· Network Device and Workstation Standards

Background

Because improperly functioning network devices and insecure workstations can disrupt the network and expose shared information to tampering or destruction, it is critical that some basic network and workstation security and maintenance guidelines be followed. Most of these are common sense and have other benefits such as better performance and reduced cost.

General Network Device Policy

ALL networked devices must be registered with and supported by Forestry Computing Resources. (FCR)

Networked devices must be maintained with appropriate security patches. Devices which are not or cannot be properly maintained will no longer be supported by FCR and must be removed from the network.

"Server" services require special monitoring, thus, network support must approve private machines acting as servers.

General Workstation Policy

Workstations must be managed in a fashion that provides maximum benefit to the community for the least cost. The following workstation policies are intended to keep support costs at a manageable level while still providing a reasonable security, functionality, and flexibility for the users.

The cost of new workstations, upgrades, and replacement parts are the responsibility of the individual or project.

Purchases related to computers must be reviewed by computer support personnel.

The initial configuration of the workstation will be done by FCR.

The support costs of networked and non-networked machines are the same.

FCR will be given full administrative access to a workstation.

Windows workstations and laptops connected to the network are subject to security and software configurations distributed by scripts and/or group policies.

FCR will not support foreign language versions of operating systems.

Privately owned desktop computers will be supported by FCR according to the posted policy (See the laptop support policy for details on support for privately owned laptops.)

We grant users full administrative rights to their PC workstations, but we require that they use those rights wisely.

While FCR will assist with the installation of unsupported software, the user is responsible for the cost of the software and ultimately getting it to work.

Workstation hard drives are the users responsibility.

Users are responsible for the physical security of their workstations.

Support for University machines taken off-site becomes the user’s responsibility.

It is not feasible to provide support for all types of systems. Although FCR will always be willing to spend an hour diagnosing or resolving a problem on any supported system, continued work will only be done if it is cost effective.

Systems that cannot be adequately maintained will be removed from the network and will no longer be supported. A system meeting the minimum hardware requirement will be supported by Forestry Computing Resources as long as the system remains reliable and maintenance does not make unreasonable demands for support time.

Explanations and Examples

General Network Device Policy

ALL networked devices must be registered with and supported by FCR.

Machine support forms are available at Helpdesk and should be submitted to Helpdesk when completed.

To be able to diagnose network problems, avoid duplicate addresses, etc. it is critical that we know about all the devices on the network. This means registering not only workstations but also any laptops, printers, hubs, or instruments that are connected to the network even occasionally. We also need to know when networked devices are removed from service so we can cancel their registration.

Networked devices must be maintained in a reasonable fashion with appropriate security patches. Devices which are not or cannot be properly maintained will no longer be supported by Forestry Computing Resources and must be removed from the network.

Maintaining the workstation in a reasonable fashion is becoming an increasingly complex task. Not only are there mandatory security patches that must be applied, but also network configurations must be set and updated properly. Scandisk and defrag utilities should be run regularly. Equipment should only be used for its intended purposes and stored/placed in a place with proper ventilation and physical support, not placed where it is subjected to possible physical damage. Devices not properly maintained and no longer supported by FCR will be removed from the network by removal of the network card from the machine, removing the network card address from the network tables, and/or disabling the network drop to which the device was attached.

"Server" services require special monitoring, thus, FCR must approve private machines acting as servers.

Users should use shared servers for mail, web, ftp, etc. Users with special needs should contact FCR to see if there is a way to accommodate them on our carefully monitored servers. If the service is essential and network support can't provide it then we will set up a monitoring arrangement and will permit the use of a private server ... however, this is an extended service and there will be a fee charged to recover the cost of the service.

General Workstation Policy

The cost of new workstations, upgrades, and replacement part are the responsibility of the individual or project.

Purchases related to computers must be reviewed by FCR personnel.

We recognize the diverse needs of our users and will work to help them find systems suited to their needs and budgets. The pre-purchase review often saves money and helps assure that everything required is ordered. Since FCR will be involved in installing and maintaining the systems it also helps avoid ordering systems or components with known support problems.

The initial configuration of the workstation will be done by FCR.

This provides the opportunity to register the system, set up its network configuration, install security and operating system patches, create user accounts, install core software, and often perform a baseline backup of the workstation. FCR can provide a list of the changes made to the user's system.

The support costs of networked and non-networked machines are the same.

Computers not connected to the network pose fewer security risks, however, they are also cut off from network resources and the tools we use to support workstations. Non-networked systems can harbor viruses which can be spread to networked machines via removable media, thus, they still need to run anti-virus software

FCR will be given full administrative access to a workstation.

FCR will be given full administrative access to a workstation. Windows workstations have security concerns and remote access capability. FCR will need to use administrative accounts to access the workstation both in person and remotely in order to install patches, monitor workstation status, perform backups, implement policies, i.e., maintain the workstation. Users will be alerted before alterations are made to the system if possible, but in some cases changes will need to be applied immediately. Access is strictly limited to administrative purposes and every effort will be made to assure privacy of the contents.

Windows workstations connected to the network are subject to security and software configurations distributed by scripts and/or group policies.

We distribute a variety of settings related to security, network configuration and software function via scripts and windows group policy (registry) settings. All windows workstations connected to the College of Forestry network are subject to settings based their role and security requirements. These settings persist when machines are disconnected from the network (this includes laptops).

FCR will not support foreign language versions of operating systems.

It is hard enough to find people with the appropriate skills to solve computer problems without adding a language requirement (or a translator). In addition many software vendors warn of potential problems mixing foreign language software and English patches. Therefore, to meet our security and support requirements it will be necessary to install an English version of the operating system before it can be connected to the network or supported by FCR.

Privately owned desktop computers will be supported by FCR provided that:

The workstation owner obtain permission from their department head (or unit leader if not in a department or partner project leader).
The workstation will be supported on the network for a significant amount of time, at least three months.
All networked machines on the Forestry network incur a support charge (currently $500/machine/year).
The owner agrees that the machine will be configured and maintained according to the Forestry Computing Resources "network device and workstation standards." </helpdesk/policies/standards/general.html>
The computer must meet the minimum hardware standards; Helpdesk personnel must have administrative access to the machine; the machine must be maintained properly to avoid creating problems for other network users; and the owner is responsible for physical workstation security.
Use of the machine, as for all machines connected to the Forestry computing network, must be in accordance with the OSU Acceptable Use Policy.
</helpdesk/policies/accept_use/>

Many privately owned computers are purchased without consultation with FCR and have their operating systems installed by other people. Both of these factors make it much more costly for FCR to troubleshoot and maintain such machines.

We grant users full administrative rights to their workstations.

Our users need maximum flexibility in working with their systems, however, it is essential that they do not create security risks or recurring support problems. Users creating problems may lose administrative rights and/or face charges for the extended services required to correct the problems. Unix users are not granted administrative rights since these systems function as servers.

FCR will assist with the installation of unsupported software, however, the user is responsible for the cost of the software and ultimately getting it to work.

Users who use unsupported operating systems, applications, or system configurations are basically on their own. Some applications, operating systems, and configurations may be considered unacceptable if they appear to pose a security hazard, generate unacceptable network traffic, or make it impossible to provide support in a cost effective fashion.

Workstation hard drives are the users responsibility.

In general local hard drives should only be used for software, scratch space, and local backups.Critical data should always be stored on a server unless special arrangements have been made for local system backups (see backup policies).It is the users responsible to copy any information that they wish to preserve from the local hard drives to the network if upgrades are requested

Users are responsible for the physical security of their workstations.

The University only provides replacement costs for equipment that is stolen from either a locked room or if the equipment has suitable security cables. Therefore if you cannot guarantee that a room will be locked at all times when it is unoccupied, you should purchase security cables. Purchases of cables should be coordinated with FCR so that they can be purchased with locks that won't be an impediment to support.

Support for OSU-owned machines not connected to the network:

Users who wish to pay machine fees to have non-networked, OSU-owned machines supported by FCR can do so as long as machines meet all of FCR's machine requirements.

Users who wish to take OSU-owned machines off the network and choose to remove the system from support can do so. As a non-supported machine, the user will be responsible for payment of hourly consulting fees which will be charged to convert the system to off-network use.

Any time a user requests support for a non-supported machine, FCR will charge the hourly consulting rate to make sure the system can operate off the network. Additionally, the following conditions must be met:

The user must have a valid Forestry account,
The system must meet FCR's current minimum system requirements, and
The user must have documented permission from their department head if the machine is to be taken off-site.

The user will be responsible for any software application license fees that may be required for local installations. It is the responsibility of the user to install any non-supported hardware and/or software applications. If there are problems with the system during the course of its life "off-support", it may be repaired to run FCR supported software at the current FCR consulting fee rate as long as the system meets FCR's current minimum system requirements. It will be the user's responsibility to preserve any personal information before repairs are undertaken. Repair completion time will vary depending on FCR's current workload. Priority for repairs will be given to currently supported machines over non-supported university-owned machines.

Older systems can be used as long as they are meeting needs and do not pose a hazard for others. However, if they develop problems or start to pose a hazard it is often less expensive to upgrade the hardware/software than to try to find patches or updates for older item. Computing Resources will declare a problem as unfixable if the determination is made that the cost of repairs would exceed the value of a system.

Some special projects will require unique systems with support needs well beyond those of a normal workstation. While FCR will assist with these, it may be necessary for the owners of these systems to help make sure they are properly maintained and/or pay for extended service.

Systems that cannot be adequately maintained will be removed from the network and will no longer be supported.

A system meeting the minimum hardware requirement will be supported by FCR as long as the system remains reliable, is maintained with the latest security patches, and maintenance does not make unreasonable demands for support time.