Best Practices: Workstations
The purpose of this document is to provide guidelines for best security practices when installing new workstations (or reconfiguring old workstations) on the UT Dallas campus network. This document is "OS-agnostic". In other words, the specifics of HOW to implement these practices on a particular Operating System (OS) are left to the technicians responsible for those workstations and operating systems. The appendix provides links to off-site documentation which can provide many of the implementation details needed to accomplish the tasks described within this document.
It is not the purpose of this document to provide the information necessary to correctly administer a workstation. It is assumed that the technicians responsible for implementing these practices are knowledgeable of the operating system they have chosen, the hardware on which it runs and any applications that they intend to install on it. The technician is expected to already have that expertise or to obtain it before administering workstations on the UT Dallas network.
The first thing that must be understood about security is that it is not a destination at which you arrive. It is an ongoing, repeatable process that requires attention and expertise. The most highly secured workstation in the world can become insecure in a matter of weeks if attention to details is not a part of the daily practice of its administrator.
No workstation should be connected to the UT Dallas network until the following items have been accomplished:
- The OS has been selected and all security patches for that OS have been acquired in advance, either copied to a Compact Disc (CD) or reachable over a local connection that does not require an Internet Protocol (IP) address, such as a Universal Serial Bus (USB) hard drive or zip drive.
- All documentation should be in place (licenses, vendor-supplied documents, etc.) and you should consider securing it in a plastic, lockable bag attached to the workstation.
- The OS has been properly installed and configured and all relevant security patches for both the OS and any applications have been applied.
- All "network application" services not essential to the prime function of the workstation have been disabled - Hypertext Transfer Protocol (HTTP), telnet, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), etc. No services should be enabled on a workstation unless they are absolutely necessary for maintenance. Workstations should never host web, FTP, SMTP, DNS, or telnet services.
- A viable plan has been designed to maintain the workstation properly, including consistent regular patching of the OS and all applications.
- All passwords must include numbers and special characters and must not be accessible to anyone but the password's owner.
- Workstations should never be used as servers.
- "Owners" should not use an account that has administrative access to the workstation for routine work. A separate account (such as "root" or "Administrator") should be used for administrative access. When administrative access is required, the owner should use a utility such as "su", "sudo" or "runas", or log in as the administrator, and log out again when the work is completed.
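As an added illustration of the "disable non-essential network services" and "never used as servers" items above (example code written for this edit, not part of the UT Dallas document), the script below checks what a Linux workstation is actually listening on before it is connected. It parses the output of `ss -Hltnu` from iproute2 (`-H` suppresses the header); the sample output embedded in it is constructed, the port-to-service table is an assumption based on the well-known ports, and the loopback handling is the edge case worth noticing: a listener bound only to 127.0.0.1 or ::1 (a local stub resolver on 127.0.0.53:53, for instance) is not serving the network and is not a "DNS server" in the sense this document means.

```shell
#!/bin/sh
# Added example (not from the UT Dallas page): flag listening sockets that
# belong to services a workstation must never host. Input is "ss -Hltnu"
# output on stdin; sample_ss is a constructed sample, not a real host.

# "port:name" pairs for the prohibited services (assumed well-known ports).
PROHIBITED="21:ftp 23:telnet 25:smtp 53:dns 67:dhcp-server 80:http 443:https"

# Constructed sample of "ss -Hltnu" output (Netid State Recv-Q Send-Q Local Peer).
sample_ss() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      50         127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      100            [::1]:25            [::]:*
EOF
}

# Read ss output on stdin; print "port service local-address" for each
# prohibited service bound to a non-loopback address. Returns 1 if any found.
check_listeners() {
    awk -v list="$PROHIBITED" '
    BEGIN {
        n = split(list, kv, " ")
        for (i = 1; i <= n; i++) { split(kv[i], p, ":"); svc[p[1]] = p[2] }
    }
    NF >= 2 {
        addr = $(NF - 1)                     # "Local Address:Port" column
        k = length(addr)
        while (k > 0 && substr(addr, k, 1) != ":") k--   # split at the LAST colon (IPv6-safe)
        port = substr(addr, k + 1)
        host = substr(addr, 1, k - 1)
        if (!(port in svc)) next
        # Loopback-only bindings (127.x, [::1], or an address scoped to lo)
        # are not reachable from the network, so they are not reported here.
        if (host ~ /^127\./ || host ~ /^\[::1\]/ || host ~ /%lo$/) next
        print port, svc[port], addr
        bad++
    }
    END { exit (bad > 0) }'
}

# With --live, inspect this machine; otherwise demonstrate on the sample.
case "${1:-}" in
    --live) ss -Hltnu | check_listeners ;;
    *)
        if sample_ss | check_listeners; then
            echo "no prohibited listeners"
        else
            echo "prohibited listeners found; disable them before connecting"
        fi ;;
esac
```

The non-zero exit status is what makes this usable as a gate in a build or provisioning script: the workstation is not connected until the check passes. Port 68 (the DHCP client) and loopback-only CUPS on 631 are deliberately not flagged, since neither is a network service the workstation offers.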
Connecting to the Network
- No workstation should be connected to the UT Dallas network without the knowledge and consent of qualified technical personnel.
- No workstation should be connected to the UT Dallas network unless it has virus protection in place and it has been properly configured and updated.
- Every workstation should use a dynamically assigned or private IP address. If the workstation requires a stable IP address for some reason, the technician should consult with UT Dallas Information Resources to establish the requirements.
- Before enabling any services, consult with UT Dallas Information Resources regarding the proper configuration of the workstation within the appropriate domain (UNIX or Windows).
- Only those services necessary to accomplish the task assigned to a workstation should be enabled. In practice this will mean disabling many services which are enabled by default. The specifics of any particular workstation are left to the technician to determine.
- No workstations are allowed to run Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Network Information Service (NIS+) or a Windows Domain Controller under any circumstances.
- Those services that are enabled should have been patched fully and secured properly before being enabled. Consult the vendor's documentation for proper security procedures for the application in question.
- If the OS provides a stateful firewall (such as ipchains, iptables, ipfw, ipsec, etc.), it should be enabled and only outgoing traffic (and the replies to connections the workstation itself opened) should be allowed. If the OS does not provide a stateful firewall, consider purchasing one.
- Services which should be restricted, such as Secure Shell (SSH), should also have tcpwrappers or a similar program enabled to limit access to authorized personnel only.
- ALL default passwords must be changed immediately. The technician should be thoroughly familiar with the OS and all applications, and with the password parameters of each of them. Consult vendor documentation for the details.
- Passwords should not be written down anywhere. Consider keeping a Pretty Good Privacy (PGP) encrypted list of all passwords on a separate, secure machine.
- Access to administrator passwords should be limited to the smallest number of people necessary to properly maintain the workstation and allow access to it in case of emergencies.
- All workstations should have access logging enabled.
- Logs should be checked regularly (at least weekly) for unusual access attempts.
- Remote logging (sometimes called syslogging) should be enabled. Consult with Information Resources for the correct hostnames and input parameters.
- Consider obtaining log "sentry" software which notifies the admin of unusual events by email.
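The firewall item above ("only outgoing traffic should be allowed") and the access-restriction item for SSH are concrete enough to show as a ruleset. The script below is an added example written for this edit, not UT Dallas's own configuration: it builds an outbound-only stateful iptables policy for a Linux workstation, with a single narrow exception for SSH from one administrative host, and prints the rules for review by default rather than applying them. It assumes iptables with the conntrack match is installed; `ADMIN_HOST` (10.0.0.5/32) is a constructed placeholder, not a real campus address.

```shell
#!/bin/sh
# Added example (not from the UT Dallas page): "outbound only" stateful
# iptables policy for a workstation. Everything inbound is dropped unless it
# is a reply to a connection the workstation opened itself, plus SSH from
# one admin host. Assumes iptables with the conntrack match; ADMIN_HOST is a
# constructed placeholder.

ADMIN_HOST="${ADMIN_HOST:-10.0.0.5/32}"   # constructed placeholder, override via environment
SSH_PORT="${SSH_PORT:-22}"

# Emit the rules as text so the policy can be reviewed (or diffed against the
# previous version) before it touches a live machine.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -s $ADMIN_HOST --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ws-fw-drop: "
EOF
}

# Apply the rules: refuses to run unless root, stops at the first failing rule.
apply_firewall() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_firewall: must be run as root" >&2
        return 1
    fi
    firewall_rules | sh -e
}

case "${1:-}" in
    apply) apply_firewall ;;
    *)     firewall_rules ;;   # default is a dry run: print, do not apply
esac
```

Run it without arguments to print the rules and with `apply` (as root) to load them. The rate-limited LOG rule sits last so that anything reaching the DROP policy leaves a trace in syslog for the log reviews described above. Two caveats a technician should expect: the rules are not persistent across reboots on their own (how they are saved is distribution-specific), and IPv6 needs the same policy loaded separately with ip6tables.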
Remote Access to Workstations
- If it is determined to be necessary, remote access to workstations should be highly restricted, by both username and IP address.
- The use of encryption for remote access is not optional. SSH and Virtual Private Network (VPN) should be used in all cases.
- Remote host access should be limited by single IP or by the smallest IP range possible.
- Special attention must be given to remotely accessible machines. Host-based intrusion detection should be installed, logging should be increased, accounts on the workstation should be limited to responsible administrators only, and the workstation's logs should be forwarded to the remote syslog host.
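The weekly log check called for earlier and the increased logging required here both come down to the same question: who tried to get in, from where, and how often. The script below is an added example written for this edit, not a UT Dallas tool. It reads sshd lines in the standard syslog format, counts failed logins per source address, flags sources at or above a threshold, and lists the usernames each flagged source tried. The log lines in `sample_log` (hostname `ws42`, the addresses and the key fingerprint) are constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the UT Dallas page): summarise failed SSH logins
# from a syslog-format auth log for the weekly review. The sample log below
# is constructed; the line format is OpenSSH's usual "Failed password for
# [invalid user] NAME from ADDR port N ssh2".

THRESHOLD="${THRESHOLD:-5}"   # failures from one source that warrant a look

sample_log() {
    cat <<'EOF'
Mar  3 02:11:07 ws42 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:11:09 ws42 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:11:12 ws42 sshd[2103]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 02:11:15 ws42 sshd[2105]: Failed password for root from 203.0.113.9 port 51034 ssh2
Mar  3 02:11:18 ws42 sshd[2107]: Failed password for invalid user oracle from 203.0.113.9 port 51040 ssh2
Mar  3 02:11:21 ws42 sshd[2109]: Failed password for invalid user test from 203.0.113.9 port 51044 ssh2
Mar  3 08:30:02 ws42 sshd[2300]: Accepted publickey for jdoe from 10.0.0.5 port 40112 ssh2: ED25519 SHA256:constructed
Mar  3 09:02:44 ws42 sshd[2350]: Failed password for jdoe from 10.0.0.5 port 40200 ssh2
Mar  3 09:02:50 ws42 sshd[2350]: Accepted password for jdoe from 10.0.0.5 port 40200 ssh2
Mar  3 23:59:01 ws42 sshd[2400]: Failed password for root from 198.51.100.77 port 6000 ssh2
EOF
}

# "count address" per source, most failures first (stdin -> stdout).
failed_by_source() {
    awk '/sshd\[[0-9]*\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source addresses whose failure count is at or above $1.
flag_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Distinct usernames attempted from source $1, whether the account exists
# ("for NAME") or not ("for invalid user NAME").
users_tried_from() {
    awk -v src="$1" '/Failed password for / {
            u = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u  = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip == src && u != "") print u
        }' | sort -u
}

# Review a log file given as $1, or the built-in sample when no file is given.
review() {
    if [ -n "${1:-}" ]; then data=$(cat "$1"); else data=$(sample_log); fi
    echo "Failed logins by source (threshold $THRESHOLD):"
    printf '%s\n' "$data" | failed_by_source
    for ip in $(printf '%s\n' "$data" | flag_sources "$THRESHOLD"); do
        echo "FLAG $ip tried users: $(printf '%s\n' "$data" | users_tried_from "$ip" | tr '\n' ' ')"
    done
}

review "$@"
```

On the sample, 203.0.113.9 is flagged (six failures across four usernames, several of them accounts that do not exist), while the single mistyped password from 10.0.0.5 and the lone attempt from 198.51.100.77 stay below the threshold. Point it at the real file with `sh review.sh /var/log/auth.log` (Debian-style) or `/var/log/secure` (Red Hat-style); on systemd hosts `journalctl -u ssh --since -7d` produces the same line format. The same counting approach applies to the remote syslog host, where one source hitting many workstations is the pattern a single machine's log cannot show.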
Below are links to suggested reading:
OS Best Practices
- Automated Security Self-Assessment Tool
- CERT Guidelines for Unix Configuration
- Mac OS X Server Administration Guide
- Microsoft Security Tools
- NIPC - Password Protection 101
- NIPC - Seven Simple Computer Security Tips
- SANS - Top 20 Vulnerabilities
- SANS - Information Security Knowledgebase
- Solaris 10 System Administration Collection
- RedHat Security Guide
Federal, State and University of Texas System Guidelines