Approx. 2,500 new / 7,500 returning computers connect to PennNet at the start of the academic year. Many machines are not patched, or have become infected. Probably between 1000 and 2000 mobile laptops move between PennNet and other network providers (e.g. home ISPs, other employers' networks, etc.).
Adequately securing transient machines is manually intensive, requiring IT staff time to check patch level, passwords, A/V signatures, etc. In many cases, e.g. public wireless locations, it is simply not possible to ensure that machines are properly secured.
Ensuring that machines get rebuilt following infection, particularly student machines, is difficult. We currently have no way to enforce our requirement that infected machines be rebuilt, and a widespread worm could lead to long waits to rebuild infected
■ Integrate vulnerability scanning with wired and wireless login processes. Place infected or vulnerable machines in a "quarantine" VLAN that only allows them connectivity to patch management services.
■ Test the Windows XP SP 2 "secure network connect" feature: it blocks all connections until critical patches are applied. If successful, provide broad education and expanded out-of-box defaults to ensure that Windows XP Service Pack 2 machines are configured to use a
Expand out-of-box program to include most year-round computer purchases.
■ Require in the Computer Security Policy that operating system firewalls be enabled, and that "secure network connect" features be enabled, where present.
■ Modify the Disconnect policy to authorize Information Security to require rebuilds before reconnection to PennNet when machines are compromised at the most privileged level.