CS Services Security Policy
Definitions
A service is a process that listens on a port; other systems connect to it across the network. Internet access means users connecting from beyond cs.uchicago.edu.
To Manage a system means to have root access on the system, and to be responsible for keeping the system alive and secure.
Principles
- Least privilege
- Isolation of vulnerable services
- CS departmental research/instructional/administrative use gets priority. Requests for other use may be denied.
- Start tight, make exceptions as needs arise. This is for reliability: if, for security reasons, we need to further restrict a service, service behaviour might be affected.
- Mounting of NFS home directories is a liability: if someone takes control of a machine NFS can be used to attack our network. Therefor we do not allow NFS home directory mounts on more vulnerable servers.
- In general, we want to only allow http and ssh access from the Internet (outside cs.uchicago.edu) Exceptions detailed below.
Techstaff managed systems
- Services run on behalf of the Department
- Only techstaff may have shell access on these servers. Accessible from the Internet only via ssh and/or http(s). Ssh tunneling, NX, or the University VPN may be used to access other protocols from the Internet.
- Services run on behalf of individual CS faculty or research groups
- May be accessed via the Internet using protocols other than ssh and http if necessary. No access to CS home directories via NFS. May be a NFS server.
- Dynamic web pages
- Off-the-shelf cgi systems are not permitted. Hand coded cgi is permitted, but user registration is required.
- Dynamic web sites for CS faculty or research groups
- Off-the-shelf cgi software must run on isolated server.
Non-Techstaff managed systems
- Systems managed by people eligible for a CNET account
- No NFS home directories
- Systems managed by people not eligible for a CNET account
- Requires approval of NSIT and CS, and a CS sponsor
No NFS home directories
Firewall required to prohibit access to uchicago.edu
Subject to removal at any time by NSIT or CS

