The Columbia Law School Information Technology (CLS IT) department maintains policies about the use and security of its systems in the interests of protecting its users and ensuring the reliability of mission-critical systems. All users of our facilities are expected to be familiar with these policies. Violations of CLS IT policies can lead to the suspension of computer account(s) pending investigation of circumstances. Serious violations of CLS IT policy will be referred directly to the appropriate academic or outside authorities.
Unauthorized use of University computing facilities can be a criminal offense. The penalties may be as severe as suspension or dismissal of enrollment, termination of employment from the University, and/or criminal prosecution by appropriate law enforcement agencies.
On any operating system, on any platform, the same basic outline for creating a secure environment applies. A three-rule guideline to security might be distilled to:
1. Turn off any services you do not need (disable non-encrypted services in favor of encrypted alternatives wherever possible).
2. Patch and properly configure the services you do need (enforce the proper permissions and ACLs, i.e. access control lists).
3. Enforce the use of strong passwords.
To determine which services are running on a machine, run a port scan against it; the scan will display any open, new, or unknown services. An excellent, and free, port scanner is Nmap (found at http://www.insecure.org), which runs on many OSes including Windows, Macintosh, Linux, Solaris and other flavors of UNIX.
Once you have run the port scan against the target machine and determined which ports are open and should stay that way, versus those which should be closed, the process of hardening the machine can begin. What ports a machine should have open depends on what services it provides. For example, a web server might not need to have the email services turned on but should have a web service running; a database server might not need to have an FTP service enabled but may need to have an SSH (Secure Shell) service running; a file server might not need to have a telnet service running but may need to have print services enabled.
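The comparison described above (open ports versus the ports a machine's role needs) can be scripted. The following is an added example, not a CLS IT tool: it reads Nmap's grepable output (`nmap -oG`) and reports open ports that are cleartext services or are not on the role's allow-list. The allow-lists, host roles, addresses and scan text are assumptions constructed for illustration.

```python
# Added example: audit nmap grepable output (nmap -oG) against role allow-lists.
# The allow-lists, host roles and scan data are assumptions built for this sketch.
ALLOWED = {
    "web": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "database": {(22, "tcp"), (5432, "tcp")},
    "file": {(22, "tcp"), (445, "tcp"), (631, "tcp")},
}
CLEARTEXT = {"telnet", "ftp"}  # services with encrypted alternatives

# Constructed sample, not a real scan. Fields in -oG output are tab-separated.
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (web01)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.20 (db01)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "5432/open/tcp//postgresql///\n"
)

def open_ports(grepable):
    """Yield (host, port, proto, service) for each open port in -oG text."""
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue  # comment or blank line
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    yield host, int(parts[0]), parts[2], parts[4]

def audit(grepable, roles):
    """Return findings for ports that are cleartext or not needed by the role."""
    findings = []
    for host, port, proto, service in open_ports(grepable):
        allowed = ALLOWED.get(roles.get(host), set())  # unknown role: allow nothing
        if service in CLEARTEXT:
            findings.append((host, port, service, "cleartext: use encrypted alternative"))
        elif (port, proto) not in allowed:
            findings.append((host, port, service, "not needed for role: close"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"192.0.2.10": "web", "192.0.2.20": "database"}):
        print(*finding)
```

A host with no assigned role gets an empty allow-list, so every open port on it is reported until someone decides what the machine is for.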
There are lots of security courses led by many of the security groups already mentioned herein. IT would recommend that any admin take the necessary basic security courses offered by any of the following groups: Global Knowledge http://www.globalknowledge.com, The Learning Tree http://www.thelearningtree.com, and The SANS group http://www.sans.org, which also hosts several conferences annually.
One-on-one configuration audit and overlapping of services.
IT is committed to helping out in any way we can. We are eager to help make the systems at CLS as secure as possible and will be available to advise system administrators in the process of hardening the machines they maintain. The best advice would be to follow the security information contained herein and to reach out to us if you run into a snag, need clarification, could use some assistance in navigating some of the security tools, etc. We are all in this together, and IT is here to help and lend a hand.
Some final notes: for any compromised system, both CLS IT and CUIT require that appropriate measures be taken before the machine is reintroduced to the network. These measures may include, but are not limited to, disabling/closing unneeded ports/services, applying security patches, employing antivirus software and possibly personal firewall software, and, in extreme cases of administrator/root level compromises, the reformatting of the system drives and re-installation of the operating system. Should any machine under your purview be compromised, IT will be available to lend advice and a hand in getting the system back up to par. In any event, after you have had a chance to gain more information from your investigations, just give us a heads up so we can move forward with removing any outstanding filters on our (or CUIT's) systems. And please let us know the details of the resolution so we can pass this data upstream as well, should it be requested of us.
Copyright Information for Network Users at Columbia
You are responsible for what you do on the network. As a member of the Columbia community, you have access to the Internet and World Wide Web from a departmental or personal computer or your CUNIX account. We hope that you will take advantage of this privilege, but please remember that you are responsible for what you do, including complying with copyright law, whether using the Web to read or publish pages or using file-sharing programs like Kazaa, Gnutella, IRC, FTP, or others.