CS Services Security Policy

Definitions

A service is a process that listens on a port; other systems connect to it across the network. Internet access means users connecting from beyond cs.uchicago.edu.

To Manage a system means to have root access on the system, and to be responsible for keeping the system alive and secure.

Principles

  • Least privilege
  • Isolation of vulnerable services
  • CS departmental research/instructional/administrative use gets priority. Requests for other use may be denied.
  • Start tight, make exceptions as needs arise. This is for reliability: if, for security reasons, we need to further restrict a service, service behaviour might be affected.
  • Mounting of NFS home directories is a liability: if someone takes control of a machine, NFS can be used to attack our network. Therefore we do not allow NFS home directory mounts on more vulnerable servers.
  • In general, we want to allow only http and ssh access from the Internet (outside cs.uchicago.edu). Exceptions are detailed below.

Techstaff managed systems

Services run on behalf of the Department
Only techstaff may have shell access on these servers. Accessible from the Internet only via ssh and/or http(s). Ssh tunneling, NX, or the University VPN may be used to access other protocols from the Internet.
Services run on behalf of individual CS faculty or research groups
May be accessed via the Internet using protocols other than ssh and http if necessary. No access to CS home directories via NFS. May be an NFS server.
Dynamic web pages
Off-the-shelf cgi systems are not permitted. Hand-coded cgi is permitted, but user registration is required.
Dynamic web sites for CS faculty or research groups
Off-the-shelf cgi software must run on an isolated server.

Non-Techstaff managed systems

Systems managed by people eligible for a CNET account
No NFS home directories
Systems managed by people not eligible for a CNET account
Requires approval of NSIT and CS, and a CS sponsor
No NFS home directories
Firewall required to prohibit access to uchicago.edu
Subject to removal at any time by NSIT or CS