Windows Security and the Physics Network Policy statement

Policy statement, May 2004

The need to keep systems up to date with patches and anti-virus measures has become increasingly obvious. Recent experience has also shown that time is of the essence when dealing with new patches and failure to apply them leaves the whole network exposed to unacceptable risks. The question of how to ensure we address this issue in an efficient manner has been discussed at the Standing Committee for Physics Computing and the recommendations approved by the Physics Management Committee.

In developing the policy the following requirements have been taken into account.

• The need to keep the physics network a secure, safe and efficient place to work
• The effort required to maintain system software must be minimised
• Inconvenience to users must be minimised
• Flexibility to deal with systems with special requirements must be allowed
• The owner's right to have control over his/her system must be retained

The PMC therefore agreed the following policy.

1. All windows systems (NT, 2000, XP, Windows 7) connected to the physics network should become part of the physics domain unless there are good technical reasons to exclude them. Any exclusion will be by arrangement with IT staff and in some cases this may require connection of excluded systems to a separate network.
2. Owners of systems will be able to retain system administration rights on their machines, so they can continue to install software, setup printers etc.. Machines joining the domain do not have to be reinstalled or loaded with a standard 'clone' although this service is available to anyone who requests it.
3. Central IT staff will routinely audit all machines in the domain to be sure they are free from all known vulnerabilities and apply fixes as a matter of urgency when deemed necessary. All other management tasks can be left to the owner if requested.