UIS.203.1T Configuration Management Implementation Guide

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

Baseline configurations are documented, formally reviewed, and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to University systems, system components, and networks. 

Configuration of servers and end-user workstations 

Servers and end-user workstations must be configured to audit for the following events:

  • Server startup and shutdown

  • Starting and stopping of audit functions

  • Loading and unloading of services

  • Installation and removal of software 

  • System alerts and error messages

  • Application alerts and error messages

  • Modifications to system applications

  • User logon and logoff

  • System administration activities, such as Windows “runas” or Linux “su” use.

  • Access to information, files, and systems

  • Account creation, modification, or deletion

  • Password changes

  • Modifications of access controls, such as change of file or user permissions or privileges (e.g., use of suid/guid, chown, su)

  • Additional security-related events, as required by the system owner or to support the nature of the supported business and applications

  • Clearing of the audit log file

  • Remote access outside of the agency network communication channels (e.g., modems, dedicated VPN) and all dial-in access to the system

  • Changes made to an application or database by a batch file

  • Application-critical record changes

Configuration of network devices

Network devices (e.g., router, firewall, switch, wireless access point) must be configured to audit for the following events: 

  • Device startup and shutdown

  • Administrator logon and logoff

  • Configuration changes 

  • Account creation, modification, or deletion

  • Modifications of privileges and access controls

  • System alerts and error messages 

Control Network Management Configuration

Networks and network devices must meet the following configuration standards to minimize the risk to the University of damage to its public image caused by unauthorized use of University resources, and of the loss of University data and intellectual property:

  • Network device data is classified as High risk data.
  • Network devices must be inventoried in the University asset management system with a designated point of contact.
  • All applicable security patches and device updates must be installed, unless otherwise exempted by authority of the CISO.
  • Remote access to the device for all administrative or support tasks must be secure: 
    • All access must be via the University VPN. 
    • Must use an approved University elevated account.
    • Must be via a University-managed workstation.
       
  • Firewalls must be configured in accordance with the Configuration Management Policy and business needs.
    • Any form of cross-connection which bypasses the firewalls is strictly prohibited.  Any exceptions must be approved by UISO.
    • Original firewall configurations and any associated changes must be reviewed and approved by the UISO (including both general configurations and rule sets). 
    • All firewall and network control devices are maintained by UIS.
  • Routers and switches must use Terminal Access Controller Access-Control System Plus (TACACS+) for all user authentication.  Local user accounts configured on the router are for emergency access only and must meet the following requirements:

    • Only used when TACACS+ is not available

    • Passwords must meet the University password security policy

    • Passwords must be unique for each University device

  • The enable password for the router or switch must be kept in a secure encrypted form, which must be stored in the Enterprise password store (CYBERARK).

  • The following services or features must be disabled unless a business justification is provided: 

    • IP directed broadcasts  

    • Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses 

    • TCP small services  

    • UDP small services 

    • All source routing and switching 

    • All web services running on router 

    • University discovery protocol on Internet-connected interfaces 

    • Telnet, FTP, and HTTP services 

    • Auto-configuration

    • Dynamic trunking 

    • Scripting environments, such as the TCL shell   

  • Use University standardized Simple Network Management Protocol (SNMP) community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
  • Access control lists must be used to limit the source, destination and type of traffic that can terminate on the device itself. 
  • Access control lists for transiting the device are to be added as business needs arise.
  • Each router must have the following statement presented for all forms of login, whether remote or local:
    “UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring.”  
  • Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
  • The University router configuration standard defines the category of sensitive routing and switching devices and requires additional services or configuration on sensitive devices, including:
    • IP access list accounting 
    • Device logging 
    • Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped 
    • Router console and modem access must be restricted by additional security controls.
  • Remote maintenance must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or Virtual Private Network (VPN) access independent from the University networks.
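
The following compliance check is an added example, not part of the University guide: it scans a device configuration for some of the services the list above requires to be disabled and for default SNMP community strings. It assumes Cisco IOS-like command syntax (the guide names no vendor); `audit_config`, the rule tables, and the sample configuration are hypothetical and constructed for illustration.

```python
import re

# Policy item -> forbidden statement; Cisco IOS-like syntax is an assumption.
FORBIDDEN = [
    ("IP directed broadcasts", r"ip directed-broadcast\b"),
    ("TCP small services", r"service tcp-small-servers\b"),
    ("UDP small services", r"service udp-small-servers\b"),
    ("Web services on router", r"ip http (secure-)?server\b"),
    ("Telnet", r"transport input .*\b(telnet|all)\b"),
    ("Auto-configuration", r"service config\b"),
    ("Dynamic trunking", r"switchport mode dynamic\b"),
    ("Default SNMP community", r"snmp-server community (public|private)(\s|$)"),
]
# Assumed to be possibly on by default, so an explicit "no" form is demanded.
REQUIRED = [("Source routing", "no ip source-route")]

def audit_config(text):
    """Return (policy item, line number, context, statement) findings."""
    findings, seen, context = [], set(), "global"
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line opens a new context
            context = line if re.match(r"(interface|line) ", line) else "global"
        seen.add(line)
        if line.startswith("no "):  # negated form is the compliant one
            continue
        findings += [(item, num, context, line)
                     for item, pat in FORBIDDEN if re.match(pat, line)]
    findings += [(item, 0, "global", "missing: " + stmt)
                 for item, stmt in REQUIRED if stmt not in seen]
    return sorted(findings, key=lambda f: f[1])

# Constructed sample configuration, not taken from any real device.
SAMPLE = """\
service tcp-small-servers
no service udp-small-servers
ip http secure-server
snmp-server community public RO
interface GigabitEthernet0/0
 ip directed-broadcast
interface GigabitEthernet0/1
 no ip directed-broadcast
 switchport mode dynamic desirable
line vty 0 4
 transport input telnet ssh
"""
if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```

Findings reported at line 0 are statements missing from the configuration, not statements present in it.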