All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices (MSSND). The recommendations below are provided as optional guidance to assist with achieving the Passphrase Requirements.
Only network services, ports, and protocols necessary for the intended purpose or operation of a device may be running. All others must be disabled or removed.
Only network proxy or gateway services, including TOR, whose configuration and use have been approved by the Unit Head and CISO are allowed on the UC Berkeley network.
Network services are applications on your device that listen for and respond to network traffic. Examples include:
- Web servers, file share servers, proxy servers, and FTP servers
- Remote access services such as Remote Desktop Protocol (RDP), VNC, and SSH
Open network services provide additional attack surface for hackers to exploit. Many security breaches are the result of attackers taking advantage of security vulnerabilities in network services such as:
- Flaws in the network service and supporting application libraries (e.g. client-server or peer-to-peer software components)
- Flaws in the protocol(s) that the network service utilizes
- Insecure configurations such as default accounts, improper access controls/permissions, lack of strong encryption in-transit, etc.
These flaws can lead to the device being compromised or to Denial of Service (DoS) attacks rendering the device and/or services unavailable.
Therefore, network services unnecessary for the intended purpose or operation of that device should be removed or disabled to reduce the overall risk.
When is a service necessary?
- There is a clear University business or educational need for the network service
- The service is generally appropriate given your role at the University
- The service does not allow guest or anonymous access to your computer or files
Services must also NOT:
- Introduce a security risk
- Interfere with other University resources or the campus network
- Create an excessive burden on campus infrastructure or resources
Harden Operating Systems
Use a well-known security benchmark such as the CIS (Center for Internet Security) benchmarks to secure your device’s configuration. Each benchmark will have specific information about which network services can and should be disabled by default:
CIS security benchmarks are available to all UC Berkeley campus users:
Microsoft Windows - Security Baselines:
Beware of User-Installed Software
Some applications install gratuitous network services that are either not required or are configured to provide network access when only local access is required. When installing a new application, perform a review after the installation to ensure unnecessary network services were not enabled.
Reduce Attack Surface
Just because a service is deemed necessary for University business or educational purposes doesn’t mean that it needs to be accessible to the world!
- Use host-based firewall rules to limit access to services, so that only authorized hosts/networks can connect to those services.
- If a network service must be broadly available from the Internet, first consider using the Remote Access VPN as a solution before enabling Internet access to a service:
- Configure your host-based firewall to default deny connections to the network service from the Internet.
- Configure your host-based firewall to permit connections to the network service from the Remote Access VPN address ranges.
- Then use the Remote Access VPN to connect to the campus network and access your network service.
- Contact your IT support for assistance.