College of Chemistry - Information Systems

BigFix Solution

Information Systems

»  Overview
»  Support
»  IBM BigFix
»  Network
»  Web Services
»  Telecommunication
»  Computational Chemistry
»  Policies
»  Licensed Software
»  Campus Resources

Overview
The College of Chemistry has partnered with Campus to provide IBM’s BigFix solution to all computers using its networks. BigFix provides patch management for Microsoft Windows, Mac OS X, and a large number of applications including but not limited to Microsoft Office for Win/Mac, Adobe Acrobat/Reader/Flash, Sun Java, and Mozilla Firefox.

Attacks on laptop and desktop computers are a growing problem on the Internet. With vulnerabilities being discovered daily, systems that are not patched in a timely manner are more susceptible to malware and viruses, thus, increasing risk to the rest of the network. This emphasizes the need for the BigFix solution which will keep computers up to date, reduce downtime due to compromises, and allow users to maximize efficiency in their research and everyday operations.

Features

BigFix software on computers communicates with the BigFix server periodically for the latest updates that need to be installed.
Enables Chemistry’s BigFix Administrators to rapidly release security patches as soon as they are available from vendors and after being tested in our Q/A environment.
Patches are assigned at a central console and distributed to computers at scheduled times without interfering or requiring interaction from the end-user.

BigFix Installation and Systems with Exemption Status
Systems will generally fall into one of the below listed categories. If you have questions, contact Information Systems at 642-4838 or support@cchem.berkeley.edu

Systems meeting MSS and are REQUIRED to have BigFix:

All laptops and desktops running Windows XP, Vista, 7 and OS X 10.5 or greater
All servers running Windows 2003/2008 or Mac OS X Server 10.5 and above

Systems meeting MSS and are EXEMPT from having BigFix:

Lab Instruments and Control Machines
Unix/Linux Machines
Undergraduate Students’ Personal Computers
Visitors Staying Less Than 3 Months
Approved Devices and Machines (i.e. Purchase storage on file server)
Approved Servers (Requires an electronically signed agreement from the PI)

Systems NOT meeting MSS and are EXEMPT from having BigFix:

Operating System Lifecycle Ended/Non-Supported (vendor no longer provides patches)
Systems that must remain unpatched due to software configuration

These systems must follow one of below options:

File an exception with campus and place the system behind a hardware firewall (All exception requests will be assisted by Information Systems. Please provide the group name, building name, room number, and IP address of machines requiring exceptions to support@cchem.berkeley.edu)
Take completely offline

How to Install
Due to recent changes on Campus this patching service is only available for Faculty and Staff. Send email to support@cchem.berkeley.edu and we will be happy to assist you with the installation process.

Operating System and Software Patching

Patches and Updates will go through testing for quality assurance and then released within two calendar weeks from when they are made available by the vendor
- Some patches will be excluded if they interfere with access or functionality to online campus systems
Depending on criticality, patches may be released the same day they are made available
When patches are released, the user will always be prompted with a confirmation window to proceed with installation
Once released, a 24 hour window will be allocated for the user to install patches and a 30 min grace period to restart machines if needed

Compromised Machines
If a system is compromised, we will notify the research group and can provide assistance to clean off the computer. In extreme cases, systems may be required to be reformatted and rebuilt by either the end user or Information Systems. In either case, BigFix will be installed as part of the clean-up process and the compromised machine will need to be inspected to assure it is properly secured. If the end user cannot be located, the system will be blocked from the campus network.

Operating Systems Updated
Microsoft Windows XP, Vista, 7 and OS X 10.5 or greater
Windows 2003/2008 and Mac OS X Server 10.5 or greater

Software on both Windows and Apple Operating Systems Updated
Microsoft Office 2003 or greater
Adobe Acrobat/Reader/Flash
Sun Java
Mozilla Firefox
Apple Quicktime
Apple ITunes

*Campus Minimum Security Standards (MSS) For Network Devices

1. Software Patch Updates
Campus networked devices must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications.

2. Anti-virus Software
Anti-virus software must be installed and set to update daily.

3. Host-based Firewall Software
Host-based firewall software for any particular type of device must be running and configured on every level of device, including clients, file servers, mail servers, and other types of campus networked devices.

4. Passwords
Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g. biometrics or Smart Cards). When passwords are used, they must meet be a minimum of 8 characters using numbers, letters, and punctuation. Shared-access systems must enforce these standards whenever possible and appropriate. All default passwords for access to network-accessible devices must be modified.

5. No Unencrypted Authentication
All campus devices must use only encrypted authentication mechanisms unless an exception is granted by campus. Insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalent.

6. No Unauthenticated Email Relays
Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay email messages, i.e., to process an email message where neither the sender nor the recipient is a local user.

7. No Unauthenticated Proxy Services
Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Unless an unauthenticated proxy server has been approved by the campus as to configuration and appropriate use, it is not allowed on the campus network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services.

8. Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.

9. Unnecessary Services
If a service is not necessary for the intended purpose or operation of the device, that service shall not be running.