Information Security




Introduction

With ubiquitous networking in today's computing environment, James Madison University personnel have a myriad of ways to both access and provide information services remotely. Indeed, information today is rarely accessed only on the system where it resides.

Recognizing that such access is a powerful enabling force and educational tool, the university encourages the free flow of information and open communications through the use and provision of such access. At the same time, the university recognizes the need to protect its resources and constituents from those who commit computer crimes. Remote computing inherently exposes servers, clients, and data to others on the network, thus presenting increased exposure to network-based attacks. In addition, the compromise of one improperly operated computer can quickly lead to compromises of neighboring computers and accounts and to disruption of services. Accordingly, certain safeguards relating to networked computers and the provision of remote computing services are necessary to protect the entire JMU community.

These are the minimum requirements for all computing devices on or accessing the JMU network. More stringent practices may be needed for individual applications.

The University provides both online materials and workshops to help computer operators comply with these requirements. See http://www.jmu.edu/computing/runsafe



Definitions

  • Server - A computer program or collection of programs making a computer's files, information, or services available to client programs. Examples are web servers, file servers, telnet servers, and Windows remote control servers.
  • Client - A computer program or collection of programs making use of a server's files, information, or services. Examples include web browsers, email clients, ftp clients, and telnet clients. It should be noted that the same computer may, and often does, run both client and server programs.
  • Computer - Along with the more traditional devices, this term also includes such things as Internet enabled cell-phones, wireless devices, two-way pagers, game consoles, and any other device capable of interfacing to the University information systems or network. Wireless mice and keyboards are considered part of the computer they are supposed to be controlling.
  • Remote Access - The use of a client on one computer to access a server on another.
  • Remote Provisioning - The act of making available a server to remote clients.
  • Access Path - The physical paths over which the remote access takes place. Examples include the Public Switched Telephone Network (i.e. dial-up), ISDN, wireless, the JMU Campus Intranet (i.e. the Internet inside the JMU physical network), the Internet (i.e. the Internet outside the physical JMU network), satellite, etc.
  • Access Method - The protocol used between the client and server. The Access Method often consists of layered protocols, the lower layers of which may be determined somewhat by the Access Path. For example, web access over a dial-up line usually implies an underlying PPP protocol.
  • On-Campus computer - a computer physically residing on the JMU campus network
    • Campuslink subscribers and those using the JMU provided ISDN connections are considered "On campus" even though their access path is over a Public Switched Telephone Network. This remains true as long as all of the following conditions hold:
      • The service provisioning equipment, less the client side access device, remains owned and operated by JMU.
      • The service provisioning equipment, less the client side access device, remains on campus.
      • The IP addresses used by the clients have the 134.126 prefix.
    • Apartment complexes fed from the JMU network are considered "On campus".

Vulnerability and threats vary depending upon the particular client, server, access path, and access method. Therefore, procedures and best practices vary somewhat.



General Requirements for All Network Connected Devices

These apply to all clients, servers, access methods, and access paths.

Single-user Computers

  • Each single-user computer will have a designated operator responsible for the operation of the computer. That operator will be responsible for the following:
    • Registering the computer and ensuring the registration data is kept up to date.
    • Ensuring University provided anti-virus protection software is installed and operating.
    • Following university procedures concerning computer updates at least once a month.
    • Investigating and correcting vulnerabilities reported to them by JMU IT in a timely manner.
    • Abiding by the university's policy regarding Appropriate Use of Information Technology Resources (AUP; JMU Policy 1207).
    • Selecting strong passwords, as defined by the campus RUNSAFE guidelines, for all server accounts accessed from the computer.
    • Selecting and using client software that provides encrypted communications whenever it is an available and practical choice.
    • Using care in choosing software to run on their computer paying particular attention to email attachments, software from unofficial vendor distribution sites, and software whose author is unknown or untrusted.
    • Computers offering shell accounts giving interactive, programmable control of the computer through programs like telnet, ssh, X-Windows, and PC-Anywhere shall provide an individual account for each remote user.
    • Any server (including personal web servers, Microsoft file shares, and Appleshares) that provides access to confidential, sensitive, or critical data must protect such data with strong passwords as defined in the campus RUNSAFE guidelines. People providing such services are cautioned that incorrectly implementing the service could quickly lead to total compromise of the machine and related data. Best practices should always be followed when installing, configuring, and operating such servers.
    • Reporting computer abuse to abuse@jmu.edu and cooperating with the JMU Computer Incident Response Team in the investigation of such incidents.

Shared Computers and Servers

  • Shared computers and computers whose primary function is to act as a server will have an individual designated as responsible for the administration of the computer. The administrator will be responsible for the following:
    • Registering the computer and ensuring the registration data is kept up to date.
    • Ensuring University provided anti-virus protection software is installed and operating.
    • Following university procedures concerning computer updates at least once a month.
    • Investigating and correcting vulnerabilities reported to them by JMU IT in a timely manner.
    • For non-public, university-owned servers, implementing any user-level authentication and authorization mechanism provided by the server. In other words, at a minimum requiring userIDs and passwords to access non-public files, information, or services.
    • Abiding by the university's policy regarding Appropriate Use of Information Technology Resources (AUP; JMU Policy 1207).
    • Ensuring that any persons having shell accounts on the server, whether university-owned or not, abide by the AUP.
    • Selecting and using client software that provides encrypted communications whenever it is an available and practical choice.
    • Using care in choosing software to run on their computer paying particular attention to email attachments, software from unofficial vendor distribution sites, and software whose author is unknown or untrusted.
    • Reporting computer abuse to abuse@jmu.edu and cooperating with the JMU Computer Incident Response Team in the investigation of such incidents.
    • Computers offering shell accounts giving interactive, programmable control of the computer through programs like telnet, ssh, X-Windows, and PC-Anywhere shall provide an individual account for each remote user.
    • Servers offering the ability for anonymous persons to upload data must be configured so the uploaded data is not available to other clients until it can be verified that:
      • Other clients are not exposed to hostile software such as viruses
      • The data does not consist of illegal materials such as child pornography or unauthorized copyrighted material.

This is to protect the operator of the server, other clients, and the university (if it is a university owned system) from being exposed to hostile software and the liability associated with harboring illegal materials.

In addition, if anonymous persons can overwrite or modify existing files, users of the service must be warned that the integrity of any files they store on the service and any files they download from the service cannot be guaranteed.



Procedures for Off-Campus Network Access and Provisioning

Because of the vulnerabilities in off-campus access paths and the increased accessibility of servers exposed to off-campus access, it is necessary to increase safeguards in this environment. In addition to the measures described in the general section above, the following apply:

JMU-owned, On-campus Servers Accessible from Off Campus

  • Administrators and implementers of campus servers that pass authentication information between themselves and their off-campus clients are to use software that encrypts the authentication transaction whenever it is available and practical. Systems that make use of the universal JMU Electronic ID (E-ID) and password are absolutely required to encrypt this information in transit.
  • When servers require authentication for access, the administrator will configure the server so that it does not allow more than ten sequential unsuccessful authentication attempts without disabling the account. The account will remain disabled for at least thirty minutes and the administrator should be notified of the action. If the server does not support this precise configuration, all best efforts shall be made to limit unsuccessful login attempts in any available fashion.
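The lockout rule above is easy to get subtly wrong (counting failures across a lockout, or letting a correct password during the lockout window re-enable the account). The following is an added example, not code from the page or from any JMU system, of a lockout tracker that enforces exactly the stated rule: the tenth sequential failure disables the account for thirty minutes, every attempt during that window is refused whether or not the credentials are correct, and the administrator notification hook fires when the account is disabled. The class and function names, the notify callback, and the constructed attempt sequences are assumptions for illustration.

```python
"""Account lockout tracker matching the ten-failure / thirty-minute rule.

Added example; not part of the page or any JMU system. All names, the
notify hook, and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass

MAX_FAILURES = 10          # policy: at most ten sequential unsuccessful attempts
LOCKOUT_SECONDS = 30 * 60  # policy: disabled for at least thirty minutes


@dataclass
class AccountState:
    failures: int = 0          # sequential unsuccessful attempts so far
    locked_until: float = 0.0  # epoch seconds; 0.0 means not disabled


class LockoutPolicy:
    def __init__(self, notify):
        # notify(account, locked_until) stands in for "the administrator
        # should be notified" (assumed hook; e.g. mail or a SIEM event).
        self._notify = notify
        self._accounts = {}  # account name -> AccountState

    def _state(self, account):
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account, now):
        return self._state(account).locked_until > now

    def record(self, account, success, now):
        """Record one authentication result for `account` at time `now`.

        Returns "ok" (accepted), "rejected" (bad credentials, account still
        usable) or "locked" (refused because the account is disabled, or
        disabled by this attempt).
        """
        st = self._state(account)
        if st.locked_until > now:
            # Refuse every attempt while disabled, including a correct
            # password: a disabled account must not be re-enabled by guessing.
            return "locked"
        if success:
            st.failures = 0        # counter is "sequential": success resets it
            st.locked_until = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0        # a fresh window starts after the lockout
            self._notify(account, st.locked_until)
            return "locked"
        return "rejected"


def simulate(attempts):
    """Replay a constructed list of (account, success, time) tuples.

    Returns (outcomes, notifications) so the behaviour can be checked
    without a real authentication backend.
    """
    notifications = []
    policy = LockoutPolicy(lambda acct, until: notifications.append((acct, until)))
    outcomes = [policy.record(acct, ok, t) for acct, ok, t in attempts]
    return outcomes, notifications


if __name__ == "__main__":
    # Constructed sample: ten bad passwords for "alice", one per second,
    # then a correct password two minutes later and another after 30 minutes.
    sample = [("alice", False, float(i)) for i in range(10)]
    sample += [("alice", True, 120.0), ("alice", True, 9.0 + LOCKOUT_SECONDS)]
    results, notes = simulate(sample)
    for (acct, ok, t), outcome in zip(sample, results):
        print(f"t={t:7.1f} {acct} {'good' if ok else 'bad '} -> {outcome}")
    print("notifications:", notes)
```

Two design points worth noting. Refusing a correct password during the lockout is what the policy's "disabled" means; it also means an attacker who knows a username can keep that account disabled by feeding it ten bad passwords every half hour, so the administrator notification is the control that turns that nuisance into an incident report rather than a silent outage. Counting only sequential failures (reset on success) matches the policy wording; a rate-based variant would need a different counter.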

Off-campus Clients Accessing On-Campus, JMU-owned Servers

Any compromised computer, including a home computer, may compromise accounts on JMU-owned Servers. To protect those accounts, the following best practices are offered as recommendations. For access to accounts with elevated privileges, the recommendations are mandatory. Access to these accounts from untrusted computers is strongly discouraged.

  • Ensure designated protection software is installed and operating. For example, anti-virus and/or desktop firewall software.
  • Follow university procedures concerning computer updates at least once a month.
  • Select and use client software that provides encrypted communications whenever it is an available and practical choice.

On-campus Clients Accessing Non-JMU-owned Computers

Note that this includes, but is not limited to, student owned computers and almost every off-campus computer.

  • Increased care and discretion should be used when trusting non-JMU-owned computers with sensitive information, passwords, downloaded code, or access to JMU controlled computers through remote connections.
  • Universal JMU electronic ID and password information should never be provided to Non-JMU-owned Computers.

Non-JMU-owned Servers

  • These servers are not permitted to use the universal JMU Electronic ID and password without specific permission.
  • These servers are required to display information informing users that the system is privately owned and not a JMU-provided service.
  • The operators of these servers are expressly required to follow all other guidelines for servers given in this document for servers connected to the JMU network.
  • The operators are responsible for the behavior of account holders on their servers.


Procedures for Desktop Remote Control Software

While any remote access client/server interaction could be viewed as remote control, there is a set of products and machines that will be addressed separately here because they require special attention. These products allow a client desktop machine to display the screen of a server desktop machine and allow the client to interact with the server by using the client's mouse and keyboard. While this type of control is available through such things as shell accounts and X Windows in other environments, it is relatively unusual in the Windows/Macintosh environment. Most users of the Windows/Macintosh environment are not accustomed to administering a critical and security-sensitive server; yet that is exactly what a machine running remote control software is. To increase the support and guidance available to the users of such programs, some additional requirements and procedures are necessary. In addition to the measures described in the general and off-campus sections above, the following apply:

For any computer on the JMU network:

  • The software must be configured to provide separate accounts for each individual accessing the computer. The computer must not be universally accessible by virtue of wide open access or a publicly known password.
  • The software must be configured to encrypt its communications.

For any university-owned computer:

  • The remote control software package must be on the recommended list and configured according to the RUNSAFE "Remote Control Software Best Practices" guidelines.
  • Use of software commonly referred to as "remote control trojan" is expressly prohibited as a remote control tool on university-owned machines because of the unknown, and suspect, nature of both the client and server code.


Procedures for Wireless Access Paths

JMU IT is currently assessing models to provide a wireless infrastructure and associated access to the campus community in a secure, robust, and interoperable fashion. Independent implementations of wireless networks are strongly discouraged without first coordinating efforts with Network Services. This is to assure future interoperability with any campus-wide implementation and prevent security and operational difficulties. There are defects in the security model used by the wireless standard that are addressed by multiple third party products and architectures. However, use of these architectures requires careful planning for interoperability. In addition, unplanned dissemination of wireless access points may cause operational problems due to interference.

In the meantime, the following requirements apply to all wireless networks and clients that access JMU networked computing services including email and authenticated web pages.

  • Ensure University provided anti-virus protection software is installed and operating.
  • Follow university procedures concerning computer updates at least once a month.
  • Abide by the AUP.
  • Select and use client software that provides encrypted communications whenever it is an available and practical choice.
  • Enable WEP encryption. Note that WEP is the link-layer option the wireless standard provides, and it is subject to the defects in the standard's security model noted above; it raises the bar for casual eavesdropping but does not replace the requirement to use encrypted client software for passwords and sensitive data.
  • Change default SSID and passwords.