Policies: ECE

From WolfTech
Revision as of 16:12, 21 June 2006 by Djgreen (talk | contribs)

Computers Stay On

Dual Boot

REWRITE for GENERAL USE -- add in info about


Security

Remote Access Servers

VCL/GRENDELs

On the NCSU network, an unpatched Windows workstation is hacked within 30 seconds. Often, less time is required. Keeping the OSes patched is our number one way to prevent one machine from attacking the rest.

Dual booted machines are the blight of security within this environment.

With the OS switching back and forth, neither OS (we're patching Linux across the network as well) is kept up to date. And we can't know how long a machine has stayed on one OS versus the other.

Therefore, the goal has been to discourage, and eventually remove the use of dual booted systems *wherever possible*.

What I need to know is the reasons/needs for the dual boot. I'll give you one: OPNET currently requires Windows -- assuming your primary use of the machine is as a Linux box, then this would be a good reason to have both the OSes. Granted, once OPNET *is* available on Linux, this would no longer be a legitimate reason.

While you know our goal is to move to a non-dual boot environment, *I* need to know the obstacles that *you* see to this. What applications prevent your use of a single OS? Having this information helps to better define this policy.

We wouldn't want to have Windows on a box simply because a student likes to use Outlook to check his mail, or because they prefer Office over StarOffice.

I would ask that you work with us on this. We have no research support funding. Trust me, if we could, we would -- so we have a limited staff to respond to issues that arise. We do so because I recognize the needs of the department, and because I'd like to avoid the "wild west" of computing that ECE was four years ago. Our goals are to meet your legitimate needs, but we must weigh that against the cost of support and the cost to the rest of the network.

  • We will dual boot this machine*.

You are correct that a 600MHz machine will not meet your needs. Outside of the Networking group, one of the major reasons we have dual boot requests is because a student wants to "play" with the buzzword "Linux". A secondary machine on which to do this often does meet their needs, and is therefore a standard response to such requests. I will have our people adjust this response to elicit legitimate reasons for the request and possible exceptions, as in this case, to the policy.

We *WILL* be erecting the firewalls on both the Linux and Windows OSes.

This should help, partially, to protect the machines while updates are installed. Unfortunately, not all issues are due to outside attacks, but it's something. This should not affect the use of the machine, but if it does, let us know, and we'll see what specific exceptions to this firewall can be made.

While the machine is being built, please send me the reasons a dual boot is important to you in this case. If we can determine what the problems are with a single OS, we can attempt to resolve them, or at least keep them in mind.

File Sharing Applications

The Digital Millennium Copyright Act amends federal copyright laws, providing liability protections to providers of online services when their networks contain material infringing upon copyrights.

NEED CONTENT

Three Year Warranty

Personal Computers

Personal Computers getting Permanent IPs

Here's the immediate issue. IPs are controlled by individual departments or colleges. *THESE UNITS* are responsible for the network and require that all IPs be assigned BY THESE groups. So having a "central" entity, aka ITD/ComTech, do this would NOT be good. On many levels. I can go into detail later if you like, but save us all time, and make sure that you're working with individual colleges, not central IT, when requesting IPs.

One example -- I will remove ANY IP in ECE IP ranges that is not in our records. This is something you'd want to avoid.

This is NOT a centralized problem, or one in which a centralized solution is likely to work. Should the committee like some contacts within each department/college, I can provide this.

Having said that, some departments and colleges already *do* register personal machines. ECE is one of those.

The current version of our online request form is here: https://www.wolftech.ncsu.edu/requests/register/

You can get an idea of the information we require on our form there.

Sample of the rules we follow:

1. The registered name of the machine is USERID.ece.ncsu.edu. Students do not have the option to change this. FT Faculty can, if strongly desired. This naming convention allows identification of the owner quite easily, as well as distinguishing it as a personal machine on sight. We do, of course, maintain a comprehensive database of all of our IPs/computers, but this helps as well. It also removes some maintenance/labor costs in setting up the IP access.

2. One registered machine per student. We will occasionally make exceptions for special cases (in which case, the name of the machine is USERID2). This is a very rare event.

3a. Symantec AntiVirus is required, but this is a general NCSU IT rule already in place. NCSU users are directed to http://www.ncsu.edu/antivirus/. Additional network usage policies are set by NCSU, the colleges, and departments. For example, you are not allowed to run servers from these machines. Should the computer show up (*blip*) on our network monitors, we will come ask what the user is up to.

3b. OS Updates: All personal machines operating on the ECE network must be configured to automatically install Windows patches from our WSUS server. For more information and instructions on how to configure your computer to use WSUS, see WSUS.

4. You must have an NCSU UnityID to have a permanently registered IP. All faculty, staff, students, postdocs, and, usually, visiting scholars (see NoPay notes below), have a UnityID.

5. All personally owned machines are removed from the network once the userid of the owner has been disabled by the University. We have scripts that report these machines to us on a weekly basis. If we know someone has left, we'll remove it ahead of this time.