Safe Connect/Policies
From ITS Wiki - Information Technology Services - University of Rhode Island
Types of Policies
The following are the types of policy that can be enforced by URI's Safe Connect Network Access Control system:
Authentication
Users must authenticate using their eCampus username and mail.uri.edu passwords, or by using a guest account.
Policy Key
Users must have the Safe Connect Client installed and running. The client software must be able to communicate with URI's Safe Connect Enforcer. This policy only applies to Windows and Macintosh devices.
Antivirus
Note: Antivirus policies only apply to Windows machines.
Installed
At least one Supported Antivirus Solution must be installed.
Running
At least one installed Antivirus solution must be running.
Updated
At least one installed Antivirus solution must have definitions updated within the last two weeks.
Note: The antivirus solution can be different for each of the installed/running/updated requirements. For example, if a user has McAfee and Norton installed, only has McAfee running, and only has updated definitions for Norton, all three policies will pass.
ePO (NA Install Check)
Client must have the latest version of McAfee Electronic Policy Orchestrator.
OS Patches Policy
Note: The OS Patch policy only applies to Windows machines.
The machine must have Windows Update settings compliant with the minimum security requirements. In most cases, this policy requires that Windows be set to download and install updates automatically.
Block Access
It is not possible to pass the block access policy. Penalty for failure is quarantine.
NAT
There must not be a third-party NAT device (such as a home router) between Safe Connect and the computer.
Definitions
Quarantine/Block
Safe Connect uses the words "quarantined" or "blocked" when a machine's internet access has been restricted. While a machine is quarantined, it will only be able to access resources within URI (Webmail and www.uri.edu, for example); resources not hosted by URI (Google, Yahoo, CNN, ...) cannot be accessed while quarantined.
Warning
When a computer is not in compliance with Safe Connect policies, Safe Connect issues a warning. The warning comes in the form of a web page with information about the problem and how it can be fixed. Safe Connect issues a warning every time a machine is quarantined, but does not quarantine every time it issues a warning.
Standard Requirements
Standard requirements apply only to the following operating systems:
- Windows 2000
- Windows Server 2003
- Windows XP
- Windows Vista
- Windows 7
- Mac OS X, >10.3
Authentication
- Requirement: Users must successfully authenticate once.
- Fail: Machine is quarantined until Authentication passes.
- Pass: Safe Connect evaluates compliance with the remaining policies.
Policy Key
- Fail: Machine is quarantined until the policy passes.
- Pass: Policy evaluation continues.
Antivirus installed policy
- Note: Applies only to Windows machines.
- Pass: Safe Connect checks for compliance with the AV running policy.
- Fail: Four warnings will be issued six hours apart. Six hours after the 4th warning, the machine will be quarantined until the policy passes.
Antivirus running policy
- Note: Applies only to Windows machines.
- Pass: Safe Connect checks for compliance with the AV definitions policy.
- Fail: Five warnings will be issued one hour apart. One hour after the fifth warning, the machine will be quarantined until the policy passes.
OS Patch Policy
- Note: Applies only to Windows machines.
The requirements and enforcement for this policy differ based on where a machine is located. Computer labs and computers located in Fogarty Hall, or other areas with specialized policy, may have requirements different from those listed here. These users should contact their local IT people or the Office of Information Security for further information.
- Requirement: Patches must be set to download and install automatically.
- Pass: Policy evaluation continues with NAT Policy.
- Fail: Two warnings will be issued one day apart. One day after the second warning, the machine will be quarantined until the policy passes.
NAT Policy
- Note: This policy is only enforced on the student side currently.
- Pass: Internet Access granted.
- Fail: Machine is quarantined until the NAT device is removed.
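The Standard Requirements above form an ordered chain with a different grace period per policy. The following Python model is an added example, not Safe Connect's own code; it assumes the first warning is issued the moment a failure is detected and that the first failing policy in the chain decides the outcome. The names Policy, CHAIN and evaluate are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    warnings: int = 0        # 0 = quarantined immediately on failure
    interval_h: int = 0      # hours between warnings
    windows_only: bool = False

# Order and escalation values as listed under Standard Requirements.
# The AV definitions policy is left out: the page gives no escalation for it.
CHAIN = [
    Policy("Authentication"),
    Policy("Policy Key"),
    Policy("Antivirus installed", warnings=4, interval_h=6, windows_only=True),
    Policy("Antivirus running", warnings=5, interval_h=1, windows_only=True),
    Policy("OS Patch", warnings=2, interval_h=24, windows_only=True),
    Policy("NAT"),
]

def evaluate(os_name, failing, hours_since_first_warning=0, student_side=True):
    """Return (state, deciding_policy, warnings_issued).

    failing: set of policy names the machine currently fails.
    hours_since_first_warning: age of the first warning for the deciding
    policy (assumption: that warning is issued when the failure is detected).
    """
    for p in CHAIN:
        if p.windows_only and os_name != "windows":
            continue                      # AV and OS Patch apply only to Windows
        if p.name == "NAT" and not student_side:
            continue                      # NAT is enforced on the student side only
        if p.name not in failing:
            continue                      # pass: evaluation moves to the next policy
        if p.warnings == 0:
            return ("quarantined", p.name, 0)
        # Quarantine comes one interval after the last warning.
        if hours_since_first_warning >= p.warnings * p.interval_h:
            return ("quarantined", p.name, p.warnings)
        issued = int(hours_since_first_warning // p.interval_h) + 1
        return ("warned", p.name, issued)
    return ("internet access granted", None, 0)

if __name__ == "__main__":
    print(evaluate("windows", {"Antivirus installed"}, 13))
    print(evaluate("windows", {"OS Patch", "NAT"}, 48))
```

Under these assumptions a machine reaches quarantine 24 hours after the first warning for a missing antivirus product, 5 hours after it for a stopped one, and 48 hours after it for non-compliant update settings.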
Other OS Requirements
These requirements apply to machines whose operating systems are not covered by the Standard Requirements.
Linux, Windows 98 and Me, Apple Mobile
Authentication
Users must authenticate each time the device is connected to the network. Failure to authenticate will result in an immediate quarantine.
Game Consoles
There are currently no policies applied to game consoles. Game consoles will be blocked when they first connect to the network. After generating outbound HTTP traffic, they will be unblocked.
