Use of Authentication Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with Minimum Security Standard for Networked Devices.  

Requirement

Network services running on campus devices must be configured to require authenticated access by means of passwords or other secure authentication mechanisms unless the explicit purpose of the service is to provide unauthenticated access (for example: public web servers) and can do so without readily allowing it to be used by attackers.

Network services which are commonly used by attackers and, therefore, must not allow unauthenticated access include: proxy services, email relays, wireless access points, remote desktop, SSH shell access, or printer administrative interfaces.

In addition, where possible and appropriate, passwords or other secure authentication mechanisms must be used for local (console) logins. Kiosks conforming to the Campus Guidelines for Kiosk Workstations are exempted from this requirement.

Background and Description of Risk

Authentication keeps unauthorized people from using your computer or device. Any computer or device on the campus network that runs unauthenticated, exploitable network services is likely to be found by attackers and compromised or abused.

Requiring authentication to log on to the physical console of your computer may also help stop people with casual access to your system from installing malware or stealing your data.

Any network service that could be used maliciously should be protected by authentication. When implementing, ensure that authentication methods comply with requirement#6, “Unencrypted Authentication.”

Full-featured operating systems like Windows, Mac OS, or Linux must be configured so that all user accounts have passphrasess, and those passphrases are required to login to the system locally or to use the system remotely (via Remote Desktop/VNC, file and print sharing, or other services).

Recommendations

Kiosks

Kiosks can be configured to protect against misuse by conforming to Campus Guidelines for Kiosk Workstations.

Email Authentication

Email (SMTP) servers that support encryption and authentication (SMTP AUTH) must require their use before accepting messages to be relayed to the world. When that is not possible, other options such as transport mode IPSec should be considered before falling back to using firewalls to allow unauthenticated access for specific device IP addresses on trusted subnets.

Proxy Servers

Proxy servers must require authentication before forwarding or relaying traffic to other hosts. When that is not possible, other options such as transport mode IPSec should be considered before falling back to using firewalls to allow unauthenticated access for specific device IP addresses on trusted subnets.