OUHSC Information Technology Department



Virus Response policies:

To: Deans, Business Managers, and Tier Ones
From: Office of the Provost
Subject: IMPORTANT - New policies in response to virus attacks on the HSC computing network
Date: 9-10-03

The Health Sciences Center computing network is vital to our mission, and we must take steps to prevent the rash of worms and viruses we’ve seen over the past few weeks. The disruption to the faculty, staff and students from these recent attacks has been significant, and the computing industry predicts the attacks will get worse. Further, federal regulations continue to add security requirements for the protection of OUHSC’s critical information assets.

The Deans' Council and I have directed Information Technology to develop policies to enhance the security of the campus' computing infrastructure. It is expected that the Tier 1s in your units will be empowered to carry out these policies. Per the information below, work should begin immediately to comply with these policies, procedures, and standards for any Microsoft Windows based computer. The IT Security Services web site document will detail the issues and reasoning behind these requirements.

Required immediately:

  • Information Security Services shall have authority to issue and enforce computer security policies, procedures, and standards. For example:
    - Require security patches be applied to computers
  • Departmental Local Area Network administrators shall have the authority to implement and enforce computer security policies, procedures, and standards. For example:
    - Install antivirus software
    - Apply security patches to computers
    - Remove software that presents a security risk
    - Rebuild computers that have been compromised
  • Antivirus policy: All computers connecting to the university network must have an approved, functioning, and up-to-date antivirus program.
  • Antivirus procedures: Faculty, staff, and students may obtain university provided antivirus programs for campus and home use at: http://www.ouhsc.edu/it/virus_scan/index.asp
  • Antivirus standard: Antivirus programs must be set to auto update virus definitions daily.
  • Security patch policy: All computers connecting to the university network must meet a standard level for security patches.
  • Security patch procedures: All computers connecting to the university network must have an automated procedure for maintaining current patch levels.
  • Security patch standard: All applicable critical security patches must be installed within 48 hours of patch release by the vendor. Information Security Services will notify LAN administrators concerning a general patch deployment for the campus. LAN administrators are responsible for applying patches and for determining patches required for departmental specific applications.
  • Network policy: Compromised or virus infected computers must have their network connections disabled to prevent spread of infection or illegal activities.


Required by September 30, 2003:

Introduction:

Active Directory (AD) provides an organized structure for our 7,000+ MS based computers. AD provides authentication to network services as well as application of policies based upon Organizational Units (OU). These Organizational Units are containers for computers and have been created to contain departmental computing resources. Tier Ones have been delegated administrative authority to manage these OUs. Group Policies can be applied to computers within OUs to automate configuration and patch management.

Policies:

  • All MS Active Directory compatible computers must become members of Active Directory
    - This will enable application of security group policies
    - No local workgroups allowed
  • Computer Objects can only be created and joined to Active Directory by IT and Tier Ones.
    - This is to ensure that computers joining our domain are doing so by personnel who understand and have agreed to the policies for network computers in our domain (antivirus, patching, etc.)
  • A computer naming scheme will be used to aid in identification.
  • Computer Objects must be created and placed into Organizational Units that represent university departments.
    - The default Computers container can no longer be used to contain computers in our domain.
    - This will help ensure that all computer objects have been identified and are being managed by a Tier One.
  • The “managed by” field needs to be populated with the name of the person who manages the computer for the department.
  • The domain administrators group must be a member in the local administrators group.
    - This allows domain administrators the ability to use reporting tools and apply domain wide policies.
  • Active Directory passwords must meet complexity requirements.
  • All remaining NT domains must be migrated to Active Directory by September 30, 2003
    - Joining Active Directory is necessary for security group policies to apply to the domain.
  • Accessing third party mail providers from the OUHSC campus network will not be allowed. The OUHSC Exchange email system is the supported email platform for campus and provides necessary antivirus capabilities that may not be present on third party email providers.

Required by December 31, 2003:

All computers using Microsoft operating systems must be running current supported versions and be compatible with Active Directory.

Explanation:
i. Microsoft does not provide security patches for unsupported operating systems, and support for products in the extended phase requires additional costs. Unpatched systems are a risk to the entire network, and a few compromised systems have caused disruption for the entire campus.
ii. If the vendor no longer provides technical support for the operating system, then the University cannot provide technical support for the operating system.
iii. The University provides a site license under the MS Campus Agreement to upgrade unsupported operating systems to supported versions.
iv. Older operating systems are not compatible with Active Directory (AD). The security level of AD must be lowered just to allow Windows 9X computers to log on. This reduces the value of the higher security built into Active Directory.
v. Active Directory security group policies are not compatible with 95, 98, ME, or NT.
vi. HIPAA will require unique user identification (Logon to the desktop operating system) which is a feature not supported on Win 95 or 98.

Unsupported or non AD compatible operating systems:

  • MS Windows 95
    - Mainstream Support ended December 31, 2000
    - Entered non supported phase on December 31, 2001
  • MS Windows 98
    - Mainstream support ended June 30, 2002
    - Entering non supported phase on January 16, 2004
  • Windows NT Workstation 4
    - Mainstream Support ended June 30, 2002
    - Entered non supported phase on June 30, 2003
  • ME
    - Mainstream Support will end December 31, 2003.
    - Entering non supported phase on December 31, 2004
    - Consumer operating system was not designed for business use

See MS Product Lifecycle Information for more information on MS Windows desktop product lifecycles.

Some computer applications must be upgraded to vendor supported versions in order to maintain network security. These applications will be identified in another document. Examples are MS SQL and Internet Explorer.

Secondly, IT will be setting up a working task force to look at solutions to enable the campus to better prepare for these risks in the future. This task force will be made up of IT personnel and appointed representatives from college and departmental technical personnel. This task force will be addressing the following issues:

  • Workstation policies
  • Server policies
  • Network policies
    - Wireless access points
  • Automated tools for patch management
  • Centralized anti-virus
  • Reporting and accountability
  • Incident response

This will be an evolving list of issues. Please refer back to this website for changes to this living document.

Document Last Revised 9/10/03