8.2.2.2 Remote Access Standard

Summary

The purpose of this standard is to define the usage and restrictions for remote access, support, maintenance, and administration mechanisms.

Body

Purpose

Remote access to the University of Oklahoma (OU) network is essential to maintain productivity and support University missions.  Remote access provides a way for university users and support staff to share screens, access Information Technology (IT) services from home, and vice versa.  Remote access is defined as access to “non-public” University Information and IT services from outside of the University’s hard-wired and/or wireless networks.  While remote access tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the University’s network that can be used for theft of, unauthorized access to, or destruction of assets.

The purpose of this standard is to define the minimum security configurations for remote access, support, maintenance, and administration mechanisms.

Supporting Policy

Remote Access Policy

Standard

Remote Access Security Configuration

OU Virtual Private Network (OU VPN)

The Office of Information Technology Security Operations team must:

  1. Implement user authentication using SAML 2.0 authentication with multi-factor authentication enabled.
  2. Encrypt VPN traffic in accordance with the Encryption Standard.
  3. Terminate remote sessions after sixty (60) minutes of inactivity.
  4. Configure remote access firewalls in accordance with the Firewall Management Standard.
  5. Configure VPN to collect and retain logs in accordance with the System Logging Policy.
  6. Send firewall logs to the OU IT central repository for monitoring and analysis. 

OU Virtual Desktop (OU VDI)

The Office of Information Technology Operations team must:

  1. Implement user authentication using SAML 2.0 authentication with multi-factor authentication enabled.
  2. Encrypt VDI traffic in accordance with the Encryption Standard.
  3. Terminate remote sessions after sixty (60) minutes of inactivity.
  4. Configure VDI to collect and retain logs in accordance with the System Logging Policy.
  5. Send VDI logs to the OU IT central repository for monitoring and analysis. 
  6. Maintain, update, and redeploy a virtual machine gold image that complies with the End User Device Security Policy every 365 days.
 
Secure Shell (SSH)

SSH server asset owners must:

  1. Enable SSH 2.0 and disable older protocols.
  2. Configure encryption in accordance with the Encryption Standard.
  3. Disable password authentication for all users, except device administrators.
  4. Use strong passphrases that align with the IT Password Policy when generating SSH key pairs.
  5. Limit root login either by not allowing it (PermitRootLogin no) or by allowing it only with key-based authentication.
  6. Limit access to authorized users only.
  7. Terminate sessions after eight (8) hours of inactivity.
  8. Regularly monitor SSH software packages for updates and releases, and ensure updates are installed within thirty (30) days of release, when made available by the vendor.  SSH software packages are subject to OU IT vulnerability scans.
  9. Uninstall legacy SSH software packages as new packages are released and installed.
  10. Install the OU malicious software protection client on any machine which has SSH access available.
  11. Assume responsibility for reading logs, identifying unexpected logins or abnormal behavior and alerting OU IT Security.
  12. SSH Agent Forwarding shall only be used with trusted university-owned machines that are assigned to an individual and not shared among multiple individuals.
  13. Appliances and network devices using SSH for administrative functions should be configured with the appropriate security described above, where available.
  14. Always keep the private key stored somewhere secure.  Staff, faculty, students, contractors, vendors, or agents wishing to implement an SSH server should implement the following encryption key management

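As an added illustration (not part of this standard and not OU IT tooling), the shell script below audits the text of an sshd_config against items 1, 3, 5 and 6 of the SSH section; the two sample configurations at the bottom are constructed, and item 7's idle timeout is not checked because OpenSSH enforces it differently across versions.

```shell
#!/bin/sh
# Audit sshd_config text against items 1, 3, 5 and 6 of the SSH section.
# Constructed example; usage: audit_sshd "$(cat /etc/ssh/sshd_config)"

# sshd_opt CONFIG KEY: print the effective value of KEY. sshd honours the
# FIRST uncommented occurrence, and directives under a Match block are
# conditional, so scanning stops at the first Match line.
sshd_opt() {
  printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == k       { print $2; exit }'
}

# audit_sshd CONFIG: print one FAIL line per non-compliant item; the return
# value is the number of failures (0 means compliant with the checked items).
audit_sshd() {
  cfg=$1; fails=0
  # Item 1: SSH-2 only. OpenSSH 7.6+ removed SSH-1 and the Protocol directive;
  # on older builds any Protocol value listing 1 is a failure.
  case "$(sshd_opt "$cfg" Protocol)" in
    *1*) echo "FAIL item 1: Protocol allows SSH-1"; fails=$((fails+1)) ;;
  esac
  # Item 3: passwords off globally; admin exceptions belong in a Match block.
  if [ "$(sshd_opt "$cfg" PasswordAuthentication)" != no ]; then
    echo "FAIL item 3: PasswordAuthentication must be 'no'"; fails=$((fails+1))
  fi
  # Item 5: root only with keys, or not at all. An explicit value is required
  # so the intent is visible even where the build's default already complies.
  case "$(sshd_opt "$cfg" PermitRootLogin)" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL item 5: PermitRootLogin must be 'no' or 'prohibit-password'"
       fails=$((fails+1)) ;;
  esac
  # Item 6: restrict who may log in at all.
  if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
    echo "FAIL item 6: set AllowUsers or AllowGroups"; fails=$((fails+1))
  fi
  return "$fails"
}

# Constructed sample configurations (not taken from any real host).
BAD_CFG='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'
GOOD_CFG='PermitRootLogin prohibit-password
PasswordAuthentication no
AllowGroups ssh-users sysadmins
Match Group sysadmins
    PasswordAuthentication yes'
```

Running `audit_sshd "$BAD_CFG"` reports all four checked items, while `audit_sshd "$GOOD_CFG"` reports nothing and returns 0 because the password exception lives inside a Match block rather than the global section.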
Remote Desktop (RDP)

Asset Administrators providing remote access via RDP must implement the following additional security:

  1. Only allow connections from trusted IP ranges by restricting TCP port 3389 to OU networks, and require users to connect to the OU VPN before using RDP.
  2. Monitor RDP clients for updates and releases, and install updates within thirty (30) days of release, when made available by the vendor.
  3. Regularly review RDP system logs in accordance with the System Logging Policy.
  4. Configure RDP to terminate sessions after sixty (60) minutes of inactivity.

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-3
  2. National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.1, 3.1.2, 3.1.15, 3.1.14, 3.1.18, 3.1.20, 3.13.9, 3.13.12
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(4), 164.308(b)(1), 164.312(a)(2), 164.310(b), 164.310(c)
  4. National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-17, AC-19, AC-20
  5. Payment Card Industry (PCI) Data Security Standards 2.3, 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9, 12.3.10
  6. Gramm-Leach-Bliley Act (GLBA)
  7. Remote Access Policy
  8. Encryption Standard
  9. Firewall Management Standard
  10. System Logging Policy
  11. End User Device Security Policy

Revision, Review, and Approval History

  • September 2023: OU IT Governance, Risk, and Compliance revised policy.  Opened for comments.
  • November 2023: Comment period closed.
  • January 2024: Faculty and Staff Research Advisory Committee review.  Comments submitted.
  • April 2024: OU IT Governance, Risk, and Compliance revised policy.

Details

Article ID: 3050
Created: Tue 8/29/23 10:02 AM
Modified: Tue 4/30/24 8:54 AM