Note:
Effective Date: August 16, 2004
Computer systems which do not meet appropriate security standards pose a high security risk and can have a wide negative impact on network availability. In order to maintain a reliable network, protect data, and provide a secure computing environment for the UNC Campus, computer systems which do not meet established security standards will be removed from the network. Campus IT Security Services will strive to allow one week for systems to be properly secured before removing them from the network, but will take immediate action to contain security threats when conditions warrant.
Procedures regarding security standards and guidelines: A list of systems subject to removal and the removal date will be maintained with a link from https://www.unc.edu/security/campus. Although ITS Security will attempt to contact system administrators, it is the responsibility of campus IT support personnel to check this list regularly to be sure systems they are responsible for are properly secured. If you are concerned about your contact information please check the following site: http://its.unc.edu/netcomm/sub-admin2.htm and contact <hostreg@unc.edu> if you need the information for your group updated.
Standards and guidelines regarding necessary security will be proposed by ITS and reviewed by the campus IT Directors before adoption. Additional proposed standards and guidelines can be found at Security Standards (https://www.unc.edu/security/campus/DRAFT-security-standards.html). As new security threats emerge, notification of necessary corrective actions will be provided to campus via the CTC and Support lists.
Background: On April 13, Microsoft announced critical security patch MS04-011 and we urged campus IT support personnel to patch vulnerable systems right away. On May 1, approximately 30 unpatched Campus computer systems were compromised. Since May 1, 2004, more than 360 computer systems on campus have been compromised, with a large number of these involving viruses directly related to this patch. Unpatched systems risk not only the confidentiality and security of the data on that computer, but also affect large portions of the network. During July alone we experienced two significant network problems directly related to unpatched computers on the network. In both cases base campus VLAN services were brought to a crawl when as few as ten unpatched systems were infected. Currently there are over 170 unpatched systems on campus.
Network software changes scheduled for early August will help to mitigate the damage and danger of unpatched systems, but a significant risk of continued network outages will still exist. It is imperative that we address the risk before the beginning of the Fall semester.
Systems running Microsoft Windows which still lack MS04-011 will be the first systems to which this policy applies.
Jeanne Smythe
ITS Computing Policy
Jim Gogan
ITS Networking


