Desktop computers contain a variety of sensitive and personal information. Several steps should be taken to secure this information. This policy outlines those steps.
This policy is designed to provide the framework for securing Clarkson University owned desktop computers.
This policy impacts any individual who has a device attached to Clarkson’s computer network and who deals with University owned computer data.
Whenever a new desktop computer is setup, the following guidelines shall be followed.
- Firewalls - All desktop systems shall be protected by a software firewall to prevent access to services which should not be available to the general public.
- Patch Management - Additionally, all desktop systems shall be protected by being kept up-to-date with the latest patches that are available for the software installed on them. This prevents an attacker from exploiting a known vulnerability.
- Anti-Virus Software - All desktop systems shall run the University provided anti-virus software. This anti-virus software shall be kept up-to-date with the latest virus definitions (which it should receive from the University’s managed anti-virus server). It is recommended that end users check their virus definitions at least once a week to ensure that their definitions file is no more than seven days old. Additionally, when an OIT technician is servicing a system, the technician will ensure that the antivirus software is upgraded to the most-current supported version.
- Account Management - To prevent unauthorized remote access, all desktop systems shall utilize strong passwords. These passwords should follow the established best practices for passwords as set forth in the Password Policy. All Windows desktop computers must also have password hashing set to use NTLMv2 hashes to ensure the security of hashed passwords.
- System Rebuild - Any system that is found to be infected must be rebuilt. The use of removal tools to remediate such a problem is unacceptable except in cases where a policy exception is granted by the Director of Network Services. Any system requiring a rebuild under these circumstances must be scanned for Personally Identifiable Information (PII) using an approved tool before any further work is performed on the system. Additionally, notification of the discovery of any such systems must be made to the Security Engineer and the Director of Network Services immediately upon discovery.
- Additional Measures - Additional security measures may be required. All written and approved recommendations presented by the Desktop Security Team and/or the Security Engineer must be followed.