Baseline Security

Background / Overview

The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. Baseline security defends against cyber attacks, unauthorized actions, and data loss through resilient technical configurations that provide appropriate risk-based protection without significantly impacting daily business operations.

Three security configurations support the NU IT Risk Classifications of Low, Medium, and High. These configurations align with National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171), and Center for Internet Security (CIS) Levels 1 & 2. For more information, review IT Risk Classification.

  • Compliance configurations required by agreement or regulation are also available to meet CMMC, DFARS, FedRAMP, ITAR, PCI, HIPAA, etc. All applicable technology configurations identified in a System Security Plan (SSP), Technology Control Plan (TCP), or Data Use Agreement (DUA) will be implemented to meet compliance as required. For additional information, please complete an Endpoint Security Request.

The following is a summary of observable changes to operating systems that users can expect with the implementation of Baseline Security on a university-owned endpoint. IT Professionals can access the full list of configurations in the IT Knowledge Base.

macOS Baseline Security Summary

macOS Low Risk Configuration

  • Use of University-managed Identities for Login
  • Supported Version of macOS
  • Managed Firewall
  • Patch & Vulnerability Management
  • Extended Detection and Response (XDR) (UNK, UNL, UNO)
  • Standardized System, Application, and Security Logging
  • Server functions on endpoints are disabled: http, nfs, tftp, uucp, smb, ssh, etc.
  • The macOS login window displays a University Privacy and Security Notice and a custom support message. Additionally, both username and password fields are shown at the login window, so users must enter their account username. Examples are pictured below.

macOS login window policy banner

macOS 12 login window with username and password fields. At the bottom, the message "This device is owned and managed by the University of Nebraska. For assistance please contact the IT Help Center at (402) 472-3970 or support@nebraska.edu"

  • The screensaver will display after 15 minutes of inactivity, and re-authentication will be required once the screensaver has been displayed for 5 seconds.
  • Printer Sharing and Bluetooth File Sharing are disabled.
  • Sudo timeout for administrative users is set to 0 seconds. Each sudo command will now require authentication.

 

macOS Medium Risk Configuration (Includes Low)

  • FileVault Encryption Required

 

macOS High Risk Configuration (Includes Low and Medium)

  • Remote access to a Mac through screen sharing and Apple Remote Desktop are disabled. Initiating a remote session to another system is supported.
  • Use of Siri is disabled.
  • Use of AirDrop and AirPlay Receiver is disabled.
  • System, Application, and Security logs are forwarded to the ITS Security Information and Event Management (SIEM) system.
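As an added example (not University of Nebraska code), the following read-only shell script spot-checks a Mac for the observable Low- and Medium-tier items listed above. The commands used to observe each setting and the 900-second, 5-second and 0-second thresholds are this example's assumptions about how the summary shows up on an endpoint, not the NU profile definitions.

```shell
#!/bin/sh
# Added example, not University of Nebraska code: read-only spot check of the
# observable macOS Low/Medium-tier settings summarised in this article. The
# observation commands and the 900 s / 5 s / 0 s thresholds are assumptions
# about how each item appears on an endpoint, not the NU profile definitions.

# Evaluators take already-observed values and return 0 (meets baseline) or
# 1 (drift), so they can be exercised with sample strings on any system.
check_idle_lock() {      # $1 idleTime (s), $2 askForPasswordDelay (s)
    [ "$1" -ge 1 ] && [ "$1" -le 900 ] && [ "$2" -le 5 ]   # 0 = never locks
}
check_login_window() {   # $1 SHOWFULLNAME flag, $2 LoginwindowText banner
    [ "$1" = "1" ] && [ -n "$2" ]
}
check_sudo_timeout() {   # $1 sudoers text; wants an uncommented Defaults line
    printf '%s\n' "$1" | grep -Eq \
      '^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9.]|$)'
}
check_firewall() {       # $1 output of socketfilterfw --getglobalstate
    case "$1" in *"State = 1"*|*"State = 2"*) return 0 ;; esac; return 1
}
check_filevault() {      # $1 output of fdesetup status (Medium tier)
    case "$1" in "FileVault is On."*) return 0 ;; esac; return 1
}
check_remote_login() {   # $1 output of systemsetup -getremotelogin (ssh)
    case "$1" in *"Off"*) return 0 ;; esac; return 1
}

# Observe the live values (macOS only; run with sudo to read sudoers) and
# print PASS/DRIFT per item. Values set by a management profile live under
# /Library/Managed Preferences and may not appear in the per-user domain.
audit_mac() {
    report() { if "$@"; then echo "PASS  $1"; else echo "DRIFT $1"; fi; }
    report check_idle_lock \
      "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)" \
      "$(defaults -currentHost read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)"
    report check_login_window \
      "$(defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME 2>/dev/null)" \
      "$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null)"
    report check_sudo_timeout "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
    report check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)"
    report check_filevault "$(fdesetup status)"
    report check_remote_login "$(systemsetup -getremotelogin 2>/dev/null)"
}

if [ "$(uname)" = Darwin ]; then audit_mac; fi
```

A DRIFT line means the observed value differs from the summary's expectation; it does not by itself mean the managed profile is missing, since a profile can enforce the setting without writing the per-user preference domain this script reads.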

 

Windows Baseline Security Summary

Windows Low Risk Configuration

  • Use of University-managed Identities for Login
  • Supported Version of Windows
  • Managed Firewall
  • Patch & Vulnerability Management
  • Extended Detection and Response (XDR) (UNK, UNL, UNO)
  • Standardized System, Application, and Security Logging
  • Some built-in server functions or services on endpoints are disabled such as: IIS Admin Service, Microsoft FTP Service, OpenSSH SSH Server, and the World Wide Web Publishing Service.
  • The Windows sign-in experience requires Ctrl+Alt+Delete to unlock a computer. After the computer is unlocked at startup, a Logon Banner containing a University Privacy and Security Notice will be displayed. Additionally, both username and password fields are shown at the login window, so users must enter their account username. Examples are pictured below.

Press Ctrl+Alt+Delete to unlock

Windows Privacy and Security Notice

Windows login window with Username and Password fields

  • Remote Desktop users must use Active Directory accounts; local accounts are not supported.
  • The computer will lock after 15 minutes of inactivity, and re-authentication will be required. The currently signed-in user will see their user account displayed with a prompt for their password. An option to switch users is available.
  • User Account Control will prompt for elevation more frequently upon opening certain applications. Examples include: Microsoft Management Console-based applications and Task Manager.

 

Windows Medium Risk Configuration (Includes Low)

  • BitLocker Encryption

 

Windows High Risk Configuration (Includes Low and Medium)

  • Print Driver installation will require administrative rights.
  • Use of Cortana is disabled.
  • Inbound Remote Desktop / RDP access is disabled. Initiating an RDP session to another system is supported.
  • System, Application, and Security logs are forwarded to the ITS Security Information and Event Management (SIEM) system.

Details

Article ID: 192
Created
Tue 3/26/24 4:17 PM
Modified
Fri 8/2/24 3:26 PM
