INFN - LNF
Policy on Computing
General policies
The Computing Service provides computing resources and networking services
for the INFN National Laboratories of Frascati. The following policy applies to the local computing
and network resources:
- computing resources of the Computing Service (centralized computing resources);
- machines of the Service to manage fundamental services (DNS, Mail, Web, etc.);
- mass storage of the Service (AFS Server, NAS, ADSM Library, etc.);
- X-Terminals, Network Computers and building printers;
- network equipment and services;
- software and data bought or produced by INFN to administer the systems.
Furthermore the Computing Service, compatibly with the available resources, provides support for:
- the configuration and management of workstations and personal computers used by employees,
associated professors, guests, students etc., groups and experiments,
on-site in the institute, in laboratories;
- the use of the exported resources and of the LAN distributed devices (Computing Service managed).
Rules and regulations described in this document have been introduced to
protect data and systems, and to inform users and administrators on risks and
responsibilities due to improper use of the computing and network resources.
The Computing Service is delegated for:
- adopting security measures to protect the computing and network
resources;
- monitoring and controlling;
- informing users and making them aware of their responsibility for misusing the
computing resources, or for unauthorized reproduction of licensed software.
The Computing Service maintains these pages to enhance public access to
information about its initiatives and policies in general. Our goal is to keep
this information timely and accurate. If errors are brought to our attention, we
will try to correct them.
However the material on this site is:
- information of a general nature only, which is not intended to address the
specific circumstances of any particular individual or entity;
- not necessarily comprehensive, but it must be considered an integral part of the law in force on computing and network security, which each user has to know and respect;
- sometimes linked to external sites over which the Computing Service has
no control and for which we assume no responsibility.
Registered and new users in the INFN National Laboratories of Frascati are required to
read this Policy carefully and subscribe to it. Any variation or update will be
reported in the Updates section.
Rules for an appropriate use of the computing and network resources
Introductory statements:
- the following set of rules must be followed by all the users;
- users and system administrators are required to operate with judgement and
common sense;
- employees and registered users are responsible for their own actions under
the computer security policy;
- questions, doubts, suspicions and any other information should be
addressed as soon as possible to the Computing Service.
Access to the computing and network resources
- the access to computing and network resources is restricted to employees,
associated professors, guests, students authorized by the Computing Service;
- groups and services appoint a delegate for interfacing users and the
Computing Service personnel; the delegate maintains an updated list of the
authorized users;
- each computing resource is assigned to a user; users must sign a document
to keep or delegate the
responsibility for using and administering the computing resource;
- the responsible person and the Computing Service reserve the right, if
necessary, to monitor, control and update the computing resource, in
compliance with the privacy law.
Acceptable use of the computing and network resources
- Computing and network resources belong to INFN, and are devoted to
scientific and technological research.
- The following activities are prohibited:
  - private business outside the contract of employment,
  - legally prohibited activities (e.g. violation of licenses),
  - actions that are dangerous for the computing security,
  - illegal activities.
Users' responsibilities
- access to the computing and network resources is personal and cannot be
shared;
- users are responsible for the personal accounts and the system they can
access;
- users must protect their account with passwords;
- users are required to immediately report any suspicious incidents
involving the security of the INFN system, via e-mail to calcolo@lnf.infn.it;
- users must check the Updates pages every so often.
Software
- responsible users are answerable for software installed on the computer or
account they administer, and if necessary they must arrange for the purchase
or the regularization of the software;
- it's prohibited to distribute licensed software outside the license terms;
- it's prohibited to distribute software with the capability to break or
damage the system security, even via e-mail;
- it's forbidden to access other users' personal data without explicit
approval.
The following activities are forbidden; some services may be used by
authorized Computing Service personnel for security purposes:
- using software able to gain unauthorized access to the computing resources
(e.g. cracker or network monitoring software);
- configuring services already provided centrally by the Computing
Service, such as DNS (Domain Name Service), DHCP (Dynamic Host Configuration Protocol),
NTP (Network Time Protocol), mailing, Web Servers, remote access (dial-up);
- routing, bridging, tunneling;
- using sniffers or similar tools.
System Administrators
- System administrators are required to work following the present local
Regulation, in compliance with the Italian privacy laws;
- the Computing Service and/or the system administrators reserve the right
to deny access to the computing and network resources
in case of misuse or illegal activities;
- it's forbidden to install software to compromise the system security;
- improper use of the computer and network resources must be immediately
reported to the Responsible of the Computing Service;
- the Computing Service personnel and local delegates should be able to
access the computing resource at any time in case of emergency.
Moreover:
- it's prohibited to access the Computing Service rooms and access or
modify network hardware and boxes;
- it's prohibited to wire or connect any hardware or resource without authorization;
- it's prohibited to use network names and addresses not explicitly assigned
by the Computing Service;
- it's prohibited to install modems to access the LAN from outside LNF;
- it's prohibited to give anyone userID and password
for remote access to the LAN via the modems of the centralized dial-up service;
- it's prohibited to carry out activities in order to:
  - alter or spoil the computing resources,
  - deprive authorized users of access,
  - obtain further resources, instead of those authorized,
  - access computing resources by breaking the security measures;
- it's prohibited to make copies of the configuration and system files.
Actions not compliant with the Computing Service Policy will be considered
as a security violation, involving the denial of access to the computing and
network resources of the INFN National Laboratories of Frascati and will be reported to the
Responsible.
More serious offences will be submitted to the concerned office.
Security measures implemented by the Computing Service
- Services and programs transmitting clear-text passwords (e.g. telnet, ftp, rsh, etc.) have been
limited to LNF internal use only; to access the LAN from outside they have been
replaced by encrypted protocols (e.g. SSL - Secure Sockets Layer - and SSH - Secure Shell).
- Unnecessary services have been closed.
- Root access on the systems has been limited.
- Unused accounts are removed.
- The Computing Service uses system monitoring tools to control root access, password
cracking, system file modifications, etc.
- The Computing Service uses network monitoring tools to control unauthorized
access to the network etc.
- The Computing Service has configured filtering and logging on routers.
- The Computing Service uses other security tools that are not
published for security reasons.
Required steps for users and administrators
Users and Administrators must comply with the following requirements. Any
request for information should be addressed to the Computing Service.
General guidelines:
- each computing resource is entrusted to a responsible person (the user, a
delegate or the Computing Service) in charge of administration and
monitoring; in any case, users and delegates are responsible for their own
actions;
- the responsible person (the user, or the local delegate, or the Computing Service)
needs to know the root or
administrator's password to access every system for remote
administration, when necessary;
- systems should be kept updated and secure: instructions are
reported in this document or can be obtained from the Computing Service
personnel;
- systems should be monitored; any suspicious incidents involving the
security of INFN computers or networks, including apparent attempts at
unauthorized access, should be reported immediately to the Computing
Service;
- users are required to make acceptable use of the computing and network
resources, using judgment and common sense.
Password guidelines:
- passwords should have at least 7 characters, and be composed of mixed lower
and upper case letters, numbers and special characters ; . & ^ % $ # ,
- avoid guessable words (every language!), proper or geographical names,
- change the password often, at least every two months,
- do not use the same password on different accounts,
- do not use logon scripts containing passwords.
Users guidelines:
- users are required not to communicate or share passwords, being
responsible for their own accounts;
- users can remotely access computing resources using SSH (instead of
telnet) and SCP (instead of ftp), assuring encrypted login;
- do not remotely mount filesystems;
- don't type your password from a non secure remote connection;
- use and update antivirus software; the Computing Service can help
providing software and licenses;
- close unused sessions and lock the console;
- when logging in, verify last login information;
- don't use .rhosts and /etc/hosts.equiv files;
- don't use world-writable files or directories;
- be careful using shareware or freeware software downloaded from the Internet or
coming from books or magazines;
- don't use potentially dangerous software (like IRC, Napster, etc.);
- when using floppy disks (or similar) comply with the following requirements:
  - old, used and formatted floppies should undergo an antivirus scan
  before use;
  - write-protect setup and boot floppies, and floppies containing
  executable files.
System administrators guidelines:
- system administrators are required to:
  - use root authority sparingly and responsibly,
  - limit and control other root access to the system,
  - not use root access from outside lnf.infn.it unless really needed,
  - use the root password to manage the system, but not to access user
  data you couldn't access with your own user-id,
  - log in as root with "su" from your personal user account;
- system administrators are required to patch and update the systems they
administer;
- choose the root password carefully;
- monitor these aspects of your system:
  - login failures,
  - root access or su failures or successes,
  - setuid programs,
  - .rhosts files,
  - system file changes,
  - easily guessable passwords,
  - /var/adm/messages or similar,
  - activity log files (history or similar);
- don't install or use network snooping software;
- don't install or use sniffing software;
- don't run potentially dangerous programs (like IRC, ICQ, Napster or similar) as root;
- don't publish personal Web sites: INFN Web site is a centralized service
provided by the Computing Service to groups and experiments; please,
contact the Computing Service if you have any other needs.
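As an added example (not part of the original policy or of any Computing Service tool), the read-only shell functions below look for several of the items named in the user and administrator guidelines above: .rhosts and hosts.equiv files, world-writable files or directories, and setuid programs. The function names, the output tags and the exemption for sticky-bit directories are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the LNF policy): report items the policy tells
# users and administrators to avoid or monitor. Read-only; changes nothing.
# Usage after sourcing this file: audit_tree /home > findings.txt

# Prefix every path read on stdin with a finding tag and a tab.
tag_lines() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_tree DIR: print one "TAG<TAB>path" line per finding under DIR.
audit_tree() {
    root=${1:-/}
    # rsh/rlogin trust files: per-user .rhosts and the host-wide hosts.equiv
    find "$root" -xdev -type f \( -name .rhosts -o -name hosts.equiv \) \
        2>/dev/null | tag_lines TRUST_FILE
    # World-writable files, and world-writable directories lacking the
    # sticky bit (assumption: sticky directories such as /tmp are accepted).
    find "$root" -xdev \( -type f -o -type d ! -perm -1000 \) -perm -0002 \
        2>/dev/null | tag_lines WORLD_WRITABLE
    # Setuid or setgid regular files: compare against a known-good list.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        2>/dev/null | tag_lines SETID
}

# count_findings DIR TAG: number of findings under DIR carrying TAG.
count_findings() {
    audit_tree "$1" |
        awk -F '\t' -v tag="$2" '$1 == tag { n++ } END { print n + 0 }'
}
```

Saving the output of each run and comparing it with the previous one shows newly appeared setuid programs or trust files.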
Windows users and Administrators guidelines:
- limit the Administrator access to system management;
- use and update antivirus programs (ask the Computing Service for any
need);
- perform periodic backups;
- perform periodic Windows Operating System updates (automatic update from:
Start - Windows update, or through the Microsoft official web
site http://windowsupdate.microsoft.com/);
- when possible, install Microsoft Windows critical update
notification (from the Microsoft web site);
- Internet Explorer 5:
  - disable automatic Autocomplete (Tools - Internet options -
  Advanced - Autocomplete) because it remembers passwords;
  - disable automatic execution of cookies and scripts (ActiveX, Java, ...) in
  Tools - Internet options - Security - Custom, and choose from time to
  time to refuse or execute;
- Netscape 4.x:
  - disable automatic execution of cookies and enable your browser to
  accept only cookies that get sent back to the originating server
  in Edit - Preferences - Advanced menu;
- Electronic mail:
  - set your browser to show headers only without automatically opening the
  messages;
  - do not open mail messages with *.vbs attachments (Visual Basic Script),
  coming from insecure or unknown senders;
  - do not forward messages with "Virus alert" (there is a
  centralized service) or chain letters;
  - do not reply to messages asking for unsubscription, if you were not
  previously subscribed.
Computing Service
Last updated on Monday, 8-Nov-2000 16:51:05