Gregory A Jackson
Chief Information Officer
| To: | Deans, Officers, Department Heads, and House Masters |
| Subject: | Restrictions on multi-user computers and servers |
| Date: | February 2000 |
Most computers on the University network are personal computers, typically Macintosh or Windows machines used only by the individuals sitting at their keyboards. What follows does not apply to these. However, there are a great many network-accessible computers that serve multiple users, with varying degrees of specificity and restriction. These include many departmental mail servers. Currently most multi-user computers at the University run some version of Unix (Solaris, Linux, AIX, Irix, and so forth), although some run other operating systems. Under the University's Eligibility and Acceptable Use Policy and NSIT's evolving security standards for the campus network, certain restrictions apply to multi-user computers. I write to remind you of this, and to ask that you pass the word to faculty, staff, graduate students, system administrators, and others who might be affected.
Two general rules apply to multi-user computers.
First, with the specific exception that follows, multi-user computers on the campus network may not grant accounts or other access to individuals ineligible for University network services. (Eligibility criteria appear in the Eligibility and Acceptable Use Policy, http://nsit.uchicago.edu/eaup.) Ineligible users may not have uchicago.edu email addresses, or otherwise identify themselves as members of the University community. This means that in general multi-user computers, including mail servers, may grant access only to the current faculty, students, and staff of the University. Giving outsiders telnet or other forms of shell access to a multi-user computer generally violates this first rule, since users with such unrestricted access generally may reach and use other machines and resources on the campus network. Giving outsiders email accounts violates it too, since it permits outsiders to identify themselves as members of the University community. Machines that provide such access can expect to be disconnected from the network when they come to NSIT's attention.
The exception is this: if a multi-user machine grants access only to its own files or services, provides no mechanism for users to reach other computers or resources elsewhere on the campus network, and does not permit outsiders to identify themselves as members of the University community, then it may provide access to individuals otherwise ineligible for University network access without violating University policy. Running basic Web servers, file servers, mailing lists, and similar services generally does not violate the first rule, therefore, even if some -- or most -- users are ineligible for University network access.
Alumni typically do not qualify for University network privileges, and so access for them – such as the special mail services provided by the Alumni Association and the Graduate School of Business – must be managed carefully. (This comes under the "Special Users" category in the eligibility policy.) Simply allowing alumni to keep full accounts on departmental servers fails this test.
Second, certain critical multi-user machines must, over the next year or so, implement mechanisms for secure authentication (that is, for requesting and confirming usernames and passwords) that meet NSIT's standards for network security. These standards basically require that unencrypted passwords should not traverse the network. A machine qualifies as "critical" if it serves a substantial number of users, authenticates users frequently, has a large number of off-campus connections, contains sensitive or valuable data, or runs applications important to administration, research, or instruction. This rule applies even if all users are University-eligible, or if the dominant use of the machine is for email service. Various mechanisms for secure authentication are available, the most common being encryption (such as "ssh", a security mechanism for remote logins, and "SSL", a security mechanism for Web-based connections) and the Kerberos system being implemented for NSIT's central services and underlying the next version of Windows NT.
As you may know, over the past year the University has experienced an enormous number of scans searching our network for under-secured machines. These scans have led to many compromised machines, which in turn have been used to capture individuals' usernames and passwords and, in some cases, to use those to compromise other machines or to mount so-called "denial of service" attacks. The University is especially vulnerable to these problems because it has not fully implemented secure authentication throughout its operations. Although implementing this second rule will require much work and dislocation for system administrators and users alike, it is essential if our data network is to keep working.
If you have questions about these rules for multi-user machines, you certainly can communicate with me. In many cases, however, it makes more sense for system administrators to communicate directly with NSIT's network-security group, which can be reached at <network-security@uchicago.edu>, 773-702-CERT, or http://security.uchicago.edu/.
Networking Services & Information Technologies
5801 South Ellis Avenue #605, Chicago IL 60637
773-702-2828 (voice), 773-834-2829 (fax)
gjackson@uchicago.edu
http://whodunit.uchicago.edu/gj/