The College of Chemistry has partnered with Campus to provide IBM’s BigFix solution to all computers using its networks. BigFix provides patch management for Microsoft Windows, Mac OS X, and a large number of applications including but not limited to Microsoft Office for Win/Mac, Adobe Acrobat/Reader/Flash, Sun Java, and Mozilla Firefox.
Attacks on laptop and desktop computers are a growing problem on the Internet. With vulnerabilities being discovered daily, systems that are not patched in a timely manner are more susceptible to malware and viruses, thus, increasing risk to the rest of the network. This emphasizes the need for the BigFix solution which will keep computers up to date, reduce downtime due to compromises, and allow users to maximize efficiency in their research and everyday operations.
BigFix Installation and Systems with Exemption Status
Systems will generally fall into one of the below listed categories. If you have questions, contact Information Systems at 642-4838 or firstname.lastname@example.org
Systems NOT meeting MSS and are EXEMPT from having BigFix:
These systems must follow one of below options:
How to Install
Due to recent changes on Campus this patching service is only available for Faculty and Staff. Send email to email@example.com and we will be happy to assist you with the installation process.
Operating System and Software Patching
If a system is compromised, we will notify the research group and can provide assistance to clean off the computer. In extreme cases, systems may be required to be reformatted and rebuilt by either the end user or Information Systems. In either case, BigFix will be installed as part of the clean-up process and the compromised machine will need to be inspected to assure it is properly secured. If the end user cannot be located, the system will be blocked from the campus network.
Operating Systems Updated
Microsoft Windows XP, Vista, 7 and OS X 10.5 or greater
Windows 2003/2008 and Mac OS X Server 10.5 or greater
Software on both Windows and Apple Operating Systems Updated
Microsoft Office 2003 or greater
1. Software Patch Updates
Campus networked devices must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications.
2. Anti-virus Software
Anti-virus software must be installed and set to update daily.
3. Host-based Firewall Software
Host-based firewall software for any particular type of device must be running and configured on every level of device, including clients, file servers, mail servers, and other types of campus networked devices.
Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g. biometrics or Smart Cards). When passwords are used, they must meet be a minimum of 8 characters using numbers, letters, and punctuation. Shared-access systems must enforce these standards whenever possible and appropriate. All default passwords for access to network-accessible devices must be modified.
5. No Unencrypted Authentication
All campus devices must use only encrypted authentication mechanisms unless an exception is granted by campus. Insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalent.
6. No Unauthenticated Email Relays
Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay email messages, i.e., to process an email message where neither the sender nor the recipient is a local user.
7. No Unauthenticated Proxy Services
Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Unless an unauthenticated proxy server has been approved by the campus as to configuration and appropriate use, it is not allowed on the campus network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services.
8. Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.
9. Unnecessary Services
If a service is not necessary for the intended purpose or operation of the device, that service shall not be running.