Engineering IT Standards
Draft For Consultation
DRAFT: November 2, 2022
(Minor edits Nov 28, 2023)
These standards will apply to all IT within the Faculty of Engineering at the University of Waterloo after a third discussion at ESAG (Engineering System Administrators' Group) in September 2023, chaired by the Director of Engineering Computing. Previous discussions raised no objections, but minor wording changes have improved clarity, and the WCAG item has been added.
- Very frequent security alerts (caused by unidentified machines that we then have to track down) result in inefficient use of resources while exposing us to risk. Also, on certain days we run out of IP addresses in E5-7 because the pool of available IPs is too small.
Every work-related computing system with an on-campus Ethernet or otherwise wired IP address must be registered in campus DNS with either a permanent employee or, preferably, an IT service group mailing list designated as the technical contact.
Dynamic IP addresses on the Ethernet should be reserved for short-term usage, such as laptops on 802.1X-authenticated Ethernet, IoT devices, and temporary workstations that will be relocated to a more permanent location. Note that dynamic systems with no technical contact will be removed and permanently blacklisted from the network at the first instance of a security issue, with no prior notice.
Conversely, computers using only the wireless networks or "wired wireless" are exempt from registration only if they use authenticated access through either Eduroam or 802.1X Ethernet.
- Security issues need to be resolved in a timely fashion without disrupting others.
Every Engineering system must have a permanent employee (staff or faculty) with access to system management. So even if graduate or undergraduate students are given access or privileges, there must be a permanent employee with administrative access to solve problems as they arise.
- Staff departures (retirement, illness, jobs elsewhere, etc.) have left many machines with nobody who has root/Administrator access. Several cases in the past year made this obvious.
Every work-related computing system must have its root or Administrator password stored (in escrow) on paper or on file with the departmental Administrative Officer (or equivalent), with Engineering Computing, or with a third party registered with Engineering Computing whom we know we can contact in an emergency when staff are absent.
- Near-constant security alerts arise because we are letting users run their workstations as Web servers. User applications often require reduced security in order to work well.
Public-facing Web servers should only be run on staff-managed, well-maintained servers. All user workstations must be moved to client-only subnets. Users should not be running public-facing Web servers on workstations. If offsite access is needed, all workstation ports can be accessed remotely using the campus VPN. There are legacy situations where workstations have historically run public-facing Web servers; these sites must be migrated to servers.
- We are under constant attack from hackers (both state and criminal). The current campus standard is for better authentication methods.
Computers which publicly expose remote terminal access (through RDP, SSH, etc.) must be configured to use either SSH keys only or multifactor authentication for off-site access, in order to reduce the risk of brute-force password attacks or credential theft from other systems. If one can log in with just a userid and password, the system must not be accessible off campus except through the VPN.
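One way to meet this standard on a Linux/OpenSSH host, as an added example that is not part of the Engineering standard: password logins are disabled by default and re-enabled only for on-campus and VPN source ranges, so anything reaching the host from the public Internet must present an SSH key. The CIDR ranges are placeholders (IETF documentation addresses), not UW's actual subnets.

```ssh_config
# Added example sshd_config fragment (not UW's own configuration).
# Default for every connection: keys only, no password or keyboard-interactive auth.
PasswordAuthentication no
# Older OpenSSH releases spell this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3

# Log the key fingerprint and source address of every login so the 14-day
# login-log requirement can be met from the system log.
LogLevel VERBOSE

# Exception: trusted on-campus and VPN source ranges (placeholder CIDRs) may
# still authenticate with a password. Any other source address falls through
# to the key-only defaults above. Match blocks must come last in the file.
Match Address 192.0.2.0/24,198.51.100.0/24
    PasswordAuthentication yes
```

Validate the file with `sshd -t` before reloading the service; if a multifactor module is used instead, the Match exception can be dropped entirely.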
- IST identifies several machines per week which have outdated software with known security issues.
All software (including operating systems) must use currently supported versions, and we must retire End-of-Life software or restrict it sufficiently to minimize risks. For current support details of most popular software, see [endoflife.date](https://endoflife.date/).
Departmental IT staff are expected to manage systems and not just install them.
- When trying to determine the degree of damage after an attack, we need to have logs of access.
All remotely accessible systems must maintain logs of logins and remote access for at least 14 days as these may be needed to facilitate security and technical reviews from time to time.
- Sometimes students and other users have set up external access to UW through the cloud, exposing us to security attacks, and violating campus software licenses.
Use of cloud-tunneling channels to surreptitiously provide remote access to UW Engineering devices behind client-only subnets is prohibited unless explicit permission is granted by the Director of Engineering Computing.
In other words, if UW believes the device is on a client-only subnet, it cannot be exposed to the world using other means.
- The Ontario government requires compliance with WCAG 2.0 in certain situations, such as the public web pages of entities like the University. More details can be found at Ontario Government Accessibility and more technical info at Ontario….
UW Public web pages must meet Ontario laws regarding accessibility.
(Added Nov 28, 2023) Computers that hold any private information must have drive encryption. The built-in BitLocker or Apple’s encryption are both sufficient. Escrow keys should be stored either in Active Directory or in a shared folder among IT staff following the same guidelines as other passwords.
All Engineering computers and IT operations are also subject to the campus-wide standards, policies and guidelines published at Policies
If IT staff observe activity or configurations which appear to contravene either Engineering or Campus rules or standards, they have an obligation to report such matters to the Director of Engineering Computing, who will assess the problem and inform others as required, including IST, the Executive Officer, the privacy officer, or others as appropriate. For imminent security matters, contact the Security Operations Centre.