Infrastructure Upgrade Remote Access Dial In

Security Administration Policy:

Infrastructure Upgrade Remote Access – Dial In

Presented by:

FrontWayTechnology Systems Security

Rev. 15

Security Administration Policy

Remote Access via Dial In Access Server

Table of Contents


I. Purpose

II. Scope

III. Deployment Guidelines On Remote Access

IV. Policy

V. Enforcement

VI. Summary

CMSD Technology Systems Security / Last Revised: 06/03/19
Rev. 5

I. Purpose

The purpose of this policy is to provide guidelines for use of Cleveland Metropolitan School District’s remote access network.

II. Scope

This policy applies to all Cleveland Metropolitan School students, staff, employees, contractors, consultants, and temporaries, including all personnel affiliated with third parties utilizing district resources to access the Cleveland Metropolitan Schools network. This policy applies to any device attempting remote connection to the district via the public telephone systems.

III. Deployment Guidelines On Remote Access

The Cleveland Metropolitan Schools provides remote dial-in access for users requiring connections from locations outside the District's buildings. Authentication for remote connections is provided via accounting and authorization servers. Users must have a valid username and password to authenticate via the Remote Access servers. Usernames and passwords can be requested by completing a Computer Security Authorization (CSA) form.

IV. Policy

Below are the District's policies with respect to Remote Access from Dial In Connections:

A. General

  • It is the responsibility of Cleveland Metropolitan School District employees, contractors, vendors and agents with remote access privileges to the CMSD network to ensure that their remote access connection is given the same consideration as the user's on-site connection.
  • Remote Access Services are a user-managed service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, configuring and installing any required software, and paying associated fees.
  • Users requesting Remote Access need to complete a Remote Access Request form.

B. Requirements

  • Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy.
  • Users must have an Active Directory account or manually entered username and password since this connectivity is authenticated via Cisco’s Secured Access Control Service.
  • The client workstation must have a remote access client capable of CHAP authentication.
  • At no time should any CMSD employee, vendor or 3rd party provide their login or email password to anyone, not even family members.
  • CMSD employees and contractors with remote access privileges must ensure that their Cleveland Metropolitan School District-owned laptop computer or workstation, which is remotely connected to Cleveland Metropolitan School District's network, is not connected to any other network at the same time.
  • Reconfiguration of CMSD owned equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
  • All hosts that are connected to Cleveland Metropolitan School District internal networks via remote access technologies must use the most up-to-date anti-virus software.
  • CMSD does not authorize or support installation of the VPN client software on non-CMSD equipment.

C. Remote Access User Account and Scripting

  • Current users in CMSD.NET have access by default if they have a current Active Directory logon. No significant account changes are necessary.
  • If a user resides outside of the above domains, they must be a member of the Teacher, Office, or Notes group to authenticate correctly. Because we are utilizing Windows Group Policies to lock desktops at the schools, we create an account in the Masterdom1 domain for staff users in school domains seeking remote dial-in connection. This prevents a policy lock on home PCs.
  • A home directory should be specified for each user account and reside on the applicable domain server.
  • All users residing on CMSD.NET domain should have a logon script or profile that maps network shares.

V. Enforcement

Any employee found to have violated this policy shall be subject to disciplinary action, up to and including termination of employment. Any student found in violation will be subject to the school building's defined disciplinary action for unacceptable behavior and district property damage.

VI. Summary

Remote Access Services are a privilege for CMSD users that demonstrate the need. When using RAS to connect to the CMSD network, users must observe the approved RAS policy. Unauthorized or unapproved usage can open the CMSD network to security vulnerabilities. Users requesting RAS will have to acquire approval through their respective managers and CMSD Technology Systems Security.
