University of California, Riverside

Security



Minimum Standards for Connecting to UCR's Network


Given the ever increasing importance of UCR’s electronic systems, communications, and infrastructure, UCR has developed a suite of Minimum Standards for all devices connecting to the campus' network. These standards will help ensure the campus electronic resources are available, reliable, and secure. Please note that these are minimum standards only, and departments may elect to apply more stringent standards and/or guidelines. For more information about these standards, please contact Russ Harvey, C&C Director of Computing Infrastructure and Security (russ.harvey@ucr.edu).

Contents

Software Patch Updates

Campus networked devices must run software for which security patches are made available in a timely fashion. All currently available security patches must be installed. Exceptions may be made for patches that compromise the usability of critical applications. Visit the vendor's patch and update website to find the latest software version available. Below are some of the more popular websites:

Return to Top

Anti-Virus and Anti-Spyware Software

Anti-virus and anti-spyware software must be running and up-to-date on every level of device, including personal computers, file servers, mail servers, and other types of campus networked devices. The software must be updated regularly to receive the latest virus and spyware definitions. The campus accepts most major vendors' anti-virus products as acceptable for the purposes of meeting the minimum anti-virus standards, however, the campus has site licensed Sophos AntiVirus software for both Windows and Mac computers connected to the campus network.  Included in the Sophos product is the anti-spyware protect. C&C also recommends using an additional anti-malware/spyware package on Windows machines in conjunction with Sophos for increased protection.  Download Anti-Virus Software

Return to Top

Host/PC Firewall Software

Firewall software for desktop and server based networked devices must be running and configured. While the use of departmental firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls. Host-based firewall protection is included in current versions of the major supported operating systems (Windows 10 and Mac OS X). The campuses site license for Sophos AntiVirus software will include Firewall protection in their next major release. This will meet the minimum requirements as well as Windows 10's built in firewall product. Other products are available for PC's local firewall protection such as ZoneLabs ZoneAlarm software.

Return to Top

Passwords

No campus electronic communications user account shall exist without a password. The password must meet minimum length and complexity requirements specified in the Secure and Robust Passwords document. All services requiring authentication should be encrypted. All default passwords for network accessible accounts must be modified. Passwords for administrative privileges must be different than those used for non-admin accounts. More information on Password Management.

NOTE:  No one from any UCR group or department will ever ask for your username and password or other personal information such as social security number via email.

Return to Top

Physical Security

Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 15 minutes. It is also recommended that devices be located behind locked doors with limited access.

Return to Top

Unnecessary Services

If a service is not necessary for the intended purpose or operation of the device, that service shall not be running. Examples may include DCOM, IIS, Telnet, FTP, SNMP, POP, IMAP and MS Indexing. Use services that provided encryption authentication mechanisms for example install/use SSH instead of Telnet which uses clear text passwords that may be snooped on the network. Unauthenticated email relays are not allowed as they provided unauthorized third parties to relay email messages leading to SPAM.

Return to Top

Proper Configurations

Poorly configured devices can cause more vulnerability in a device than software defects. Each device must be properly configured to eliminate inappropriate file, directory and share permissions and expose the device to unauthorized access, along with using weak or missing passwords. Also, services running with administrative privileges can be at fault for exposing the device to exploits and must be configured properly. An example would be no uncontrolled access to proxy servers.

Return to Top

Minimize Unencrypted Authentication

Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices should use only encrypted authentication mechanisms.

In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP should be replaced by their encrypted equivalents wherever possible.

Return to Top

No Unauthenticated Email Relays

Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.

Return to Top

No Uncontrolled Access to Proxy Services

Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate device configuration. Open access proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless a proxy service has been approved by Network Operations as to configuration and appropriate use, it is not allowed on the campus network.

In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent uncontrolled access to proxy services.

Return to Top

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu

Footer