Computer Security Standards
Introduction
This document details the criteria that a computer must meet to be considered highly secured. All LTS servers should meet this standard, and other departments are encouraged to implement it for sensitive applications.
Criteria
- All outstanding vendor security patches are applied. There is a well-defined schedule for reviewing and applying new patches.
- Only software required for the computer's essential operation is installed. Each installed application should be reviewed and uninstalled if unnecessary.
- Only accounts required for the computer's essential operation are active. All other accounts are locked/disabled. Active accounts have passwords that meet the UNet standards, or require cryptographic authentication (SSH key, smartcard, etc.).
- Only services required for the computer's essential operation are running. Each open port should be reviewed and closed if unnecessary.
- A firewall is installed and operational, allowing incoming traffic only on the ports determined in the previous item. In most cases a third-party firewall is not necessary; the Windows XP, Mac OS X and Linux native firewalls are all acceptable.
- Windows computers are running the most recent version of Symantec Antivirus with the most recent virus definitions. SAV is configured to update its virus definitions daily.
- The operating system is still supported by the vendor. As of the time of this writing, Windows versions earlier than XP and Mac OS versions earlier than 10.3 are all out of support.
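The services and firewall criteria above can be checked together by comparing what the host actually listens on, and what the firewall admits, against the reviewed port list. The following is an added example, not part of the original standard; the `ss -H -tuln` sample output, the `REQUIRED` list and the `FIREWALL_ALLOW` rules are constructed assumptions for a Linux host.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (Linux); not taken from a real host.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
tcp   LISTEN 0      80                 *:3306             *:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
"""
# Hypothetical result of the per-port review: services this host must offer.
REQUIRED = {("tcp", 22), ("tcp", 443)}
# Hypothetical inbound firewall allow rules, as (protocol, port) pairs.
FIREWALL_ALLOW = {("tcp", 22), ("tcp", 443), ("tcp", 8080)}


def is_loopback(addr):
    """True when a listener address is reachable only from the host itself."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    # "*" is the ss wildcard for every address, so it is never loopback-only.
    return addr != "*" and ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output):
    """Return the set of (proto, port) sockets bound to non-loopback addresses."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # local address:port column
        if port.isdigit() and not is_loopback(addr):
            found.add((fields[0], int(port)))
    return found


def audit(ss_output, required, firewall_allow):
    """Compare listeners and firewall rules against the reviewed port list."""
    listening = exposed_listeners(ss_output)
    return {
        "unreviewed_listeners": sorted(listening - required),
        "firewall_too_permissive": sorted(firewall_allow - required),
        "required_not_listening": sorted(required - listening),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SS, REQUIRED, FIREWALL_ALLOW).items():
        print(f"{finding}: {items}")
```

Listeners bound only to loopback are excluded because the firewall criterion concerns incoming traffic; any entry under `unreviewed_listeners` or `firewall_too_permissive` is a deviation from the standard to review.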