25 November 1998
Until now, the Windows NT operating system and its applications have usually been run in single-user mode. Running Windows NT in multi-user mode presents new challenges for system and application configuration, for security, and for software licensing. When used in conjunction with Citrix MetaFrame software, a Windows Terminal Server (WTS) offers many functions, including allowing non-Windows operating systems to run Windows-based applications and providing remote access capabilities.
Current and future facilities that SCS is setting up allow users to run common and specialized Windows-based applications. Departments whose requirements cannot be met by the SCS facilities and that need to set up a departmental WTS must obtain prior approval from the Security Committee and meet reasonable guidelines. Such registered WTS servers must be carefully administered by trained personnel; otherwise crackers may exploit weaknesses to gain unauthorized access to SLAC computers, networks, and/or file systems. In the worst case this could result in the release of sensitive information, the modification or destruction of data stored on SLAC's computers, or even damage to apparatus controlled by these computers.
Government laboratories such as SLAC have proven to be tempting targets for crackers. In the past, intrusions into SLAC's network from the Internet have resulted in SLAC having to sever its connection to the Internet for several days, inconveniencing many remote collaborators who were prevented from performing their normal work at SLAC. In addition, considerable time had to be expended checking for and removing the effects of the break-in and beefing up security to prevent similar intrusions in the future. It is to everyone's benefit to take reasonable precautions to prevent such intrusions from taking place in the future.
The policies described below have been developed to minimize the exposure to WTS break-ins with an acceptable expenditure of effort and resources, while maintaining an environment in which the potential of WTS can be effectively exploited by SLAC groups. It must be understood that there is an implicit conflict between the requirements of security, the desire to exploit new technology for SLAC's research and administrative needs, and the limited manpower available to support new technologies. Even with the implementation of the policies described here, it is not possible to completely assure the security of SLAC's network environment. The level of security described here is thought to be adequate for most of SLAC's current requirements; however, it is probably not adequate for applications which deal with highly sensitive information or where human safety may be affected.
Policies: In order to provide reasonable security and availability:
SCS is providing support for a Windows Terminal Server farm, and it is recommended that departments requiring use of common and specialized Windows-based applications use this farm. Departments will be responsible for the cost of software licenses. This should minimize the demand for non-SCS Windows Terminal Servers.
Past versions of multi-user NT systems (e.g., beta-Hydra, NTrigue, WinFrame) are prohibited unless upgrading is technically infeasible. Since these past versions are all based on less secure configurations that are no longer supported, they should be upgraded to Windows Terminal Server and MetaFrame.
The Remote Desktop Protocol (RDP) used by Microsoft Windows Terminal Server is prohibited. Instead, the more robust Independent Computing Architecture (ICA) protocol is to be used by upgrading servers to use Citrix MetaFrame.
Requirements for additional Windows Terminal Servers should be documented and brought to the Computer Security Committee for discussion and approval. Guidelines for appropriateness will need to be worked out based on experience. No WTS should be set up at SLAC without review and approval by the Computer Security Committee.
Any SLAC Windows Terminal Servers will be maintained by staff who:
- satisfy the Security Committee that they have the appropriate qualifications, either through attending classes or through equivalent experience. Classes will be 50% subsidized by SCS. The classes should cover the basics of setting up a multi-user remote shell to NT for WTS and MetaFrame, and the tuning of applications which may not be designed for multi-user mode. Sign-up for classes can be done through the SCS NT System Administrators;
- review their systems with the SCS NT System Administrators before going into production;
- keep the operating system at a level supported by the vendor;
- keep current with security patches, evaluate and expeditiously apply as appropriate;
- have a thorough understanding of the vendor's system, and particularly those aspects which affect security;
- ensure that the WTS can be used only by persons authorized to use SLAC's computer and network resources;
- ensure that the server implements the same access control policies for information consistent with SLAC computing security;
- ensure the administrator of the server, or a backup administrator, will be available during working hours to expeditiously resolve problems;
- keep and make available a current list of phone numbers where administrators and backup administrators may be reached in a critical situation outside normal hours;
- provide the ability to audit use via logs and to monitor exceptions;
- ensure that the persons using the WTS have the proper software licensing. SLAC and the NT administrators have the legal obligation to make sure that the operating system and software licensing meet the requirements of the individual vendors. For the operating system, each client device accessing the WTS will need a Windows NT Workstation license and a Windows NT Server Client Access License (CAL).
If an unauthorized Windows Terminal Server (or other multi-user NT system) is discovered, an attempt will be made to contact the owner(s) via phone and email. If successful, the owner will be apprised of the policies on Windows Terminal Servers and requested to disable the server pending authorization. If the attempt to reach the owner(s) is unsuccessful or the owner does not disable the server, then measures will be undertaken to limit the effect (e.g., the server will be barred from the network pending authorization), and the Computer Security Committee will be notified.
SCS NT System Administrators, Bob Cowles