Information Resources & Communications

Minimum Standards for Connecting Microsoft Windows-based Desktop Computers and Servers to the UCOP Network

Issued: January 26, 2005

The following requirements bring MS Windows-based computers into conformance with UCOP IT security requirements. The requirements apply to all MS Windows computers intending to connect to the UCOP network, including those owned by UCOP as well as other MS Windows computers used for University business purposes.


Please contact the Technology Service Desk if you are uncertain how to implement these requirements. These requirements may change; updates will be documented in the UCOP Electronic Information Security Policy, section IV, "Revision History."


In addition, Microsoft has extensive security recommendations for its products.


Windows-based Desktop Computers

Devices that fit the following criteria are subject to the minimum standards for connecting desktop and laptop computers to the UCOP network. (See the section below, Windows Servers, for additional requirements for servers.)

--a single user device, such as a laptop or desktop computer, that does not perform file serving functions

--a device that operates with software that can be configured or modified from elsewhere on the network

--a device that does not contain any "restricted" data

--a device that does not provide an "essential" service

  1. IR&C may specify which version of the Windows operating system UCOP computers must utilize. Older versions may be vulnerable to attacks which cannot be mitigated. As of Fall 2004, Windows XP Professional with Service Pack 2 is highly recommended.
  2. All security related software updates that are prescribed by IR&C, including but not limited to Windows Critical Updates and Service Packs (all applications with available security updates to known vulnerabilities, such as Microsoft Office), must be applied immediately upon release.
  3. Antivirus software, e.g., Symantec AntiVirus, must be installed and active, and the virus definitions must be kept up-to-date. Antivirus software must either be configured to be managed by the central antivirus server or be configured for immediate virus definition update.
  4. All computers must be configured to require a login upon booting or restart and before exiting "sleep" or screen-saver modes.
  5. The built-in local administrator account name must be renamed (it cannot be "Administrator"), and its password and all other passwords changed to meet or exceed the requirements of UCOP's password policy.
  6. The built-in local administrator account shall not be used as the primary user account. Normal user accounts, i.e., the accounts used to log into the computer for day-to-day operation, shall not be members of the local host's Administrators group.
  7. The Guest account must be disabled.
  8. Generic or anonymous access must be disabled.
  9. All computers must be registered with the Technology Service Desk including their location, the MAC address of the NIC(s), and the names of the primary users. The computer name must follow the standard convention of department ID followed by first initial plus full last name of the primary user up to 8 characters (or a similar format that facilitates the identification of the computer's primary user). If the naming of the computer must deviate from the convention as dictated by the specific business use of the machine, it must be registered with the appropriate IT personnel along with the contact information of the primary user.
  10. Any server-type applications and services running on the computer must be inspected by the appropriate IT personnel for appropriate configuration with respect to security compliance prior to the computer's deployment.
  11. All software must be installed with prior approval of departmental IT personnel. IT personnel reserve the right to remove all unapproved software on UCOP-owned computers.
  12. E-mail, telnet, and/or FTP software shall be configured to use only encrypted transmission for authentication.
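The following PowerShell script is an added example of how a departmental IT administrator could audit a workstation against items 2 through 7 of the list above; it is not part of the UCOP standard and not a tool the page describes. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalUser, Get-LocalGroupMember), the root/SecurityCenter2 WMI namespace that Windows workstations expose for registered antivirus products, and the Microsoft.Update.Session COM object; run it from an elevated prompt. The function name Test-UcopDesktopBaseline is an assumption, and the script only reports findings, it changes nothing.

```powershell
# Added example (not from the UCOP page): read-only audit of the desktop items above.
# Assumes Windows PowerShell 5.1+ with the LocalAccounts module; run as a local administrator.

function Test-UcopDesktopBaseline {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Item, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Item   = $Item
            Status = if ($Pass) { 'PASS' } else { 'FAIL' }
            Detail = $Detail
        })
    }

    # Item 5: the built-in administrator is identified by RID 500, whatever it is called,
    # so check the name of that SID rather than looking for an account named "Administrator".
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    Add-Finding 'Item 5: built-in administrator renamed' `
        ($builtinAdmin.Name -ne 'Administrator') "account name is '$($builtinAdmin.Name)'"

    # Item 7: the Guest account is RID 501 and must be disabled.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    Add-Finding 'Item 7: Guest account disabled' (-not $guest.Enabled) "Enabled=$($guest.Enabled)"

    # Item 6: enabled local users other than the built-in administrator must not sit in Administrators.
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500'
    }
    $extraAdmins = foreach ($m in $adminMembers) {
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled) { $u.Name }
    }
    $extraText = if ($extraAdmins) { $extraAdmins -join ', ' } else { 'none' }
    Add-Finding 'Item 6: no normal user in Administrators' (-not $extraAdmins) "enabled non-built-in admins: $extraText"

    # Item 4: a login must be required at boot (no automatic logon) and when leaving the screen saver.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Add-Finding 'Item 4: no automatic logon at boot' ($winlogon.AutoAdminLogon -ne '1') "AutoAdminLogon=$($winlogon.AutoAdminLogon)"
    # The screen-saver values live under HKCU, so this reflects the user running the audit only.
    $desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    $saverSecure = ($desktop.ScreenSaveActive -eq '1') -and ($desktop.ScreenSaverIsSecure -eq '1')
    Add-Finding 'Item 4: screen saver requires password (current user)' $saverSecure `
        "ScreenSaveActive=$($desktop.ScreenSaveActive) ScreenSaverIsSecure=$($desktop.ScreenSaverIsSecure) TimeOut=$($desktop.ScreenSaveTimeOut)s"

    # Item 3: at least one antivirus product must be registered with Security Center.
    # productState is a vendor-neutral bit field; it is reported raw for the reviewer.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $avText = ($av | ForEach-Object { "$($_.displayName) state=0x$('{0:X}' -f $_.productState)" }) -join '; '
    Add-Finding 'Item 3: antivirus product registered' ([bool]$av) $avText

    # Item 2: no applicable software updates may be left uninstalled.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        Add-Finding 'Item 2: no pending software updates' ($pending.Count -eq 0) "$($pending.Count) update(s) pending"
    } catch {
        Add-Finding 'Item 2: no pending software updates' $false "update search failed: $($_.Exception.Message)"
    }

    return $findings
}

Test-UcopDesktopBaseline | Format-Table -AutoSize
```

Each finding is emitted as an object rather than printed text so the results can be exported (for example with Export-Csv) and attached to the registration record that item 9 requires. The check for item 5 keys on the well-known RID rather than the account name because the name is exactly what the standard asks to change.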

Windows Servers

Servers running the Windows operating system, including any computers performing file-serving functions, may be connected to the UCOP network only if they meet both the requirements listed above for desktop and laptop computers and the following conditions:

  1. Servers must be registered with IR&C using the UCOP server registration form available from the IR&C Technology Service Desk. IR&C will verify compliance with these requirements.
  2. Any server running critical services or on which sensitive data resides must be in a physically secure location, e.g., in a locked room or facility with restricted authorized access. See B&FB IS-3 for definitions of criticality or sensitivity.
  3. Dell OpenManage (or equivalent) must be installed.
  4. All unnecessary or unused services must be disabled.
  5. Server configuration must be fully documented.
  6. Servers must be configured with NTFS.
  7. All NTFS file permissions must be changed to ensure that only authorized access is allowed for all files. In particular, the Everyone group must be carefully managed to prevent unauthorized access to restricted data.
  8. Any change to a registered server affecting compliance with these requirements must be reported to IR&C prior to implementation.
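As an added example for the server conditions above (items 4, 6 and 7, plus the anonymous-access rule from the desktop list), the PowerShell script below reports fixed disks that are not NTFS, auto-start services outside an approved list, and files or folders whose ACL grants Everyone or ANONYMOUS LOGON any form of write access. It is not part of the UCOP standard. It assumes Windows PowerShell 5.1 or later; the function name Test-UcopServerBaseline, the default path D:\Shares and the one-entry approved-service list are placeholders to be replaced from the server's documented configuration (item 5).

```powershell
# Added example (not from the UCOP page): read-only audit of the server-specific items above.
# Assumes Windows PowerShell 5.1+; run as a local administrator so every ACL can be read.

function Test-UcopServerBaseline {
    [CmdletBinding()]
    param(
        # Placeholder: directories holding restricted data whose ACLs should be reviewed (item 7).
        [string[]]$DataRoots = @('D:\Shares'),
        # Placeholder: auto-start services the documented configuration (item 5) allows.
        [string[]]$ApprovedAutoServices = @('W32Time')
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Item, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Item   = $Item
            Status = if ($Pass) { 'PASS' } else { 'FAIL' }
            Detail = $Detail
        })
    }

    # Item 6: every local fixed disk (DriveType 3) must be formatted NTFS.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        Add-Finding "Item 6: $($_.DeviceID) uses NTFS" ($_.FileSystem -eq 'NTFS') "FileSystem=$($_.FileSystem)"
    }

    # Item 4: any running auto-start service not on the approved list is flagged for review.
    $unexpected = Get-CimInstance Win32_Service -Filter "StartMode = 'Auto' AND State = 'Running'" |
        Where-Object { $ApprovedAutoServices -notcontains $_.Name }
    $svcText = ($unexpected.Name | Select-Object -First 10) -join ', '
    Add-Finding 'Item 4: only approved auto-start services running' (-not $unexpected) "unapproved: $svcText"

    # Item 7 (and the anonymous-access rule): an Allow ACE for Everyone or ANONYMOUS LOGON carrying any
    # write-class right is reported. Generic rights can appear as negative numbers, so the mask is
    # compared as [int] rather than through the enum's string form.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $broadIdentities = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')

    foreach ($root in $DataRoots) {
        if (-not (Test-Path -Path $root)) {
            Add-Finding "Item 7: Everyone ACL review of $root" $false 'path not found'
            continue
        }
        $items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue)
        $hits = foreach ($fsItem in $items) {
            $acl = Get-Acl -Path $fsItem.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadIdentities -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                    [pscustomobject]@{ Path = $fsItem.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                }
            }
        }
        $hitText = ($hits | Select-Object -First 5 | ForEach-Object { "$($_.Path) [$($_.Identity): $($_.Rights)]" }) -join '; '
        Add-Finding "Item 7: no Everyone/anonymous write access under $root" (-not $hits) $hitText
    }

    return $findings
}

Test-UcopServerBaseline | Format-Table -AutoSize
```

Read-only ACEs for Everyone are deliberately not flagged by this script, since the standard asks that the group be managed rather than removed; whether read access to a given directory is acceptable depends on whether it holds restricted data, which is a judgement the IT personnel registering the server make. Run the audit again after any change reported under item 8 and keep the two outputs with the server's documentation.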
