed computers).
  3. In the "Firewall" tab, verify that all unnecessary service ports are checked OFF (don't forget to turn OFF "Network Time" at the bottom of this list). Then verify that the firewall status is currently at "Firewall On" (if not, click the "Start" button).
  4. In the "Internet" tab, verify that all network sharing ports are checked OFF and that the Internet sharing status is at "Internet Sharing Off" (if not, click the "Stop" button).
  5. Go to "Apple menu" -> "Software Update..." and install all available recommended OS software updates (in particular, updates that are security-specific, OS-related, or network service-related should be installed first).
  6. Update any installed antivirus software with the latest virus signatures. For department-managed computers, use the latest Symantec AntiVirus for Mac OS. For personally-owned computers, use the campus Sophos AntiVirus or ClamXav.

Mac OS X (ADDITIONAL)

  1. Go to "Apple menu" -> "System Preferences..." -> "Sharing" -> "Firewall" tab -> "Advanced..." button.
    • Block UDP Traffic = ON
    • Enable Firewall Logging = ON
    • Enable Stealth Mode = ON
  2. Go to "Apple menu" -> "System Preferences..." -> "Security".
    • Require password to wake this computer from sleep or screen saver = ON
    • Disable automatic login = ON
    • Require password to unlock each secure system preference = ON
    • Use secure virtual memory = ON
    • Disable remote control infrared receiver = ON
  3. Go to "Apple menu" -> "System Preferences..." -> "Accounts".
  4. Verify that only co-administrator accounts (e.g. "mcsadmin") have "Allow user to administer this computer" checked ON. User-administered home or laptop computers should have 2 separate accounts: a regular user account (e.g. "nhartley") and a co-administrator account (e.g. "nhartleyadmin"). All accounts should have a password set.
  5. Click on the "Login Options" icon and set the following:
    • Automatically login as = OFF
    • Display login window as = Name and password
    • Show password hints = OFF
    • Enable fast user switching = OFF
  6. Go to "Apple menu" -> "System Preferences..." -> "Desktop & Screen Saver" -> "Screen Saver" tab.
  7. Set the "Start screen saver:" slider to 20 minutes.
  8. Go to "Apple menu" -> "System Preferences..." -> "Bluetooth" -> "Settings" tab.
  9. If not using any Bluetooth devices, click the "Turn Bluetooth Off" button so that "Bluetooth Power:" = Off and check that "Discoverable" is OFF.
  10. In the "Sharing" tab, check that all Bluetooth sharing services have "Require pairing for security" enabled.

Windows XP (MINIMUM)

  1. Go to "Start menu" -> "Control Panel" -> "Security Center" -> "Windows Firewall".
  2. In the "General" tab, verify that the firewall is checked ON.
  3. In the "Exceptions" tab, verify that all programs and services are checked OFF.
  4. Go to "Start menu" -> "All Programs" -> "Windows Update" and install all available recommended OS software updates (in particular, all of the "High Priority" or "Critical" updates that are security-specific, OS-related, or network service-related should be installed first).
  5. Update any installed antivirus software with the latest virus signatures. For department-managed computers, use the latest Symantec AntiVirus Corporate Edition. For personally-owned computers, use the campus Sophos AntiVirus, ClamAV for Windows, or AVG Anti-Virus Free Edition.

Windows XP (ADDITIONAL)

  1. Go to "Start menu" -> "Control Panel" -> "User Accounts".
  2. Click on "Change the way users log on or off".
    • Use the Welcome Screen = OFF
    • Use Fast User Switching = OFF
  3. Verify that only co-administrator accounts (e.g. "mcsadmin") are of type "Administrator" and regular user accounts are of type "Limited". User-administered home or laptop computers should have 2 separate accounts: a regular user account (e.g. "nhartley") and a co-administrator account (e.g. "nhartleyadmin"). All accounts should have a password set.
  4. Right-click on the background desktop -> "Properties".
  5. In this "Display Properties" window, go to the "Screen Saver" tab.
    • Wait minutes = 20
    • On resume, password protect = ON
  6. Go to "Start menu" -> "Control Panel" -> "Security Center" -> "Windows Firewall".
  7. In the "Advanced" tab -> "Settings..." button -> Check ON "Log dropped packets".

Linux/UNIX

  1. Due to the significant differences in software, commands, and configuration among the various distributions and versions of Linux/UNIX, each case must be individually handled.
  2. Turn off all unnecessary network services (daemons listening on non-localhost network addresses). These can usually be checked and configured using a combination of "netstat -an", "lsof", "fuser", "nmap", "chkconfig --list", "system-config-services", and editing /etc/rc.#-type startup files. In most cases, "sshd" is the only useful network service that can be left on (as long as all user accounts have strong passwords).
  3. Turning on and configuring the firewall can usually be done by running "iptables", "ipchains", or "system-config-securitylevel", etc.
  4. Installing software updates (patches) can usually be done by running "up2date", "yum", "dselect", etc.
  5. For antivirus software, use ClamAV or the campus Sophos AntiVirus.
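As an added example (not part of the MCS page or its tooling), the following script applies step 2 of the Linux/UNIX procedure to "netstat -an"-style output: it lists daemons bound to non-loopback addresses and flags every one that is not sshd, which is assumed here to be on its default port 22. The netstat sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed "netstat -an"-style sample (not real data) covering the cases
# the policy cares about: external listeners, loopback-only listeners,
# an established (non-listening) connection and a unix socket.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.5:50000      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock'

# Print "proto port" for each socket bound to a non-loopback address.
# TCP sockets count only in LISTEN state; UDP sockets carry no state column.
# The port is the text after the last ":" so IPv6 forms like ":::22" parse.
external_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next
      addr = $4
      n = split(addr, p, ":")
      port = p[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host ~ /^127\./ || host == "::1") next
      print $1, port
    }'
}

# Keep only listeners the policy does not allow: everything except sshd,
# assumed to be on port 22 (adjust if sshd_config uses another Port).
policy_violations() {
  awk '$2 != 22'
}

# Run against the constructed sample. On a real host, pipe the live output
# instead:  netstat -an | external_listeners | policy_violations
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners | policy_violations
```

Each line printed is a daemon to shut off or bind to localhost before the machine is registered with mathhelp; an empty result means only sshd is reachable from the network.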