Information Technology Standard 06.13.0

Desktop Management Standard


Date of Current Revision or Creation:ÌýDecember 1, 2022


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to define the management of desktops on the University network, to enhance the desktop security, to safeguard the network against attack, and to establish a minimum set of standards for the management of University owned desktop computers.

Definitions

°ä²¹³¦³ó±ð»åÌýData is data that has been duplicated from the original and stored elsewhere for future use.

Cached data is useful in lowering access time.

Desktop environmentÌýis the term for the unifying concepts used by graphical user interfaces in operating systems. At Â鶹´«Ã½ Microsoft Windows and Apple MacOS are the prominent operating environments and the University supported applications that reside in those environments.

Mobile codeÌýis software obtained from remote systems, transferred across a network, and downloaded and executed on a local system without explicit installation or execution by the recipient.

±õ°Õ³§Ìýis the acronym for the official name of Information Technology Services.

Portable computersÌýare any small portable mobile personal computer; including laptops, tablet PC's and notebooks.

Virtual desktopsÌýare any Windows operating systems that are not installed on a physical desktop and accessible through the thin client computers or MoVE (Monarch Virtual Environment) at Â鶹´«Ã½

Technical Support ProfessionalsÌý(TSPs) are University employees with daily operational responsibilities for the desktop system support and administration.

±«²õ±ð°ùÌýincludes anyone who accesses and uses the Â鶹´«Ã½ information technology resources.

Standards Statement

System Administration

Technical Support Professionals (TSPs) and departmental system administrators must possess and maintain knowledge of practices and procedures in the range of systems and platforms, which they support. Support providers have a critical responsibility in minimizing risk to the desktop computing environment. System administrators and TSPs should work in cooperation with ITS Security Operations to foster secure practices and to respond to security events.

Documentation

System documentation is highly recommended for all centralized Windows based desktop system images. Systems should be configured and operated using documented procedures in a manner most effective to provide information security. Documentation should be current, maintained in a central location and accessible to staff. The level of documentation should be sufficient to:

  • Provide guidance to reestablish the environment in the event of a disaster.
  • Prevent a dependency on a single key staff member.
  • Provide serial numbers or license keys needed for installation and vendor support.
  • Test procedures to minimize downtime when changes occur.
  • Transmit knowledge to others.

Operational audit logs should be configured and verified immediately on initial system setup. Audit logs are to be maintained on a best effort basis equivalent to 120 days. Wherever possible, controls and activity auditing should be implemented over the use of utility programs that may provide users the ability to override existing system and application controls.

Controlling Access

Access to some operating system commands (such as supervisory reset commands) is restricted to those who are authorized to perform systems administration / management functions. Such restrictions should normally be handled with group membership or a different technical control, such as requiring local administrative rights or using an access mechanism such as RunAs.

Updates

Operational changes (such as service packs, updates, fixes, patches, upgrades to software or operating systems) are to be tested for compatibility and released based on a schedule determined to be the least disruptive and most effective for the environment. Patches and updates are obtained only from reputable sources. Desktops should be maintained at appropriate security levels. Desktops should configured to utilize the centrally managed automatic updates service maintained by ITS or by the vendor. Updates provided on the ITS update service are authorized by the ITS Executive Director, Client Services.

Hardening Operating Systems

Desktop operating systems should be initially hardened before they are deployed and regularly monitored. Hardening standards for theÌýMicrosoft Windows 10Ìý²¹²Ô»åÌýmacOSÌýplatform are established and available to system administrators.

Physical Access

Physical access to desktop systems should be limited. Lock and key mechanisms should be used wherever possible.

Remote Access

Remote access to desktop systems is limited to the device owner and is configured by the Desktop Support Group. Once enabled, users may connect to the device remotely while connected to the Â鶹´«Ã½ VPN Service.

Time-out and Screen Savers

A time-out facility should be configured on all desktops to ensure that the screens are cleared and unauthorized access is prevented after a maximum time of inactivity. The recommended maximum idle time is 45 minutes. Screen savers should be password enabled. The installation of nonmanufacturer supplied screen savers is not recommended.

Log-on and Password Protection

Secure log-on procedures are implemented to ensure that access to operating systems and applications are securely maintained. Passwords may not be stored or transmitted in the clear. The highest feasible form of account/password credentials security shall be configured at the operating system level. Log-on requirements are provided below.

  • Do not display system, previous user, or application identifiers until the log-on process completed.
  • Warn that the computer should only be accessed by authorized users and that usage implies consent to monitoring.
  • Do not provide help messages that leak information during the log-on procedure through a prompt or a customized desktop background image. Validate the log-on information only on completion of all input data against a reliable information source.
  • Do not display the password being entered.
  • Do not transmit passwords in clear text, rather opting for 128 bit or higher encryption using a well established encryption methodology.
  • Users should always screen lock their systems or logoff when they will be away from the computer for an extended period (greater than 10 minutes).
  • Users should logoff or lock their system at the end of the work day

Mobile Code Control

Mobile code can be used to send malicious code by the Internet and safeguards must be implemented. Users are required to have the current University approved antivirus software or endpoint protection installed and enabled. Web browsers should not be configured for a "low" security setting for other than trusted (known) web sites. Web browsers should be configured only to accept code that comes from a reliable source, such as a digitally signed ActiveX control or a signed Java applet.

Cached Data

Cached data is to be deleted regularly to prevent misuse by possible unauthorized users. Users with access to confidential or sensitive data may be required to automatically configure cached data for automatic deletion. Microsoft OneDrive and Google Drive can be configured to make files available "On Demand" so as to minimize the presence of cached data on devices. Files can also be stored on Â鶹´«Ã½ network share drives accessible via the Â鶹´«Ã½ VPN service.

Portable computers

Â鶹´«Ã½ owned portable computers are subject to the same management standards as desktop systems with the additional requirement for disk encryption service enabled by a University approved solution.

Virtual Desktops

The desktop support group makes available virtual desktops via the MoVE (Monarch Virtual Environment) for students and faculty and staff. Thin client computers for Faculty, Staff and Students and are subject to the same standards as desktop systems.

Procedures, Guidelines & Other Related Information

  • Federal and State Law

History

Date

Responsible Party

Action

December 2006

ITAC/CIO

Created

February 2007

ITAC/CIO

Reaffirmed

February 2014

IT Policy Office

Minor rewording for clarity
December 2017 IT Policy Office Minor rewording for clarity
December 2020 IT Policy Office Minor rewording for clarity
December 2022 IT Policy Office Minor rewording for clarity
Ìý