About this policy
Policy contact:
Date of last update: January 11, 2022
Policy statement
The IU School of Informatics, Computing, and Engineering has a diverse collection of research, teaching, administrative, and center-based workstations to support our vast research and administrative efforts. The school is committed to following all IU computing policies and industry best practices for workstation management, including:
- Guidelines in the IT-12 Security of Information Technology Resources and IT-28 Cyber Risk Mitigation Responsibilities will be followed on all systems
- An assessment of the nature of the data being stored on workstations will be made and appropriate actions taken to secure all Institutional Data (Critical/Restricted/University-Internal) per IU regulations.
- All Windows and macOS workstations will run anti-virus software
- Workstations that need access to Institutional Data (Critical/Restricted/University-Internal) will access it from secure servers housed in the Data Center (preferably as II VMs). Folder redirection policies will be used so that Institutional Data is stored on file servers located in the Data Center rather than on the workstation itself. Local storage of Institutional Data will not be allowed without a demonstrated need, approval of the Chief Information Privacy and Security Officer, and the use of local data encryption.
- All systems will run host-based firewalls (e.g., Windows Firewall, Linux iptables) with the narrowest scope (allowed ports and source IP addresses) that still accomplishes the required task.
- Systems that accept logins from non-IU IP space will, where practicable, automatically deny all further access from hosts that repeatedly attempt and fail to log in.
- Accounts and access will be limited based on required need, authentication will be against the IU AD Servers using IU passphrases, and accounts will be promptly disabled when people leave IU.
- Workstation users will have no administrative capability on workstations. Exceptions will be granted only per the exceptions listed in the Exceptions to Policy section of this policy.
- A screen lock timeout will be enforced with an inactivity timeout not to exceed 15 minutes
- Supported operating systems will be chosen for their reliability, maintainability, and security.
- Workstations that are too old to run a currently supported OS will be retired and sent to IU surplus.
- Automated techniques (e.g., SCCM for Windows, JAMF for Macintosh, and Kickstart for Linux) will be employed to allow for quick and uniform deployment of systems.
- All workstations in public spaces will have a BIOS administrative password and restricted booting order set to prevent users from booting to external devices.
- Operating System patches will be managed and monitored from a single, central location using tools like SCCM (Windows), RHN (Linux), and JAMF (Mac). Security-related software updates are applied as soon as is practicable (following the 24/48/72 hour standard outlined in IT-12).
- Workstations in open labs will never be used to store Institutional Data (Critical/Restricted/University-Internal) and will be secured using physical security mechanisms.
- External vulnerability scanning will be performed, per IT Procedure: Qualys Vulnerability Scans
- Systems will be disposed of in a secure manner, per IT Policy: System and Media Disposal
- Any security breaches will be handled appropriately, per IT Policy: Incident Response
- Professional Luddy IT Staff will be properly trained in both industry best practices and IU policies.
Exceptions to policy
- Users are granted administrative permissions to systems only upon written request with justification. Requests will be granted only with approval of the Chief Information Privacy and Security Officer or Director of Information Technology. In such cases, administrative permissions will be granted via a separate administrative account or via sudo. The primary login account will never have administrator privileges.
- Given the unique computing requirements of computing research being done within the school, workstations may need to run operating systems and software not supported by the Luddy ITG. Such cases are governed by the IT Policy: Administrator Access and Self-Managed Systems
Procedures
References
- IU KB: Best Practices for Computer Security
- IU KB: What is the principle of least privilege?
- IU KB: Where can I find information about Unix workstation security?
- Protect IU: Secure Your Computer
- Protect IU: Information Security Best Practices
- IU Policy: Security of Information Technology Resources IT-12
- Luddy: Sudo Privilege Policy
- Luddy: Self-Managed System Policy
- Luddy: Supported Linux Configurations
- IU Red Hat Network (RHN) Satellite Server