[unisog] Policy for student owned servers in the ResNet

Gary Flynn flynngn at jmu.edu
Fri Mar 26 01:08:15 GMT 2004


Stephen Bernard wrote:

> I am interested to know what institutions allow/require that students 
> register systems which will act as servers in the residence networks, 
> and how that is managed. The most common policies that I've found so 
> far are either completely open or no serving is allowed at all from 
> the residence networks. I think that both of these approaches are 
> dangerous so I'm interested to learn about the approach and reasoning 
> used by others who have taken the registration tack. 

Hi Steve,

We blocked servers on the student network last summer as a precaution
to prevent exploitation of the Windows DCOM defect and resultant
secondary infections and backdoors. With the follow-up Messenger
defect and the flood of virulent, email-borne worms, we decided to
continue the block.

We make exceptions for academic or business needs. To date, we have
had fewer than a dozen requests for exceptions so haven't needed a
complicated process. When we get a request, I request the output of
MBSA on Windows computers and perform a network vulnerability
scan on the computer. I then limit the incoming access to only those
services requested. This manual process obviously wouldn't scale with
more requests but it's adequate for now.

I'm looking at ways it might be possible to efficiently extend such a
policy to "sensitive desktops" throughout campus and maybe even further.
I remember reading about Texas A&M having such a system using Tiger
scripts and Drawbridge many years ago.



