The University of Glasgow Guidelines for System and Network Administrators
Draft (rev 1.1) for comment (30th July 2003)
Purpose
Network and Systems Administrators have privileges and duties that may bring them into contact with sensitive, restricted or personal information during the course of their work. The privileges they have with respect to system access, operation and maintenance are for the express purpose of ensuring maximum availability, integrity and security for the systems they are responsible for. The purpose of this Policy is to define the roles and responsibilities of Network and Systems Administrators from a network and systems security perspective. Heads of Departments, services and research groups who have a requirement to manage network segments or network servers and applications must ensure that these roles and responsibilities are properly addressed.
Scope
This Policy covers all personnel engaged in network and systems administration. It applies to central support staff as well as department, service and research support staff. The range of duties covered by this Policy includes:
- Network support for:
  - Infrastructure components
  - LAN components
- Services and Applications:
  - Centralised core servers, services and applications
  - Decentralised servers, services and applications
- Staff and Student desktop support
- Telephony services
- Support services, e.g., network operators, systems operators, IT advisory services
- Any other privileged access to University Information systems
University Management are ultimately responsible for the actions of University staff and must ensure that all staff engaged in network and systems administration duties are suitable for those roles and are made aware of the University Policies which affect their work or their use of Information technology resources.
Policy
System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". With respect to the University’s Information technology resources, ‘ownership’ rests with the Secretary of the University Court acting on behalf of the University authorities. In accordance with current UK legislation, Service Directors and Heads of Departments or Research Groups require delegated authority from the Secretary of the University Court before they may authorise personnel to engage in network and system administration activities. Some systems may have more complicated ownership, as they may be formally the property of departments, research groups or third parties. In such cases it will be a condition of connecting to the University campus network that authority rests with the Secretary of the University Court.
If any administrator is ever unsure about the authority they are working under, they should stop and seek advice immediately, as otherwise there is a risk that their actions may be in breach of the law.
Permitted Activities
The duties of system and network administrators can be divided into two areas. The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which they are responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.
Many administrators also play a part in monitoring compliance with policies which apply to the systems. For example, some organisations may prohibit the sending or viewing of particular types of material, may restrict access to certain external sites, or may ban certain services from local systems or networks. The JANET Acceptable Use Policy prohibits certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.
The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.
Operational activities
Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:
- Monitor and record traffic on those networks or display it in an appropriate form;
- Examine any relevant files on those computers;
- Rename any relevant files on those computers or change their access permissions (see Modification of Data below);
- Create relevant new files on those computers.
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.
The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
Policy activities
Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and of the policies to which it will apply. If this has not been done through a general notice to all users, then before a file is examined, or a network communication monitored, individual permission must be obtained from all owners of the files or from all parties involved in the network communication.
Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they have responsibility and authority:
- Monitor and record traffic on those networks or display it in an appropriate form;
- Examine any relevant files on those computers;
- Rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below);
- Create relevant new files on those computers;
- Under the direction and authority of the University of Glasgow Computer Incident Response Team (UGCirt), recover computers for detailed inspection.
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.
The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user file store then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
General Roles and Responsibilities
This section describes the general roles and responsibilities applicable to network and system administrators. It is recognised that the terms network administrator and systems administrator may mean different things to different constituencies, e.g., some may use the terms interchangeably and some may combine the roles under one or the other title. However, irrespective of terminology, certain roles and responsibilities need to be identified and properly addressed.
Network administrators
Network administrators are responsible for the security and availability of the networks they manage. Network administrators must adhere to this and all relevant University Information Technology Policies, in particular:
- Universal Access Policy
- Network Connection Policy
- Wireless LAN Policy
- Network and Systems Monitoring Policy
- Incident Handling Policy
For each network there should be at least one network administrator available at all times during normal working hours, and emergency call-out procedures should be documented for other times. Network administrators should maintain a network topology map for all active equipment and proactively monitor network equipment for faults or other service-affecting conditions. Detailed inventories should be maintained identifying equipment, location, purpose and maintenance schedules. All key network equipment should be manageable via SNMP or other techniques. Network administrators should be aware that network equipment may itself be the target of security attacks and should protect it accordingly, i.e.:
- Restrict stations/networks allowed management access
- Restrict user, monitor and admin accounts
- Implement the University’s password policy
- Choose SNMP community strings wisely
- Implement ACLs where appropriate
- Implement routing table update security where appropriate
- Limit DoS impact, e.g., restrict and rate limit ICMP
- Limit management agents and services to those absolutely necessary
- Configure logging on routing and switching equipment where appropriate; NB: logs should be stored on a separate, secure system
- Regularly review log files for unusual events or activities
- Report all network security incidents to the UGCirt
Management information should be collected and stored in a form that will aid the following activities:
- Performance monitoring, fault tracking and capacity planning
- Incident investigation
- Policy compliance monitoring
Network administrators should be aware of the roles and potential vulnerabilities associated with the systems that connect to their networks and provide advice to system administrators on proactive measures to help protect those systems. During the course of their duties network administrators may detect suspicious activity or security breaches. In all cases such incidents must be reported to the University of Glasgow Computer Incident Response Team, UGCirt. Network administrators will be expected to work with or under the direction of UGCirt to help resolve any security incident affecting their networks.
System administrators
System administrators are responsible for the security and availability of the network servers they manage. System administrators must adhere to this and all relevant University Information Technology Policies, in particular:
- Universal Access Policy
- Network Connection Policy
- Network and Systems Monitoring Policy
- Bastion Host Policy
- Incident Handling Policy
For each network server, service and application there should be at least one system administrator available at all times during normal working hours, and emergency call-out procedures should be documented for other times. It is recognised that many system administration activities will be operating system, service or application specific and that systems administrators must be proficient in those tasks. However, there are a number of common security-related tasks that system administrators must address irrespective of the operating environments involved, i.e. they must:
- Understand the role of each server and its importance to the user community served
- Understand the range and types of vulnerabilities that may affect the systems they are responsible for
- Perform a risk analysis for each vulnerability and implement risk reduction measures where appropriate. This may be done in collaboration with UGCirt
- Perform regular systems maintenance functions with respect to the following:
  - Operating system patches and hot fixes
  - Service and application patches and hot fixes
  - Operating system, service and application software updates and new releases
- Implement vendor security configurations and recommendations. Systems administrators should familiarise themselves with all vendor specific security recommendations and relevant ‘best practice’ guides advertised by UGCirt
- Implement procedures that ensure early notification of newly detected vulnerabilities and vendor security patches
- Discuss security requirements with UGCirt
- Limit operating system options, features, services and applications to those essential for the primary purpose of the network server
- Disable all IP application and service ports that are not required for the server's primary role
- Install additional proactive security measures where appropriate, e.g.,
  - TCP Wrappers or their equivalents to limit the server's visibility
  - Anti-virus software to protect against malicious code
  - Access control lists (ACLs) to restrict access and service/application visibility
  - Firewall shims to extend ACLs with stateful inspection
- Enable operating system, service and application logging to record the following:
  - Connection attempts
  - Authentication results
  - Network interface statistics
  - Unusual events
  Wherever possible logs should be forwarded to a secure system for storage. It is essential that internal system clocks are synchronised via the Network Time Protocol (NTP) to ensure accurate correlation between evidence gathered from system logs.
- Review system logs regularly
- Checkpoint the system file store with an auditing tool, e.g., Tripwire, to help detect rootkits or other altered system images
- Monitor systems operating parameters for unusual events, processes, access problems, disk anomalies
- Ensure all user access is authenticated and advise users on system authentication requirements e.g., University password recommendations, strong encryption (SSH) for remote access to user accounts if required
- Limit user rights to the minimum necessary to conduct their work
- If remote management access to a server is required then enforce strong encryption via SSH
- Restrict the use of the administrator account to tasks associated with systems administration
- Only access administrator accounts from systems and networks that are known to be secure
- Disable or delete old or unused user accounts that are no longer needed
- Produce a disaster recovery plan for servers, services and applications
- Perform regular server backups and maintain at least two copies; one copy should be stored locally and the other at a convenient remote site
- Test restore/recovery procedures periodically
- Report all security incidents to UGCirt
- Request vulnerability scans from UGCirt at least twice per year
- Ensure compliance with all University information technology policies, UK laws and regulations
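The file store checkpoint item above, as an added example that is not part of the guidelines: a minimal file-integrity check in POSIX shell that records a baseline of relative path, SHA-256 hash and mode/owner for every regular file under a directory, and later reports files that were added, removed or changed (content, permissions or ownership). It assumes GNU coreutils (sha256sum, stat -c, mktemp) and filenames without tabs or newlines; run checkpoint once on a known-good system and verify on a schedule.

```shell
#!/bin/sh
# Minimal file-integrity checkpoint (added example, not University code).
# Assumes GNU coreutils: sha256sum, stat -c, mktemp. Filenames must not
# contain tabs or newlines, because one record per line is written.

# snapshot DIR: print "relative-path <TAB> sha256 <TAB> mode:uid:gid" for
# every regular file under DIR, sorted so two snapshots are comparable.
snapshot() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            meta=$(stat -c '%a:%u:%g' "$f")
            printf '%s\t%s\t%s\n' "${f#./}" "$sum" "$meta"
        done
    )
}

# checkpoint DIR BASELINE: record the trusted state. Keep the baseline on a
# separate, read-only or remote store (as the guidelines say of logs), so an
# intruder who alters the tree cannot also rewrite the record of it.
checkpoint() {
    snapshot "$1" > "$2"
}

# verify DIR BASELINE: compare the current tree with the baseline and print
# one "ADDED|REMOVED|CHANGED <TAB> path" line per difference, sorted.
# CHANGED means hash, permissions or ownership differ. Returns 0 when the
# tree matches the baseline, 1 otherwise.
verify() {
    tmp=$(mktemp)
    snapshot "$1" > "$tmp"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 FS $3; next }
                            { cur[$1]  = $2 FS $3 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED\t" p
            for (p in cur) {
                if (!(p in base))           print "ADDED\t" p
                else if (cur[p] != base[p]) print "CHANGED\t" p
            }
        }' "$2" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}
```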
During the course of their duties System administrators may detect suspicious activity or security breaches. In all cases such incidents must be reported to the University of Glasgow Computer Incident Response Team, UGCirt. System administrators will be expected to work with or under the direction of UGCirt to help resolve any security incident affecting their systems.
Management responsibility
Management should restrict the number of persons granted privileged systems or network equipment access to those responsible for the day-to-day operation and support of the systems and networks. Granting authority and privileged access to network and networked systems represents a delegation of trust in selected individuals. System and network administrators should therefore be chosen carefully, based on personal qualities of honesty, integrity and unquestionable work ethics. Management must ensure that system and network administrators are competent for the tasks they are expected to perform and that they comply with all relevant Information Technology Policies. Management must be aware of the importance of the support roles and responsibilities associated with network administration or deploying a network server, service or application. If management cannot fulfil these obligations they should seek alternative solutions from centrally provided facilities.
Ethical considerations
Systems and Network administrators play a critical role in the security and availability of the systems and networks they are responsible for. During the course of their duties it is inevitable that they will come into contact with sensitive, personal or restricted information. For these reasons system and network administrators must display an exemplary work ethic. The following sections indicate the ethical standards expected of system and network administrators employed by the University of Glasgow.
Disclosure of information
System and network administrators are required to respect the confidentiality of files, correspondence and other data they come into contact with.
During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential: it must neither be acted upon nor disclosed to any other person unless this is required as part of a specific incident handling procedure:
- Information relating to the current incident may only be passed to managers or others involved in the incident;
- Information that does not relate to the current incident must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to management for them to decide whether further investigation is necessary.
Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on their systems. Authorised administrators may come across such data during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant University authority and the UGCirt.
Modification of Data
For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:
- Rename or move files, if necessary to a secure off-line archive, rather than deleting them;
- Instead of editing a file, move it to a different location and create a new file in its place;
- Remove information from public view by changing permissions (and if necessary ownership).
Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.
The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.
Professionalism
Administrator behaviour must reflect the importance of the role and the duties performed. Administrators will be required to work with individuals at all levels, including users, senior management, vendors and other administrators, and should display patience, understanding and professionalism to help ensure that trust and respect are never compromised.