Summary
This article describes the OTS standard on Linux workstations on the campus network:
- OTS does not permit Linux on workstations (desktops or laptops) in the "faculty/staff" portion of the wired campus network.
- OTS discourages the use of Linux workstations by faculty/staff on the rest of the campus wired or wireless network (such as in labs or classrooms), except in specific cases.
- Where Linux is used, OTS cannot offer support and OTS cannot guarantee the availability of computing services.
- Where Linux is used and connected to TU’s network, the systems are required to adhere to standard security configuration requirements.
- This excludes Linux servers hosted in OTS datacenters.
Linux Workstations on Campus Network
OTS does not permit Linux workstations (desktops or laptops) to reside on the "faculty/staff" portion of the wired campus network.
This is a protected portion of the network reserved for OTS-managed workstations primarily used by faculty/staff to conduct business. This portion of the network is meant to better protect faculty/staff workstations which may allow greater access to confidential data and protected systems in OTS datacenters.
Workstations on this faculty/staff network must run a version of Windows or Mac OS managed by OTS, and have a variety of security controls and policies in place (e.g., Windows Firewall) to protect these workstations. TU-owned workstations for faculty/staff will not have their operating system replaced with Linux.
Any non-compliant Linux workstations on the faculty/staff network will be moved to the "untrusted" network. The "untrusted" network has some limitations in its access to services hosted in the OTS datacenters.
OTS also discourages the use of Linux workstations on the rest of the wired or wireless network ("untrusted" network), except in specific cases. When Linux needs to be used, there is an exception process described below.
Exceptions for Linux Workstations
In limited cases, there may be valid use-cases for Linux workstations on the "untrusted" campus network. These requests must be supported by the department and approved by OTS.
To request an exception:
- Create a support request in TechHelp describing your use-case, by choosing the Setup & Configuration option under the Office Computer service: https://techhelp.towson.edu/TDClient/1879/Portal/Requests/ServiceDet?ID=52696.
- Describe the use-case, e.g., actively teaching using Linux (such as in CIS) or IoT (Internet of Things) devices.
- Confirm that the department supports the use-case.
- You may reference this knowledge base article to confirm that you're aware of the approval process.
- Once approved, the requester will receive guidelines (see the section below in this article) on how to configure basic security settings on the Linux workstation to offer a baseline level of security that meets University System of Maryland IT security guidelines and Maryland State IT policy.
- The Linux workstation(s) should be configured with those security settings within one week of the exception being approved, and the configuration reviewed at least annually to ensure the security settings are still in place.
Please note that:
- OTS will not offer assistance in configuring or troubleshooting the Linux workstations.
- Linux workstations will not be able to "join" the TU Active Directory domain (towson.edu).
- OTS will not guarantee that its computing services will function with the Linux workstations -- only basic assistance will be provided when troubleshooting access to resources.
Security Guidelines for Linux Workstations
For approved exceptions, the following are required security settings and configuration. OTS will not offer assistance or documentation in configuring or troubleshooting Linux workstations.
Required security settings and configuration:
- Host-based firewall (e.g., iptables) enabled to restrict all unnecessary network communications.
- Login access on the workstation uses a non-privileged account (i.e., not root), and any administrative activities use a privilege management model such as sudo.
- Operating system and application security updates must be applied within 30 days of release. Operating systems and applications must be considered current (i.e., security updates are actively released for the product).
- The workstation is configured to require all account passwords to be compliant with USM IT Security Standards password requirements: https://www.usmd.edu/usm/adminfinance/itcc/ITSecResource.html
- All default account passwords must be changed, and the new passwords must be in accordance with USM IT Security Standards password requirements: https://www.usmd.edu/usm/adminfinance/itcc/ITSecResource.html
- Antimalware/antivirus software is required.
- Absolutely no confidential data should be accessed by or saved to the workstation.
- Device configuration may be subject to audit and review by the OTS Office of Information Security and Privacy (OISP) to ensure security controls are implemented and operating effectively.
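The following is an added example, not OTS code or documentation: a self-check for the firewall and non-root login items above that a workstation owner could run at the annual review. It assumes that "restrict all unnecessary network communications" means an iptables INPUT default policy of DROP and that "not root" means a locked root password and no other UID 0 account; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-check for the firewall and non-root-login requirements.
# Every check reads text on stdin, so it runs on live output or a saved copy.

# Default policy of the INPUT chain, taken from `iptables -S` output.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { p = $3 }
         END { print (p == "" ? "UNKNOWN" : p) }'
}

# Accounts other than root that hold UID 0 (passwd(5) format).
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }'
}

# "locked" when root's shadow(5) password field starts with ! or *.
root_password_state() {
    awk -F: '$1 == "root" { s = ($2 ~ /^[!*]/) ? "locked" : "unlocked" }
             END { print (s == "" ? "missing" : s) }'
}

# usage: audit RULES_FILE PASSWD_FILE SHADOW_FILE
# Prints one PASS or FAIL line per check.
audit() {
    pol=$(input_policy < "$1")
    if [ "$pol" = "DROP" ]; then echo "PASS firewall"
    else echo "FAIL firewall: INPUT policy is $pol"; fi
    extra=$(extra_uid0 < "$2" | tr '\n' ' ')
    if [ -z "$extra" ]; then echo "PASS uid0"
    else echo "FAIL uid0: also UID 0: $extra"; fi
    state=$(root_password_state < "$3")
    if [ "$state" = "locked" ]; then echo "PASS root"
    else echo "FAIL root: password is $state"; fi
}

# Constructed sample of a workstation that misses two of the three checks.
SAMPLE=$(mktemp -d)
printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD DROP' '-P OUTPUT ACCEPT' \
    '-A INPUT -i lo -j ACCEPT' > "$SAMPLE/rules"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'toor:x:0:0::/root:/bin/sh' \
    'alice:x:1000:1000::/home/alice:/bin/bash' > "$SAMPLE/passwd"
printf '%s\n' 'root:!:19700:0:99999:7:::' \
    'alice:$6$constructed:19700:0:99999:7:::' > "$SAMPLE/shadow"
audit "$SAMPLE/rules" "$SAMPLE/passwd" "$SAMPLE/shadow"
```

On a real workstation, save `iptables -S` output to a file as root and pass it with `/etc/passwd` and `/etc/shadow` to `audit`.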
Questions
Questions about this article or the policy can be directed to OTS by submitting a support request in TechHelp. Choose the Setup & Configuration option under the Office Computer service: https://techhelp.towson.edu/TDClient/1879/Portal/Requests/ServiceDet?ID=52696. Reference this knowledge base article when asking your question.