Configuration Management Policy
Title: Configuration Management Policy
Effective Date: October 17, 2022
Responsible Office: Information Technology
Last Updated: May 17, 2024
Purpose
This policy details the security configuration requirements for information technology systems connected to the William & Mary network.
Scope
The scope of this policy includes any device connected to the William & Mary network.
Policy
1. Operating System
All networked devices must be running a currently supported OS that is eligible for security updates. See the university’s OS Support Standard for guidance.
2. Software Patch Updates
Campus networked devices must only run software and firmware for which the vendor still supplies security patches. All currently available security patches must be applied on a schedule appropriate to the severity of the risk they mitigate. Updates identified as Critical must be applied within 30 days of release. Critical is defined as a vulnerability with a CVSS score of 9.0 or higher.
3. Anti-Malware Software
For Microsoft Windows, Apple macOS, or Linux computers for which anti-malware software is available, anti-malware software must be running and up to date. In addition, the software must run real-time scanning and scan the device regularly.
4. Host-Based Firewall Software
For devices for which host-based firewall software is available, host-based firewall software must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based firewall does not obviate the need for host-based firewalls.
5. Authentication
Network services and local (console) device access must require authentication using passphrases or other secure authentication mechanisms unless the explicit purpose of the service/device is to provide unauthenticated access (for example: public web servers or public kiosks) and it can do so without readily allowing it to be used by attackers. Notably, the following network services must require authentication: proxy services, email (SMTP) relays, wireless access points, and SSH shell access.
Simple devices like printers, game consoles, and media extenders that do not support local authentication are exempt from this requirement provided that physical access is restricted. This exemption does not extend to network-facing services running on the device.
Two-factor authentication is required on all university-owned or leased user devices and for any privileged account access to devices or servers.
6. Passphrase Complexity
When passphrases are used, they must meet the following complexity specifications:
Passphrases MUST:
a) Contain eight characters or more
b) Contain characters from two of the following three character classes:
I. Alphabetic (i.e., a-z, A-Z)
II. Numeric (i.e., 0-9)
III. Punctuation and other characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
Multi-user systems must be configured to enforce these complexity requirements and require that users change any pre-assigned passphrases immediately upon initial access to the account.
All default passphrases for access to network-accessible accounts must be changed at the time of network connection.
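As an added example, not part of the university's policy or its tooling, the following Python check implements the section 6 complexity rules: a minimum length of eight characters and characters from at least two of the three classes. It assumes class I is alphabetic (the policy's list spells out only classes II and III), treats any other non-whitespace character as "punctuation and other characters", and counts whitespace toward length but not toward any class. The sample inputs are constructed and are not real credentials.

```python
"""Passphrase complexity check for the section 6 rules (added example)."""

MIN_LENGTH = 8          # policy: eight characters or more
REQUIRED_CLASSES = 2    # policy: two of the three character classes

# The three classes the policy names. Class I is assumed to be alphabetic;
# the policy text itself lists only II (numeric) and III (punctuation/other).
ALPHABETIC = "alphabetic"
NUMERIC = "numeric"
PUNCTUATION = "punctuation"


def character_classes(passphrase: str) -> set:
    """Return the set of policy character classes present in the passphrase.

    Assumptions: numeric means the ASCII digits 0-9 as in the policy text;
    any non-letter, non-digit, non-whitespace character counts as
    "punctuation and other characters"; whitespace counts toward length
    but toward no class, since the policy's example list does not include it.
    """
    classes = set()
    for ch in passphrase:
        if ch.isalpha():
            classes.add(ALPHABETIC)
        elif "0" <= ch <= "9":
            classes.add(NUMERIC)
        elif not ch.isspace():
            classes.add(PUNCTUATION)
    return classes


def check_passphrase(passphrase: str) -> list:
    """Return the list of policy rules the passphrase violates (empty = compliant)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(passphrase)
    if len(found) < REQUIRED_CLASSES:
        problems.append(
            f"uses {len(found)} of 3 character classes, need {REQUIRED_CLASSES}")
    return problems


def is_compliant(passphrase: str) -> bool:
    return not check_passphrase(passphrase)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["correcthorse", "Tr0ub4dor", "ab1!", "12345678",
                      "staple battery 42"]:
        print(repr(candidate), check_passphrase(candidate) or "OK")
```

Multi-user systems normally enforce this through the platform's own mechanism (for example a PAM password-quality module on Linux or the domain password policy on Windows); a standalone check like this is useful for auditing exported account data or for validating passphrases set through a provisioning script before they reach the target system.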
7. No Unattended Console Sessions
Devices must be configured to "lock" or log out and require a user to re-authenticate if left unattended for more than 20 minutes, except in the following cases:
Devices without auto-locking/logoff capability: Devices that do not support a configuration that automatically locks or logs off users after a specified period of time (such as network appliances and consumer electronics) may meet this standard through alternate controls, such as physical access restrictions (e.g., appliance stored in a locked office).
Devices which are physically secured: Devices kept in a physically secured space not accessible by unauthorized users are exempt from this standard.
Kiosks and other public-use devices: Devices configured to satisfy the Campus Guidelines for Kiosk Workstations (e.g., public-use workstations in libraries and room/event scheduling panels) are exempt from this requirement.
8. No Unnecessary Services
If a network service is not necessary for the intended purpose or operation of the device, that service must not be running.
9. Privileged Accounts
Privileged and super-user accounts (Administrator, root, etc.) must not be used for non-administrator activities. A secure mechanism to escalate privileges (e.g., via User Account Control or via sudo) with a standard account is acceptable to meet this requirement. Network services must run under accounts assigned the minimum necessary privileges.
The following case is exempted from this requirement:
Devices that do not support separation of privileges: Devices that do not provide separate facilities for privileged or unprivileged access (e.g., some network appliances and printers with embedded operating systems) are exempt from this requirement.
Computers and Other Devices
University-owned desktops, laptops, tablets, and other mobile computing devices:
- must have full disk encryption enabled wherever it is feasible; cases where circumstances prevent it are handled under Exceptions below.
- must be managed and secured centrally by an endpoint management tool.
- must have a baseline configuration that is reviewed annually.
Servers
- Backups
- System administrators must establish and follow a procedure to carry out regular system backups.
- Backup procedures must include at least one encrypted or immutable copy of any data classified as critical or sensitive, and that copy must be stored off-site.
- Backups must be verified at least monthly, through automated verification, customer-initiated restores, or trial restores.
- System administrators must maintain documented restoration procedures for systems and the data on those systems.
- Change Management
- There is a change management process for changes to critical or sensitive systems. This process must be documented.
- Patches and system changes are evaluated prior to being applied in a production environment.
- Patches and significant system changes are tested prior to installation in the production environment if a test environment is available.
- If a test environment is not available, the lack of patch/change testing is communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch/change.
- System Hardening
- All systems will be hardened using the security configuration benchmarks published by the Center for Internet Security (CIS) as a guideline.
- Security configurations that are deemed non-applicable or risky to the university will have documented exceptions.
- All servers must have a supported operating system and application security patches must be installed in a timely fashion.
- All Windows servers must run an anti-virus software program that is regularly updated with the latest virus definitions available.
- Unnecessary accounts and services should be disabled or blocked.
- A host-based firewall should be in use.
- All authentication must take place over encrypted channels; credentials must never be transmitted in cleartext.
- A system administrator must be identified.
- A backup and recovery process should be in place and tested regularly.
- Passwords must be changed from the vendor defaults.
- System configurations must be reviewed annually.
- Security
- If the operating system provides a means to log activity, those logging controls must be enabled and tested.
- Operating system and service log monitoring and analysis must be performed routinely, and the process must be documented.
- A security administrator must follow a documented backup strategy for security logs (for example: account management, access control, and data integrity events). At least 90 days of relevant security log information must be retained; data retention requirements for specific data types must also be considered.
- Copies of security logs must be stored off-device in a separate log server.
- Vulnerability Management
- Critical and sensitive systems will be scanned weekly, and reports sent to the Information Security team.
- Vulnerability reports will be reviewed to ensure patching cadence is being adhered to and to ensure all relevant and critical vulnerabilities are patched within 30 days of notification.
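Section 2 and the Vulnerability Management items above together give the measurable rules: Critical means CVSS 9.0 or higher, Critical patches are applied within 30 days of release, and critical and sensitive systems are scanned weekly. The following Python script, an added example rather than the university's own tooling, checks a constructed set of scan findings and a host inventory against those thresholds and reports SLA breaches (findings still open, or patched late, past the 30-day window) and hosts whose last scan is older than a week. The Finding and Host records, the VULN-xxxx identifiers, the host names and the dates are all constructed; the 9.0 threshold is assumed to apply to the CVSS base score.

```python
"""Patch SLA and scan-cadence check for section 2 and Vulnerability Management (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

CRITICAL_CVSS = 9.0       # policy: Critical = CVSS score of 9.0 or higher (assumed: base score)
CRITICAL_SLA_DAYS = 30    # policy: Critical updates applied within 30 days of release
SCAN_CADENCE_DAYS = 7     # policy: critical and sensitive systems scanned weekly


@dataclass
class Finding:
    host: str
    vuln_id: str                     # constructed placeholder IDs below, not real CVE numbers
    cvss: float
    released: date                   # date the vendor patch became available
    patched: Optional[date] = None   # None = still unpatched


@dataclass
class Host:
    name: str
    critical: bool                   # a "critical or sensitive" system under the policy
    last_scan: date


def is_critical(f: Finding) -> bool:
    return f.cvss >= CRITICAL_CVSS


def days_open(f: Finding, today: date) -> int:
    """Days from patch release to remediation, or to today if still open."""
    return ((f.patched or today) - f.released).days


def sla_breaches(findings: List[Finding], today: date) -> List[Finding]:
    """Critical findings that were, or still are, unpatched past the 30-day SLA."""
    return [f for f in findings
            if is_critical(f) and days_open(f, today) > CRITICAL_SLA_DAYS]


def stale_scans(hosts: List[Host], today: date) -> List[Host]:
    """Critical/sensitive hosts whose last scan is older than the weekly cadence."""
    return [h for h in hosts
            if h.critical and (today - h.last_scan).days > SCAN_CADENCE_DAYS]


def report(findings: List[Finding], hosts: List[Host], today: date) -> List[str]:
    """One line per policy violation, suitable for sending to the security team."""
    lines = []
    for f in sla_breaches(findings, today):
        state = "patched late" if f.patched else "still open"
        lines.append(f"SLA breach: {f.host} {f.vuln_id} CVSS {f.cvss} "
                     f"open {days_open(f, today)} days ({state})")
    for h in stale_scans(hosts, today):
        lines.append(f"Stale scan: {h.name} last scanned {h.last_scan}")
    return lines


# Constructed sample data (not from any real scanner or host inventory).
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("db01", "VULN-0001", 9.8, date(2024, 4, 1)),                       # open 61 days: breach
    Finding("db01", "VULN-0002", 9.1, date(2024, 5, 20)),                      # open 12 days: inside SLA
    Finding("web01", "VULN-0003", 9.0, date(2024, 4, 1), date(2024, 4, 20)),   # patched on day 19: OK
    Finding("web01", "VULN-0004", 7.5, date(2024, 1, 1)),                      # High, not Critical: out of scope
    Finding("app01", "VULN-0005", 10.0, date(2024, 4, 1), date(2024, 5, 15)),  # patched on day 44: late
]
SAMPLE_HOSTS = [
    Host("db01", True, date(2024, 5, 29)),   # scanned 3 days ago: OK
    Host("web01", True, date(2024, 5, 20)),  # scanned 12 days ago: stale
    Host("app01", False, date(2024, 3, 1)),  # not critical/sensitive: not checked here
]

if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS, SAMPLE_HOSTS, TODAY):
        print(line)
```

Note that the clock starts at patch release, as section 2 states, not at the date the scanner first reported the finding; a host that was not scanned for two weeks can therefore already be in breach when its first report arrives, which is exactly why the weekly scan cadence is checked alongside the patch SLA.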
Exceptions
Exceptions to any of these requirements must be reviewed and documented by the Information Security team.
Questions?
Contact the Technology Support Center (TSC)
757-221-4357 (HELP) | support@wm.edu | Monday - Friday, 8:00 am - 5:00 pm