Microsoft Windows Client Security Policy. Version 2.1 POL 033


Ownership
Policy Owner: Information Security Manager

Revision History
Next Review Date: 2nd April 2015

Approvals
This document requires the approval of the following:
Name | Title | Date of Approval | Version
Information Systems Committee | | 21st December 2012 | 0.1
Michael Brines | LNI Solution Owner | 5th September 2013 | 1.0
E2 Programme Board | | |
ISC | | |

Distribution
Name | Title | Date of Issue | Version
ISC Members | | 17th December 2012 | 1.0
E2 Programme Board | | 12th November 2013 | 1.0
E2 Programme Board | | 6th February 2014 | 2.0
ISC Members | | 18th March 2014 | 2.1

Version History
Date | Version | Changed by | Change Details
21st December 2012 | 0.1 | | Initial copy from customer
4th June 2013 | 0.2 | Inderjit Birak | Updated to reflect new service and contract being delivered by Fujitsu
25th June 2013 | 0.3 | Inderjit Birak | Updated following review by Solution Owner
5th September 2013 | 1.0 | Michael Brines | Definitive version approved
16th January 2014 | 1.1 | Project Board | Updated to LNI e2 standards
10th March 2014 | 2.1 | Jamie Aiken | Minor changes suggested by SMT

Not Protectively Marked Page 2 of 7 e2 Project

1. Introduction

This document forms part of the suite of Security Policy documents for Libraries NI. The Libraries NI environment provides IT services to all Library locations in Northern Ireland. The Authority will take appropriate steps to protect the IT environment from threats, including but not limited to unauthorised access, computer viruses, violation of privacy and interruption to service.

2. Objective of Policy

This document lays down the minimum security standard applicable to Microsoft Windows based PCs, supplied by Libraries NI and operating within Library sites across Northern Ireland. It is suggested that the statements and recommendations laid down in this standard are similarly applied to both corporate and public devices, for which ongoing responsibility lies with the Authority. Some systems in particularly high-risk environments may need to take additional security steps beyond those prescribed in this document. This may include, but is not limited to, ongoing anti-virus provision.

3. Policy

The standards and recommendations laid down in this section should be adhered to for client PCs running Microsoft Windows operating systems.

3.1 Directory Services

3.1.2 Security domain boundaries

Microsoft Windows client PCs will have computer accounts created in the Active Directory during the client build process.

3.2 Hardware Configuration

BIOS passwords

BIOS passwords shall be used to prevent unauthorised access to the BIOS on client machines in Library sites. This helps prevent unauthorised alteration of the configuration of the machines.

Boot sequence

Once a client has been installed, it should always boot from the hard drive first. The boot order will be protected by the BIOS password set-up, as specified above.

Control Statement: All Windows clients shall be set to attempt to boot first from hard disk, then CD-ROM or other devices.

Action after outage

BIOS configuration parameters allow a choice of actions following system outages such as power failures and system crashes. An important consideration is a power outage out of hours, so for this and other reasons client PCs should not be set to reboot automatically after an outage. All Windows clients should be set not to reboot automatically after any outage.

3.3 System Software

Software upgrades and installation

All Windows clients shall be installed to a standard build. This minimises the effort subsequently required to support individual systems. Deviations from the standard build should be documented and justified.

Control Statement: Windows clients shall be installed to a standard build.
Control Statement: Deviations from the standard build shall be documented.
Control Statement: During installation, the Windows time zone shall be set to the appropriate local setting, and the "Automatically adjust clock for daylight saving changes" option shall be selected.
Control Statement: During installation, the Windows Regional Settings shall be set to the appropriate local setting.
Control Statement: During installation, the Windows client PCs shall be configured to use a suitable automatic time source that is synchronised to the regional time.
Control Statement: Corporate user PCs, workstations and, where possible, mobile devices will be configured to automatically lock after a preconfigured period of time to prevent unauthorised use.
Control Statement: Public Access Terminal (PAT) PCs will automatically log out at the end of a session, and Deep Freeze will clear session data.
Control Statement: The system shall require that the Identification and Authentication process is repeated to unlock the device before work can be continued.
Control Statement: A warning screen, displayed prior to log-on at PCs and workstations, will warn the reader that unauthorised access to systems may result in disciplinary or legal action being taken.
Control Statement: The screens of workstations shall 'blank' out after a period of inactivity.
Control Statement: A notice shall be displayed indicating that only authorised users are allowed access.
Control Statement: Only the data input fields required for log-on purposes shall be displayed.
Control Statement: No information, other than a log-on prompt, shall appear on the log-on screen.

Post-installation procedures

Control Statement: Documentation shall be produced and maintained on the configuration of the Windows client standard build for library sites. This documentation shall include a description of the configuration of the Windows operating system as well as a list of the services and applications that have been installed.
Control Statement: Anti-virus software shall run on all Windows clients, and the virus signatures shall be kept up to date automatically.

Changes to system software

Critical updates shall be applied in a timely manner to all Windows clients.

Control Statement: All changes to system software shall be made in compliance with Change Management Procedures.
Control Statement: The IT Team will test all patches before they are applied to operational clients.
Control Statement: The Information Security Manager shall liaise with suppliers to identify patches and updates on a regular basis.
Control Statement: All applicable critical patches will be installed on all systems within a timeframe consistent with the effort required by the supplier to apply such patches.

System configuration parameters

When changes are needed to system configuration parameters, care shall be exercised to avoid damaging the operation of the system.

Control Statement: All changes to system parameters shall be made in compliance with Change Management Procedures.

Unauthorised software

In order to prevent disruption to service from such software, the following steps are required.

Control Statement: Freeware, shareware and other unauthorised software must not be installed on systems, except with the approval of the Information Security Manager and after adequate testing has been performed.
Control Statement: In order to comply with legal requirements, only licensed software will be installed on client PCs.
Control Statement: Original licence documents must be retained and stored in a safe place by the Authority.
Control Statement: An inventory of software licences shall be maintained.

Where possible, configuration management (manual or automated) is required to ensure that the system is checked for unauthorised software.

3.4 User Authorisation

Account management

Local accounts with administrative-equivalent permissions will only be provided on client PCs for maintenance operations. Ordinary users will only log in to client machines via domain accounts.

Where corporate desktops are shared by users, each user must log in separately for their own individual session. Where appropriate, application sessions are not to be shared by users.

Account creation

Local administrative accounts will be created on all client machines for maintenance purposes only. Individual local accounts will not be provided. Administrative rights will be restricted to authorised personnel only. All corporate user accounts will be domain accounts.

Account passwords

Strong passwords will be set on all local administrative accounts on client machines. The passwords for local administrative accounts shall comply with the requirements for privileged accounts defined in the Server Security Standard, with regard to length and complexity. Password expiry will not be applied to local administrative accounts on client machines.

User passwords shall comply with the following:

Control Statement: All passwords must contain at least 8 characters.
Control Statement: All passwords shall include alphanumeric text.
Control Statement: Password maximum age must be set to 90 days.
Control Statement: Passwords shall not be visible in clear text.
Control Statement: Password history must be kept for up to 24 previous passwords.
Control Statement: Password minimum age must be set to 2 days.

Employees must be given security awareness training, to guide them on how to follow good security practice in the selection and use of passwords.

Anonymous accounts

Anonymous accounts must not be used on client PCs. The Guest account shall be disabled on all Microsoft Windows client PCs (this is the default setting).

Log on

The number of false log-on attempts shall be limited to, at most, three attempts.

Internet browsing software

All users have access to application software to enable them to access the World Wide Web. Software of this type can cache username and password information. This information should be stored within each user's roaming profile so that it is not available to other users of a machine.

Removable media

Care should be taken when data is transferred to removable media, to ensure that the protection of the data is maintained.

Control Statement: All removable media containing sensitive information shall be stored securely when not in use, to reduce the risk of unauthorised access.

Windows will, by default, attempt to run software (often an installation program) from media inserted into a CD-ROM drive. This process might inadvertently install rogue software on the system, and shall therefore be avoided.

Control Statement: The Autorun feature shall be disabled on all CD-ROM and DVD drives.

3.5 Backup and Recovery

Operating system backups

In general, it is expected that Emergency Repair Diskettes will not be created for client machines. Instead, in the event that the operating system becomes corrupted, the machine will be re-imaged to the original standard build by the supplier.

Data backups

No backups are required of client machines, since they do not hold important user files.

Asset management

All client devices (laptops and desktops) are to be issued asset tags and to be listed in asset inventories with documented owners assigned.

4. Waiver from Policy

Requests for a waiver from this Information Policy must be addressed to the Information Security Manager. The request for a waiver must describe why a waiver is required, justify why the policy cannot be adhered to, and give a plan to bring the application or system into compliance in the future. The Information Security Manager will discuss waiver requests with senior management, as appropriate. Waivers can be granted by the Information Security Manager for a period not exceeding one year, but may be extended annually if the justification still applies.

5. Monitoring and Review

The Information Security Manager is responsible for monitoring and reviewing this policy and will conduct a formal review of the efficiency and effectiveness of its application on an annual basis.

6. Violations

Any violations of this security policy should be brought to the attention of the Information Security Manager, who will work with the appropriate individuals to rectify the problem.
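Several of the control statements in sections 3.3, 3.4 and 3.5 (log-on warning notice, automatic lock on inactivity, password length, complexity, maximum and minimum age and history, the three-attempt log-on limit, the disabled Guest account, and Autorun disabled on optical drives) correspond to concrete Windows settings that can be read back from a client to check compliance. The script below is an added example, not part of POL 033 or of the Libraries NI build; it assumes an elevated PowerShell 5.1 or later session on an English-locale Windows 10 client, where secedit.exe can export the effective local security policy and Get-LocalUser is available. The registry locations are the standard Windows policy keys (the Interactive logon settings under Policies\System and NoDriveTypeAutoRun under Policies\Explorer); the expected values are taken from the policy text above, and no site-specific values are used.

```powershell
# Added example, not part of POL 033: audit a Windows client against the concrete
# control values in sections 3.3, 3.4 and 3.5 of this policy.
# Assumptions: elevated PowerShell 5.1+ on an English-locale Windows 10 client
# (secedit.exe needs admin; Get-LocalUser needs the LocalAccounts module).
# Registry locations are the standard policy keys; no site-specific values are used.

# Export the effective local security policy with secedit and parse the
# [System Access] section into a name -> integer map
# (MinimumPasswordLength, PasswordComplexity, LockoutBadCount, ...).
function Get-SystemAccessPolicy {
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /quiet | Out-Null
        $map = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $map[$Matches[1]] = [int]$Matches[2] }
        }
        return $map
    }
    finally { Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue }
}

# Read a registry value, returning $null when the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$sysAccess   = Get-SystemAccessPolicy
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# An absent Guest account counts as disabled for the purposes of this check.
$guest        = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$guestEnabled = if ($guest) { [bool]$guest.Enabled } else { $false }

# Each check pairs the policy wording with the observed value and a pass condition.
$checks = @(
    @{ Control = 'Password length >= 8';        Actual = $sysAccess['MinimumPasswordLength']; Pass = { param($v) $v -ge 8 } }
    @{ Control = 'Password complexity on';      Actual = $sysAccess['PasswordComplexity'];    Pass = { param($v) $v -eq 1 } }
    @{ Control = 'Password max age = 90 days';  Actual = $sysAccess['MaximumPasswordAge'];    Pass = { param($v) $v -eq 90 } }
    @{ Control = 'Password min age = 2 days';   Actual = $sysAccess['MinimumPasswordAge'];    Pass = { param($v) $v -eq 2 } }
    @{ Control = 'Password history = 24';       Actual = $sysAccess['PasswordHistorySize'];   Pass = { param($v) $v -eq 24 } }
    @{ Control = 'Lockout after <= 3 attempts'; Actual = $sysAccess['LockoutBadCount'];       Pass = { param($v) $v -ge 1 -and $v -le 3 } }
    @{ Control = 'Guest account disabled';      Actual = $guestEnabled;                       Pass = { param($v) $v -eq $false } }
    @{ Control = 'Legal notice caption set';    Actual = Get-RegValue $systemPol 'LegalNoticeCaption';    Pass = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Control = 'Legal notice text set';       Actual = Get-RegValue $systemPol 'LegalNoticeText';       Pass = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Control = 'Inactivity lock configured';  Actual = Get-RegValue $systemPol 'InactivityTimeoutSecs'; Pass = { param($v) $null -ne $v -and $v -gt 0 } }
    @{ Control = 'Autorun disabled (0xFF)';     Actual = Get-RegValue $explorerPol 'NoDriveTypeAutoRun';  Pass = { param($v) $v -eq 255 } }
)

# Evaluate every check; a missing setting shows as an empty Actual and fails.
$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Control   = $c.Control
        Actual    = $c.Actual
        Compliant = [bool](& $c.Pass $c.Actual)
    }
}

$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Compliant }).Count
Write-Output ("{0} of {1} controls non-compliant" -f $failed, $report.Count)
```

Run it from an elevated prompt on a built client; a non-zero count in the last line points at the rows to fix, and the same rows can be compared against the documented standard build required under section 3.3. Because the script reads the effective local policy, a domain Group Policy that sets these values will be reflected once the client has applied it, so the check is useful both before and after a machine joins the domain.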