Device Security Standards
Executive Summary
At a minimum, all devices (desktop computers, laptop computers, servers, network devices, workstations, et cetera) that connect to the university network or that process or retain university data should be configured to meet the following standards (the additional standards are described in the body of this document):
- Register the device on the network with openipam.usu.edu
- Change the default username and password
- Configure full disk hard drive encryption
- For Windows devices, join the Aggies domain
- For Apple devices, join JAMF
- Install the SentinelOne agent
- For mobile devices, join Eduroam
- Download and install updates and patches for OS and software from a reliable source
- For ongoing maintenance and vulnerability management, define and use a process to identify, download and install updates and patches within the first 30 days of release
Device Security Standards
Utah State University holds a wide range of data and data types and it is the responsibility of university faculty, staff and students to keep that data secure and use it only for its intended purpose. In addition, the university must protect its systems from threats such as viruses, malware and ransomware.
One of the ways that faculty, staff and students can put data at risk is through devices (desktop computers, laptop computers, servers, network devices, workstations, et cetera) that have not been configured or managed with security in mind. To reduce the likelihood of data loss through threats such as viruses, malware and ransomware via unsecured devices, the university has established the following set of device security standards.
These standards are divided into two sections: Foundation Standards (which apply to all devices that connect to the university network or that process or retain university data) and Additional Standards (which apply to all devices that process or retain sensitive data). Applying the Additional Standards to all devices causes no harm and is good practice.
These device security standards align with Computer Management Policy #551 (USU Code):
All computers connected to the USU Network must be configured and managed to reduce or eliminate the risk of loss of control of the computer resource or the stored or transmitted information. Information Technology (IT) is directed to develop Computer Management Procedures according to industry best practices in collaboration with IT advisory committees and user groups.
Foundation Standards
- Register the device on the network with openipam.usu.edu
- Change default usernames and passwords
- Configure full disk hard drive encryption
- For Windows devices, join the Aggies domain
- For Apple devices, join JAMF
- Install the SentinelOne agent
- For mobile / wireless devices (phones, laptops, tablets, et cetera), join Eduroam
- Download and install updates and patches for operating systems and software from a reliable source
- For ongoing maintenance and vulnerability management, define and use a process to identify, download and install updates and patches within the first 30 days of release
Additional Standards
Computers
- For Windows devices, use the NTFS filesystem
- Uninstall “bloatware” and unneeded programs
- Install / configure SCCM / Intune
- Configure least necessary privileges for the computer account owner’s account
- Disable all unnecessary services (e.g. utilize Windows Baseline Security Analyzer)
- Rename local Administrator account
- Disable Administrator account
- Employ a backup solution (e.g. shadow copy, Box Sync, OneDrive sync, et cetera)
- Configure services to use non-default ports
- Employ security-related group policies via Active Directory / Azure AD
Network Devices
- Do not use clear text protocols and configure all devices to use the highest level of encryption available
- Configure all devices to have their time synchronized using internal Network Time Protocol (NTP) servers
- If devices send logs to secured remote syslog servers or services, set their logging level to Informational severity
- Change the SNMP community strings for read-only and read/write access from the defaults (public/private)
- Use different community strings for read-only and read/write access
- Disable unnecessary services such as TCP/UDP small services, Finger, and Telnet; enable only necessary services
- On firewall devices permit services based on a legitimate business need; do not permit access unless authorized
- Configure firewall devices to contain a deny-all statement to drop or reject all unauthorized services
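As an added illustration of the Network Devices standards above (this is example code, not part of the university's standards and not a tool it provides), the following Python script checks an IOS-style device configuration for the listed items: clear-text management protocols, TCP/UDP small services and finger, NTP sourced from internal servers, Informational syslog severity, default or shared SNMP community strings, and an explicit deny-all at the end of each named access list. Both configuration texts are constructed; the command syntax is assumed to follow Cisco IOS conventions, and "internal" is taken to mean RFC 1918 address space.

```python
"""Audit an IOS-style network device configuration against the Network Devices
standards.  Added example, not the university's tooling; both configurations
below are constructed and the syntax assumes Cisco IOS conventions."""
import ipaddress
import re

# Constructed configuration that fails several of the standards.
WEAK_CONFIG = """\
service tcp-small-servers
ntp server 10.0.0.5
ntp server 203.0.113.7
logging host 10.0.0.20
logging trap warnings
snmp-server community public RO
snmp-server community private RW
ip access-list extended EDGE_IN
 permit tcp any host 10.1.1.10 eq 443
 permit tcp any host 10.1.1.10 eq 22
line vty 0 4
 transport input telnet ssh
"""

# The same device with every finding corrected (community strings are placeholders).
HARDENED_CONFIG = """\
no service tcp-small-servers
ntp server 10.0.0.5
logging host 10.0.0.20
logging trap informational
snmp-server community Rd0nly-Str1ng RO
snmp-server community RdWr-Str1ng RW
ip access-list extended EDGE_IN
 permit tcp any host 10.1.1.10 eq 443
 deny ip any any
line vty 0 4
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Assumption: "internal" NTP servers live in RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True only for literal RFC 1918 addresses; hostnames cannot be verified offline."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def audit_config(config: str) -> list[str]:
    """Return one finding per violated standard; an empty list means compliant."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []

    # Clear-text management: telnet permitted on a vty line.
    for ln in lines:
        if ln.strip().startswith("transport input") and "telnet" in ln.split():
            findings.append(f"clear-text protocol enabled: '{ln.strip()}'")

    # TCP/UDP small services and finger must be disabled.
    for ln in lines:
        if re.match(r"service (tcp|udp)-small-servers$", ln) or ln in ("ip finger", "service finger"):
            findings.append(f"unnecessary service enabled: '{ln}'")

    # Time must be synchronized from internal NTP servers.
    ntp = [ln.split()[2] for ln in lines if ln.startswith("ntp server ")]
    if not ntp:
        findings.append("no NTP server configured")
    findings += [f"NTP server {a} is not an internal (RFC 1918) address" for a in ntp if not is_internal(a)]

    # Remote syslog in use: the trap level must be informational.
    if any(ln.startswith("logging host ") for ln in lines):
        traps = [ln.split()[2] for ln in lines if ln.startswith("logging trap ")]
        if not traps or traps[-1] != "informational":
            findings.append("remote syslog configured but logging trap is not informational")

    # SNMP: no vendor default strings, and RO/RW strings must differ.
    communities: dict[str, set[str]] = {}
    for ln in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", ln)
        if m:
            communities.setdefault(m.group(2), set()).add(m.group(1))
    for mode, names in communities.items():
        for name in sorted(names & DEFAULT_COMMUNITIES):
            findings.append(f"default SNMP community '{name}' used for {mode}")
    for name in sorted(communities.get("RO", set()) & communities.get("RW", set())):
        findings.append(f"SNMP community '{name}' used for both RO and RW")

    # Every named ACL must end with an explicit deny-all entry.
    acls: dict[str, list[str]] = {}
    current = None
    for ln in lines:
        if ln.startswith("ip access-list "):
            current = ln.split()[-1]
            acls[current] = []
        elif current and ln.startswith(" "):
            acls[current].append(ln.strip())
        else:
            current = None
    for name, entries in acls.items():
        if not entries or entries[-1] != "deny ip any any":
            findings.append(f"ACL {name} does not end with an explicit 'deny ip any any'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run against a saved `show running-config` instead of the constructed text to get a per-device list of standards that still need attention; the weak configuration above yields seven findings and the hardened one yields none.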
Servers
- Ensure there are clear requirements for services to be provided by any server
- Only enable services and daemons required for the intended services
- Identify and account for all listening TCP/UDP ports
- Lock, disable, or remove any unused vendor default accounts
- House all servers in a physically secure location
- Protect any servers exposed to the internet with a firewall
- Follow any guidelines and standards related to PII or sensitive data (HIPAA, FERPA, PCI, FARS, et cetera)
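The Servers standards above ask for a documented list of the services each server provides, an accounting of every listening TCP/UDP port, and the removal of unused vendor default accounts. As an added example (not the university's tooling), the following Python script compares constructed `ss -tulnp` output and an /etc/passwd excerpt against a documented service inventory: any listener not in the inventory, or owned by an unexpected process, is reported, as is any default-named account that still has an interactive shell. The inventory table and the list of vendor default account names are illustrative assumptions.

```python
"""Account for listening ports and vendor default accounts on a Linux server.
Added example, not the university's tooling; the `ss -tulnp` output and
/etc/passwd lines are constructed, and the approved-service table and the
default-account names are illustrative assumptions."""
import re

# Constructed `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1021,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=20))
tcp   LISTEN 0      50     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1200,fd=3))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=600,fd=5))
"""

# The documented requirement for this server: which (proto, port) each approved
# daemon may listen on.  Anything else is unaccounted for.  (Assumed inventory.)
APPROVED_SERVICES = {("tcp", 22): "sshd", ("tcp", 443): "nginx", ("udp", 123): "chronyd"}

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1001:1001:vendor admin:/home/admin:/bin/bash
guest:x:1002:1002::/home/guest:/usr/sbin/nologin
svc-backup:x:1003:1003::/var/backup:/bin/false
"""

# Illustrative names that commonly ship as vendor defaults (assumption).
VENDOR_DEFAULT_ACCOUNTS = {"admin", "guest", "test", "support"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_output: str) -> list[dict]:
    """Turn `ss -tulnp` lines into {proto, addr, port, process} records."""
    records = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        proto, local, process = fields[0], fields[4], fields[6]
        addr, port = local.rsplit(":", 1)            # works for "*:443" and "[::]:22"
        name = re.search(r'"([^"]+)"', process)
        records.append({"proto": proto, "addr": addr, "port": int(port),
                        "process": name.group(1) if name else "?"})
    return records


def audit_listeners(records: list[dict], approved=APPROVED_SERVICES) -> list[str]:
    """Flag ports that are unaccounted for or owned by an unexpected process."""
    findings = []
    for r in records:
        key = (r["proto"], r["port"])
        expected = approved.get(key)
        if expected is None:
            scope = "loopback only" if r["addr"] in LOOPBACK else "all interfaces"
            findings.append(f"unaccounted listener {key[0]}/{key[1]} ({r['process']}, {scope})")
        elif expected != r["process"]:
            findings.append(f"{key[0]}/{key[1]} expected {expected}, found {r['process']}")
    return findings


def audit_accounts(passwd_text: str, suspects=VENDOR_DEFAULT_ACCOUNTS) -> list[str]:
    """Flag vendor default accounts that still have an interactive login shell."""
    findings = []
    for line in passwd_text.splitlines():
        user, *_, shell = line.split(":")
        if user in suspects and shell not in NOLOGIN_SHELLS:
            findings.append(f"default account '{user}' still has login shell {shell}")
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_SS)) + audit_accounts(SAMPLE_PASSWD):
        print("FINDING:", f)
```

On a real host, feed the script the output of `ss -tulnp` and the contents of /etc/passwd; a listener that is bound only to loopback is still reported, because the standard is that every port is accounted for, not only the ones reachable from the network.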