Policies and Standards

• Acceptable Use
• Network Security Scanning
• Student UserIDs
• Is downloading music safe and/or legal?
  

• Telecommunications Inside Plant (Cabling) Standards for ATES Projects

Network Security Scanning Policy

The reports of network break-ins, denial of service attacks and other security breaches are frequently in the news. As part of our stewardship of the state-wide network, ITS performs occasional security scans to identify compromised machines and machines with known vulnerabilities. This allows us to proactively address these problems rather than wait for them to be reported to us after the fact when damage has already been done.

This is not a theoretical issue, we have had quite a few machines within the university network compromised, used in denial of service attacks, as spam relays and to compromise other machines.

In a recent scan, we found 90 open mail relays within the university's network, and earlier scan had found around 200. We ask the owners to close the relays to avoid their being abused as spam relays.

We found 30 machines with back doors installed (we had found many more in the past and had gotten the owners to close them)

We found hundreds of machines with potential vulnerabilities and known vulnerabilities that could allow them to be compromised.

Often compromised machines have back doors installed that operate on specific ports or respond with known signatures. When one of these is detected or we are made aware of their existence, a scan can quickly identify other similarly compromised machines.

It is our intent to continue to do periodic unannounced scans as a matter of policy for the purpose of identifying and correcting security exposures

ITS does these scans from a machine called security-scanner.its.maine.edu or a similar name so it is clear that the scan is being done by ITS and not some attacker. We will also do scans on request and provide the results to those responsible for campus or departmental networks.

Student UserIDs

University of Maine System Information Technology Services (ITS) will provide University students with a CMS, mail or remote access account on a ITS system. This userid will remain valid for as long as the student is enrolled within the University. This privilege is subject to but not limited to the following conditions:

1. This userid is provided for academic use only. This includes actual course work and also responsible independent efforts at developing computer skills. It does not include any work done for organizations within the University such as clubs and fraternities, nor for individuals or organizations outside of the University, nor for any work that is income producing including grants or contracts.

2. A student is limited to one ITS userid regardless of the number of courses taken which use ITS facilities. Duplicates will be removed from the system. Each ITS CMS or mail userid is allocated a fixed amount of disk space. Additional space can be acquired through ITS on a pay for use basis, or through the student's department.

3. This userid is for the use of the specific student to whom it has been assigned; it may not be loaned or given to anyone else.

4. To retain this userid the student must be enrolled in at least one degree-credit course within the University of Maine System.

5. Students must conduct themselves responsibly and with discretion while using this userid. Computer system resources are scarce and expensive. Interfering with other users by sending unsolicited messages, needless consumption of system resources or other offensive behavior will result in the removal of this userid.

6. It is the responsibility of the student to maintain the security of their password. Passwords for CMS IDs must be changed on a regular basis (currently 150 days) or they will be de-activated. We strongly suggest passwords for other types of ids also be changed periodically and may enforce this at some future date.

   Failure to use the system in accordance with these conditions may lead to loss of privileges and further disciplinary action.