DLS Support Services and DLS Help Desk Policies for DLS Clients
Remote Access – Technical Policy and Practices – Central Administration
DLS Support Services and DLS Help Desk
Procurement Policy
Computer Equipment
Software
Bit9 Parity
Desktop Backup
Peer-to-Peer Software
Software Update Server (SUS)
Equipment for Presentations
Computer Training
Passwords
Virus Protection
Home Personal Computer Recommendations
Microsoft Vista Support
Support of Microsoft Office 2007
PDA Handheld Device Policy
PGP Whole Disk Encryption Policy
Non-Harvard Owned Computers
Support Services Workstation/Laptop Policy
University Security Mandates
Remote Access – Technical Policy and Practices – Central Administration
The policy documented herein aims to establish a structure, standardize expectations, and formally acknowledge support of authorized remote access to Harvard information in a manner that is cost-effective and minimizes the risk of information loss. Individual employees and departments need to acknowledge ownership of, and responsibility for, the Harvard information used on remote devices.
Policy and Practice - Originally published in October 2005; revised as of June 1, 2009. This policy and practice will be revisited and revised on a periodic basis to reflect material changes in laws and regulations, compliance requirements, new technologies, and changes in employment and management practices that impact the Central Administration at Harvard University.
- Overall considerations
- For remote access to central web-enabled services
- For authorized staff where remote access to central IT services and applications is a job requirement, or part of an approved tele-commuting or work-at-home arrangement (cost information)
DLS Support Services and DLS Help Desk
The Desktop and LAN Support Services group of Harvard's University Information Systems provides technology support to departments in most of Central Administration and throughout other Harvard departments and schools. DLS clients may contact the DLS Help Desk for assistance with hardware or software issues by calling 617-495-8411, or via email to dls@harvard.edu.
The DLS Help Desk business hours are:
- Monday through Thursday from 7:30 a.m. to 8:00 p.m.
- Friday from 7:30 a.m. to 6:00 p.m.
- If you need immediate assistance after 6:00 p.m., please call 617-495-8411 rather than emailing your issue.
The DLS Help Desk will attempt to resolve your problem over the phone. If your call requires a DLS technician to come to your location, every effort is made to respond to non-urgent calls within 4 hours of the ticket being opened by the DLS Help Desk.
If you are having an urgent issue, a DLS technician will arrive on-site to assist you. An urgent issue is any problem with your computer that impedes your job function, for example a computer that keeps rebooting or a monitor that has no power.
Procurement Policy and Life Cycle Management
DLS manages equipment on a 3-year cycle. Inventory is reviewed annually and replaced as needed. If necessary, purchases outside of either the standard replacement cycle or the CAIT Desktop Standards listed below will be reviewed by the local department manager and the DLS Support Services Manager prior to any equipment being ordered.
All requests for purchasing new computer equipment or software must be sent from the local department manager in writing via email to dls@harvard.edu. The request should include the billing code, any known hardware specifications for computer equipment, and the name of any standard or non-standard software needed.
At the end of the 3-year life cycle, equipment is returned to the vendor/leasing company or disposed of at the UOS Recycling Center. Before equipment is recycled or returned to the vendor or leasing company, all data on it is completely erased so that it cannot be retrieved.
Support Services does not endorse or recommend that client departments engage in selling old computer equipment to employees and will not support such equipment in any capacity.
Computer Equipment
IBM is the preferred vendor for the University. Please refer to the CAIT desktop standards document at http://www.uis.harvard.edu/support_services/standards9.09.pdf for more information on the IBM computers used throughout DLS Client Departments.
All Harvard staff members may also purchase IBM computers at the Harvard price for personal use. If you would like more information on personal purchases through IBM, please visit:
http://www.uis.harvard.edu/technology_services/
Software
A Standard Software Suite is installed on all new DLS client computers. It includes:
- Adobe Acrobat Reader (PDF file reader)
- Microsoft Outlook 2003
- MeetingMaker 7.5 (HUL only)
- Microsoft Internet Explorer 6.0
- Microsoft Office 2003 (includes Access, Excel, PowerPoint, and Word)
- Mozilla Firefox
- Symantec Anti-Virus
- Windows XP
Non-standard software is installed upon request and subject to the approval of the local department manager and the DLS Support Services Manager. Support for non-standard software is limited to a best-effort attempt to resolve the client's issue.
Note: All software requires that a license be purchased for each computer on which it is installed. All software is to be installed by Support Services Technicians and not end-users.
Bit9 Parity
Introduction
Over the next few months, DLS will be rolling out a new software package designed to enforce Central Administration’s Computer Use Policy. The software is called Parity and it is from a company called Bit9. Parity is designed to perform several functions:
- Prevent unauthorized or unlicensed software from being installed on Harvard-owned computer systems.
- Prevent the execution of zero-day exploits, trojans, worms, and viruses on Windows computers.
- Maintain the integrity of the DLS-supported and tested base image that is preconfigured on Harvard-owned computer systems.
Parity will be installed in one of two ways: either a DLS technician will visit to install it manually, or it will be pre-installed when a user receives a new computer system. Once installed, Parity runs in the background, similar to anti-virus software, and is typically transparent to the end user. It has two different modes:
- The primary mode that most users will run in is called “Lockdown.” This mode will prevent any additional software from running on a computer system without prior DLS approval on the Parity management server.
- At DLS’s discretion, in coordination with departments, some users will have systems that run in the “Block and Ask” mode. This mode differs in that it will initially prevent any additional software from running on a computer system, but will allow the user to click OK to allow the software to run. For example, this mode will be used on developer workstations where additional software may need to be installed for testing purposes, e.g. the Firefox web browser and its extensions.
- Finally, in the event that DLS is aware of potential threats to Windows workstations where users may be caught off guard by a malicious program, we can remotely switch all users into the “Lockdown” mode until the threat has passed.
The only time users will see any evidence of Parity running on their systems is when an unknown application attempts to run. Parity will catch the application before it executes and warn the user with a pop-up message.
Upon receiving this pop-up message users can take one of the following actions:
- Know that they were attempting to install an unauthorized application and stop.
- Contact the Help Desk if they are running a work related application and need assistance.
If you have any questions on Bit9 Parity, please contact the DLS Help Desk at 617-495-8411.
Bit9 Parity Frequently Asked Questions
- What is application whitelisting?
Wikipedia: "An emerging approach in combating viruses and malware is to whitelist software which is considered safe to run, blocking all others. Some deem this as superior to the standard anti-virus approach of blocking/removing known harmful software (essentially blacklisting), as the standard approach generally means that exploits are already in the wild."
- How does it differ from standard Anti-Virus methods?
Standard AV software depends on “definitions” of KNOWN malware; in other words, it is “blacklisting” software. Application whitelisting blocks ANY software not specifically approved beforehand, both safe and dangerous.
- What if Parity blocks something I need?
Call the DLS Helpdesk at 617-495-8411. Give the technician as much information as possible: what software you are running, the business need, etc. Once the software is approved, the change is made on the Parity management server and takes effect when your system is on the campus network.
- Will Parity slow down my system?
The only time Parity should consume any significant resources is during its 30-minute initialization after installation. If you suspect that Parity is slowing down your system after this time, report it to the DLS Helpdesk at 617-495-8411.
Desktop Backup
For a fee, DLS clients can have the Connected DataProtector Backup Client installed onto the computer hard drive by DLS technicians.
Connected DataProtector is a backup software application that is set to run automatically every day in the background on your computer, eliminating the need to run a manual backup. This service is not available on the Macintosh platform.
If you would like more information on Connected DataProtector Backup, please contact the DLS Help Desk at 617-495-8411, or via email at dls@harvard.edu.
If you are already a user, an Adobe Acrobat file with basic information about the Connected DataProtector Backup Client is available from the DLS Help Desk.
Peer-to-Peer Software
DLS does not endorse, support, or install any Peer-to-Peer software such as Skype, Kazaa, Morpheus, etc., on the basis that these types of applications effectively circumvent most enterprise security architectures in the same way that a virus or exploit does.
Software Update Server (SUS)
The process for distributing monthly SUS updates is:
- SUS testers receive patches on the second Tuesday of the month
- DLS clients receive patches on the third Monday of the month
- Patches are sent automatically to all DLS computers on the network
- DLS clients should log off, but leave computers powered on to receive patches sent at random intervals from the SUS server during the monthly 4-day patch period
- Some DLS clients will see either a blue globe or a yellow shield in the system tray at the lower right of the desktop screen
- Click on the Blue Globe to manually install patches
- Restart, if prompted, to complete install
For most DLS clients on the Microsoft Windows XP operating system, all the patches will automatically be sent to and installed on your computer if it is powered on. Most updates are installed in the background and require no reboot.
For some DLS clients on Microsoft Windows 2000 and XP operating systems, the patches will need to be manually installed because of the way the computers are configured.
During the monthly 4-day patch period, all DLS computers must be powered on to receive patches sent at random intervals from the SUS server. When leaving at the end of each of the 4 business days on which patches are sent each month, all DLS clients should choose Log Off instead of Shut Down from the Start Menu. Updates cannot be installed when the computer is off or is not on the network.
On all other non-patching period days, DLS clients are encouraged to turn off their computers at the end of the workday to assist Harvard University in saving energy and reducing greenhouse gas emissions.
If you need help with installing the monthly updates, or notice any problems after installing the updates, please call the DLS Help Desk at 617-495-8411.
Equipment for Presentations
24-hour advance notice is appreciated for help with the setup of presentation equipment, e.g. connecting a laptop to a data projector. If a non-DLS supported laptop is to be used, it must be checked well in advance of the presentation for the most current security patches and virus definitions. Computers that do not meet these criteria will not be allowed on the Harvard network.
Note: Rental of projectors and laptops is not provided through the DLS Help Desk. DLS clients should check within their department for any department-owned presentation equipment.
Computer Training
For a variety of courses, seminars, and workshops, please see the listing on the Harvard University Center for Workplace Development's website at:
http://harvie.harvard.edu/learning/cwd/
Passwords
All DLS clients are required to change their network passwords yearly. Users will receive notification before expiration. Users who do not change their password before it expires will have their network account disabled.
Passwords should:
- Be a minimum of 9 characters long.
- Use a complex character set made up of alphanumeric and special characters, e.g. ca23tlr#!.
- Use a passphrase (ex. myD0grulz).
Passwords should not:
- Be the same password used within the past several password changes.
- Be shared with anyone.
- Be written down or recorded.
- Include any part of your login name.
- Include common words, notable dates, or predictable numeric sequences.
- Use foreign words, colloquial terms, or book/movie terms.
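As an added example that is not part of the DLS policy, the following Python function checks a candidate password against the rules listed above and reports every rule it violates. The 9-character minimum, the login-name rule and the reuse rule come from the policy; the history depth of five, the small word list, and the reading of "complex character set" as at least three of the four character classes (lower case, upper case, digits, specials) are assumptions made for this illustration.

```python
import hashlib
import re
import string

# Constructed example: a checker for the DLS password rules. Values marked
# "assumed" are not stated in the policy and are chosen for illustration.
MIN_LENGTH = 9                           # from the policy
HISTORY_DEPTH = 5                        # "past several changes": assumed value
COMMON_WORDS = {"password", "harvard", "welcome", "letmein", "qwerty"}  # assumed, incomplete
SPECIALS = set(string.punctuation)


def digest(password: str) -> str:
    """Unsalted SHA-256, used only so this example never keeps old passwords in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def contains_login_part(password: str, login: str, min_part: int = 3) -> bool:
    """True if any min_part-character slice of the login name appears in the password."""
    pw, lg = password.lower(), login.lower()
    return any(lg[i:i + min_part] in pw for i in range(len(lg) - min_part + 1))


def has_predictable_run(password: str, run: int = 4) -> bool:
    """Detect runs such as 1234, abcd, 4321 or aaaa (predictable sequences)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password: str, login: str, history: tuple = ()) -> list:
    """Return the list of rules the password violates; an empty list means it is acceptable.

    history holds SHA-256 digests of the user's previous passwords, most recent first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lower case, upper case, digits, special characters")

    if digest(password) in history[:HISTORY_DEPTH]:
        problems.append(f"reused within the last {HISTORY_DEPTH} changes")

    if login and contains_login_part(password, login):
        problems.append("contains part of the login name")

    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if re.search(r"(19|20)\d{2}", password):          # crude "notable date" heuristic
        problems.append("contains what looks like a year")
    if has_predictable_run(password):
        problems.append("contains a predictable character sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample: two earlier passwords for user "jsmith", stored as digests.
    previous = (digest("Summer2008!"), digest("Winter2007!"))
    for candidate in ("ca23tlr#!", "myD0grulz", "jsmith1234", "Summer2008!"):
        verdict = check_password(candidate, login="jsmith", history=previous)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Both examples given in the policy (ca23tlr#! and myD0grulz) pass; a password built from the login name or a reused one is rejected with the specific rule named.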
Virus Protection
All DLS client computers are automatically protected from viruses by Symantec Norton Anti-Virus. New computers are configured to automatically receive new virus definition updates every 6 hours as the vendor makes them available.
Home Personal Computer Recommendations
Users should check their home personal computers for critical operating system and application updates to be sure that personal computers at home do not become infected.
All Microsoft operating systems and application updates are available at the Microsoft site below:
http://windowsupdate.microsoft.com/
Home users should also be sure that anti-virus software is installed on their home PCs. Online downloads and purchases are available at the Symantec Norton Anti-Virus link below:
http://www.symantecstore.com/dr/v2/ec_Main.Entry?SP=10007&SID=27674&CID=0&DSP=0&CUR=840&PGRP=0&CACHE_ID=0
Microsoft Vista Support
Microsoft has released a new desktop operating system (OS) called Vista. This OS is significantly different in look and feel from the current Windows XP platform. At this time DLS is evaluating the application compatibility, hardware, networking, licensing and support requirements of the Vista OS. Until DLS has fully assessed this new OS, Vista will not be supported or installed on DLS systems. Most importantly, Vista uses Internet Explorer 7.x (IE7.x) as its browser, which is not compatible with our current Oracle Enterprise applications.
Support of Microsoft Office 2007
The Microsoft Office 2007 suite was released on January 31, 2007 in several different variations. Its release has introduced several changes and a significantly different look and feel. Support Services (DLS) is in the ongoing process of assessing the application compatibility, licensing and support requirements of Office 2007. At this time, it has been determined that Vista does not satisfy these departmental support requirements. Two areas of concern exist: 1) a new file format that is not compatible with older versions of Office, and 2) interoperability of the new Outlook client with Project ICE. As a result:
Windows Office 2007 is not a supported DLS departmental application and should not be purchased or installed.
Please contact DLS Support Services with any questions or concerns at dls@harvard.edu.
PDA Handheld Device Policy
In conjunction with Project ICE!, DLS will only support Harvard-owned PDA devices. The standard PDA devices for CAIT will be reflected in the standards document at http://www.uis.harvard.edu/support_services/standards.pdf. Only Harvard Exchange email and calendar data will be configured on handheld devices. Outside providers such as Google, Hotmail, etc. are not permitted.
Device lock passwords are required on all PDA or handheld devices. PDA models that are controlled via enterprise back-end server policies include BlackBerry and Treo devices; these will automatically enforce a device screen lock password. Failure to enter the correct password after multiple attempts will result in all data on the device being automatically deleted. The password must be at least 4 characters long, and the device will automatically lock after no more than 20 minutes of inactivity.
CAIT users will have until December 31, 2007 to migrate to a standard PDA device. As of June 30, 2008, non-standard legacy PDAs will no longer be supported by DLS. The Harvard University Information Security and Privacy policies at http://www.security.harvard.edu apply to the use of PDA devices and to information stored on and/or accessed through these devices. Staff should avoid storing confidential data on PDA devices.
PGP Whole Disk Encryption Policy
UIS Support Services has begun a strategic initiative to protect data while it is stored on workstation hard disks, especially on laptops. Going forward, planned laptop replacements and upgrades will include PGP Whole Disk Encryption as part of the standard installation. In addition to this effort, DLS will be working with local managers to identify computers that routinely access confidential information and target them for encryption as well.
Why is the use of PGP Whole Disk Encryption important?
The Harvard University enterprise security policy specifies that disk encryption must be used to secure data. In particular, laptops and other mobile devices are at higher risk than desktops and should be secured first.
http://www.security.harvard.edu/tech_security/transporting.php
The use of PGP Whole Disk Encryption does not authorize users to handle confidential data in a fashion inconsistent with the security policy. At no point should confidential data be present on any device such as a laptop, desktop, portable disk drive or USB thumb drive, regardless of encryption. If a computer is lost or stolen while it is shut down, drive encryption will protect against the loss of data.
What does PGP Whole Disk Encryption do?
PGP Whole Disk Encryption protects against data theft while the computer is powered off. It transparently locks down the entire contents of a laptop or desktop drive, ensuring that while the machine is shut down the data stored on it cannot be exposed to anyone if the machine is lost. The encryption runs as a background process that is entirely transparent, automatically protecting valuable data, even in hidden and system files, without requiring the user to take additional steps.
How does PGP Whole Disk Encryption change how I use my computer?
PGP Whole Disk Encryption requires you to authenticate with your PGP Whole Disk Encryption passphrase when you turn on your computer, before Windows even starts. Once you have authenticated, on-the-fly decryption and encryption is enabled and your computer will continue with the normal startup process, which will look and behave exactly as before.
Do I have to remember a new passphrase in addition to my Windows login password?
No. The PGP Whole Disk Encryption login replaces the need for you to log into Windows when you turn on your computer, and your Windows password and PGP Whole Disk Encryption passphrase are the same. If you change your Windows password, or vice versa your PGP passphrase, PGP Whole Disk Encryption automatically synchronizes the two in the background.
Does PGP Whole Disk Encryption affect how I use any of my applications? Will it affect my email?
No. While you are logged into your system, all applications, including email and other network software, run unaffected. The encryption/decryption is entirely transparent to application activity.
Can I still put my PGP Whole Disk Encryption–protected system into hibernation or standby modes?
Yes, PGP Whole Disk Encryption supports Windows hibernation and standby modes. When you bring your system out of hibernation, PGP Whole Disk Encryption will require you to authenticate before you can access Windows.
What platforms are supported?
Microsoft Windows XP.
Whom should I contact with further questions or for assistance?
For further information about the rollout and use of PGP Whole Disk Encryption, contact the UIS Helpdesk at 617-495-8411 or email dls@harvard.edu.
UIS/DLS Policy & Procedures for Support of Non-Harvard-Owned Computers
Policy
UIS/DLS will not provide support for any non-Harvard-owned computer. Additionally, UIS/DLS will not provide support that would allow a non-Harvard-owned computer to access Harvard’s internal computing resources or networks, with the exception of Harvard wireless networks. Any exception to this policy requires approval from the Director and/or Manager of UIS/DLS.
If a member of UIS/DLS detects a non-Harvard-owned computer connected to any of Harvard’s internal networks, except Harvard wireless networks, it is their responsibility to bring the violation to the attention of the Director and/or Manager of UIS/DLS, who will deal with the issue accordingly.
Overview
With stringent security policies in place to protect confidential Harvard data, it is critical that UIS/DLS does not allow or facilitate access to, or transfer of, such data to a non-Harvard-owned computer. With the enactment of several laws to protect the privacy of individuals' health records (HIPAA), financial records (GLBA), and student records (FERPA), data confidentiality has become a legal concern.
Exceptions
If an exception is granted for access to internal computing resources or networks access, UIS/DLS will validate that the non-Harvard-owned computer has an enabled anti-virus program with the latest virus definition files and is free of any viruses, malware, or spyware prior to connecting the computer to the internal network. This will require that UIS/DLS performs the following steps:
- Confirm that virus definition files are less than one week old. Updating of the virus definition files will be performed without plugging directly into the internal Harvard network.
- Run a full virus scan of all hard drives.
- Run a current spyware detection utility.
- Update Microsoft security patches by connecting to Microsoft’s SUS server. Updating of the Microsoft security patches will be performed without plugging directly into the internal Harvard network.
Support Services Workstation/Laptop Policy
- Laptop Owner Do’s & Don’ts
  - Do: Be certain that PGP full disk encryption is installed on your laptop.
    a. If it is not installed, call the Helpdesk at 617-495-8411 to request installation.
  - Do: Be certain that virus definitions are up-to-date.
    a. If you aren’t certain that your virus definitions are up-to-date, follow these instructions:
      - Click on Start > Programs > Symantec Client Security > Symantec AntiVirus.
      - The Symantec AntiVirus window will open. Make sure that your Virus Definitions are less than one week old. If not, click on the LiveUpdate button.
  - Do: Be certain that Windows patches are up-to-date.
    a. If you aren’t certain that patches are up-to-date, follow these instructions:
      - Open Internet Explorer.
      - On the Menu Bar, choose Tools > Windows Update.
      - Internet Explorer will open a browser window called Microsoft Update.
      - Under the Options pane, choose “Review Your Update History”.
      - Note the date of your last update. Your updates should be no older than one month. If the last update is more than one month old, call the Helpdesk at 617-495-8411.
  - Do: Be certain that the laptop is completely powered down when traveling.
  - Don't: Leave the laptop unattended in a car.
  - Don't: Check the laptop as baggage when traveling.
  - Don't: Leave the laptop unattended. Always carry the laptop with you, or secure it in a safe, locked location.
  - Don't: Allow non-Harvard people, including family members, to use your laptop.
- Stolen/Lost Laptop Policy
  - The laptop owner needs to report the incident to:
    1. The laptop owner’s manager.
    2. The Helpdesk (617-495-8411): declare that a Harvard-owned device has been misplaced, lost or stolen. A brief description of how the device was lost or stolen should also be given so that security remediation procedures can be initiated. Helpdesk/Operations will collect the following from the workstation/laptop owner:
       - Network username
       - Email address
       - VPN accounts
       - Any other account information (Advance, Avantis/Progress, etc.)
       - Any special applications loaded on the device (PGP, Sygate)
       - What personal or private data may have been on the machine, such as HR personnel data, performance evaluations or HUIDs
    3. If the theft occurred on campus, notify Harvard University Police:
       - Phone: 617-495-1212 or 617-495-1215
    4. If the theft occurred off campus, file a police report in the city where the theft occurred.
       - Note: You’ll need a copy of the police report in order for an insurance claim to be filed for the loss of the laptop.
    5. Harvard University’s Office of General Counsel, by calling 617-495-1280, if your lost or stolen laptop contains high-risk data (see 5.c. below).
       a. If your lost or stolen laptop was powered down and was PGP encrypted, there should be no risk of data loss.
       b. If your lost or stolen laptop was PGP encrypted but was not powered down, then there is a high risk of data loss.
       c. High-risk data is the first name or first initial and last name of staff, students or faculty in combination with any of the following: social security number, driver’s license number, state-issued identification card number, or financial account, credit or debit card number.
    6. Harvard University’s Insurance Department (617-496-8830). Be certain to include the police report with the claim.
  - Helpdesk/Tier 2 needs to report the incident:
    7. Helpdesk/Operations will open an Urgent ticket with all pertinent information, which will be escalated to Tier 2 for the account management procedure (see item #8 below). In addition, the Helpdesk supervisor/manager and the Director of Support Services will be informed so that they can conduct an internal review.
    8. Tier 2 will evaluate what data could be vulnerable and will disable any and all accounts that the user may have accessed from that workstation or laptop. For example:
       - NOC will disable the VPN account (if applicable).
       - SOC/NOC will monitor for any abnormal behavior on servers and databases to which the laptop owner had access.
    9. The user will be contacted with the steps that were taken and the new account information.
    10. The Director of Support Services (617-495-9963) will be notified of the final resolution.
University Security Mandates