SLAC Computer Security
Software Use Policies
- General Guidelines
Software running on SLAC systems must be run in a way that does not open SLAC systems to security exposures or cause problems for the rest of the community. Software that does not meet these requirements should not be installed unless SLAC Computer Security has been consulted first. In addition, if software running on the SLAC network is found not to meet these requirements, the software needs to be removed, or mitigations must be applied after discussions with SLAC Computer Security.
Examples of prohibited software:
- Software versions no longer supported by the vendor (example: Microsoft Windows 98 and ME or MacOS 10.3);
- BETA software which is not updated for security vulnerabilities by the vendor;
- Software that has known vulnerabilities (example: RealVNC 4.1);
- Unauthorized (by SLAC Computer Security) password/license cracking software.
- Maintain Computer Software to Retain Connectivity
It is expected that all computers connected to the SLAC network are maintained properly. In the area of software maintenance the following guidelines should help:
- Automated Operating System patching must be enabled (e.g. SCCS Taylor for centrally maintained Unix Solaris and Linux; SLAC Windows domain managed patching; vendor supplied automatic OS patching tools);
- In cases where automated patching is not appropriate (e.g. critical Windows servers), the System Administrator is expected to apply all software upgrades in a timely manner.
- Critical Unix systems can be easily accommodated. Contact unix-admin for more info.
- Anti-Virus Software must be installed and maintained for Windows systems;
- Layered products and the Operating System must be kept at a level that is still receiving security updates from the vendor.
Any computer which is not kept up to the minimum standards (either automatically or manually) may be required to be shut down if it cannot be upgraded, firewalled, or otherwise segregated from the rest of the SLAC network. Contact SLAC Computer Security if this is impossible.
If the documented user and/or administrator cannot be reached and the system is considered readily exploitable, then SLAC Computer Security may block the system at the router. If it is determined that the system was online and exploitable for too long (time dependent on the issues involved), then the system will need to be wiped and re-installed.
The SecurityFocus web site is a good tool for searching for product vulnerabilities.
- Testing New Windows Operating Systems
The standard practice is to install new Windows operating systems on the dev-test network to ensure they do not cause problems with the production Windows infrastructure. We need to ensure, to the best of our abilities, that the new software will not introduce any harmful security/stability issues to our production systems. For assistance with testing any new Windows software, please contact: SCCS Windows Infrastructure Team.
Owner: SLAC Computer Security