Summary
This article outlines the baseline security configurations that support the NU IT Risk Classifications of Low, Medium, and High. These configurations align with National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171) and Center for Internet Security (CIS) Levels 1 & 2.
Background / Overview
The University of Nebraska is committed to protecting the privacy of its students, alumni, faculty and staff, as well as protecting the confidentiality, integrity and availability of information important to the University's mission. Baseline security defends against cyber attacks, unauthorized actions, and data loss through resilient technical configurations that provide appropriate risk-based protection without significantly impacting daily business operations.
Three security configurations support the NU IT Risk Classifications of Low, Medium, and High. These configurations align with National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171) and Center for Internet Security (CIS) Levels 1 & 2. For more information, review IT Risk Classification.
- Compliance configurations as required by agreement or regulation are also available to meet CMMC, DFARS, FedRAMP, ITAR, PCI, HIPAA, etc. All applicable technology configurations identified in a System Security Plan (SSP), Technology Control Plan (TCP), or Data Use Agreement (DUA) will be implemented to meet compliance as required. For additional information, please complete an Endpoint Security Request.
The following is a summary of observable changes to operating systems that users can expect with the implementation of Baseline Security on a university-owned endpoint. IT Professionals can access the full list of configurations in the IT Knowledge Base.
macOS Baseline Security Summary
macOS Low Risk Configuration
- Use of University-managed Identities for Login
- Supported Version of macOS
- Managed Firewall
- Patch & Vulnerability Management
- Extended Detection and Response (XDR) (UNK, UNL, UNO)
- Standardized System, Application, and Security Logging
- Server functions on endpoints are disabled: http, nfs, tftp, uucp, smb, ssh, etc.
- The macOS Login process displays a University Privacy and Security Notice and custom support message at the login window. Additionally, both username and password fields will be displayed at the login window requiring users to enter their account username. Examples are pictured below.
- The screensaver will display after 15 minutes of inactivity, and re-authentication will be required once the screensaver has been displayed for 5 seconds.
- Printer Sharing and Bluetooth File Sharing are disabled.
- The sudo timeout for administrative users is set to 0 seconds, so each sudo command will require authentication.
macOS Medium Risk Configuration (Includes Low)
- FileVault Encryption Required
macOS High Risk Configuration (Includes Low and Medium)
- Remote access to a Mac through screen sharing and Apple Remote Desktop are disabled. Initiating a remote session to another system is supported.
- Use of Siri is disabled.
- Use of AirDrop and AirPlay Receiver is disabled.
- System, Application, and Security logs are forwarded to the ITS Security Information and Event Management (SIEM) system.
Windows Baseline Security Summary
Windows Low Risk Configuration
- Use of University-managed Identities for Login
- Supported Version of Windows
- Managed Firewall
- Patch & Vulnerability Management
- Extended Detection and Response (XDR) (UNK, UNL, UNO)
- Standardized System, Application, and Security Logging
- Some built-in server functions or services on endpoints are disabled such as: IIS Admin Service, Microsoft FTP Service, OpenSSH SSH Server, and the World Wide Web Publishing Service.
- The Windows Sign-in Experience requires Ctrl+Alt+Delete to unlock a computer. Once a computer is unlocked at startup, a Logon Banner will be displayed containing a University Privacy and Security Notice. Additionally, both username and password fields will be displayed at the login window, requiring users to enter their account username. Examples are pictured below.
- Remote Desktop users must use Active Directory accounts; local accounts are not supported.
- The computer will lock after 15 minutes of inactivity and re-authentication will be required. The currently signed-in user will have their user account displayed with a prompt for their password. An option to switch users is available.
- User Account Control will prompt for elevation more frequently upon opening certain applications. Examples include Microsoft Management Console-based applications and Task Manager.
Windows Medium Risk Configuration (Includes Low)
Windows High Risk Configuration (Includes Low and Medium)
- Print Driver installation will require administrative rights.
- Use of Cortana is disabled.
- Inbound Remote Desktop / RDP access is disabled. Initiating an RDP session to another system is supported.
- System, Application, and Security logs are forwarded to the ITS Security Information and Event Management (SIEM) system.
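The following read-only audit script is an added example, not NU's own tooling; it reports whether a Windows endpoint matches the observable Low-risk items (Ctrl+Alt+Delete, username field, logon banner, 15-minute lock, disabled server services) and the High-risk inbound RDP item listed above. The registry locations and service names it queries are assumptions based on standard Windows policy settings, not values taken from the NU configuration.

```powershell
# Added audit script (not NU's own tooling). Read-only: reports whether a Windows
# endpoint matches the Low- and High-risk items summarized in this article.
# Assumptions: settings are enforced at the standard policy registry paths below,
# and service names map to the display names the article lists.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: treat as "not configured"
}

$checks = @(
    # Low: Ctrl+Alt+Delete required at sign-in (DisableCAD = 0)
    [pscustomobject]@{ Level='Low';  Item='Ctrl+Alt+Delete required';
        Pass = ((Get-RegValue $policy 'DisableCAD') -eq 0) }
    # Low: username must be typed (last signed-in user not pre-filled)
    [pscustomobject]@{ Level='Low';  Item='Username field required';
        Pass = ((Get-RegValue $policy 'DontDisplayLastUserName') -eq 1) }
    # Low: logon banner text present
    [pscustomobject]@{ Level='Low';  Item='Privacy and Security Notice banner';
        Pass = -not [string]::IsNullOrWhiteSpace((Get-RegValue $policy 'LegalNoticeText')) }
    # Low: lock after at most 15 minutes (900 s) of inactivity; 0 means disabled
    [pscustomobject]@{ Level='Low';  Item='Inactivity lock (15 min)';
        Pass = ((Get-RegValue $policy 'InactivityTimeoutSecs') -in 1..900) }
    # High: inbound RDP denied (fDenyTSConnections = 1); outbound mstsc unaffected
    [pscustomobject]@{ Level='High'; Item='Inbound RDP disabled';
        Pass = ((Get-RegValue $ts 'fDenyTSConnections') -eq 1) }
)

# Low: built-in server services named in the article must be absent, or stopped
# and set to Disabled. Service names are assumed; FTP is 'ftpsvc' on IIS 7+.
foreach ($svc in 'IISADMIN', 'ftpsvc', 'sshd', 'W3SVC') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Level='Low'; Item="Service $svc disabled";
        Pass = ($null -eq $s) -or ($s.Status -ne 'Running' -and $s.StartType -eq 'Disabled') }
}

$checks | Format-Table Level, Item, Pass -AutoSize
# Non-zero exit lets a fleet-management tool flag drifted endpoints
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it from an elevated PowerShell session so the policy hive and service start types are readable.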