MCSS Compliance Notes: Windows
The Ohio State University requires all devices connecting to university network resources to be compliant with the Minimum Computer Security Standard (MCSS) document, which can be found at:
http://buckeyesecure.osu.edu/Policy/MCSS
The MCSS consists of four components:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
2. Current operating system and application software with current security patches must be installed.
3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
There are other important aspects of the MCSS policy, so it is important to read the full document. These notes can be used with Windows to become MCSS compliant, provided that:
· All the commands execute correctly on any specific installation of Windows.
· All of the steps in this document are followed exactly.
Any deviations from these steps or changes with respect to the software installed need to be discussed with CSE staff members before a device can be certified as MCSS compliant. Any attempts to circumvent MCSS compliance will result in disconnection from the CSE network until the device in question can be brought back into compliance.
These instructions show screenshots from a Windows XP Professional client. Depending on the version of Windows, the steps may range from very similar (as in Windows 2000) to quite different (as in Vista). Most machines in the research environment are Windows XP Professional or 2000, and these instructions should be applicable. Windows Vista users can contact CSE staff if they need help following the same steps. The concepts are similar in all Windows-based operating systems that can join a domain.
These instructions will not work for systems that are behind a NAT gateway. If you are not directly connected to the CSE research network (if your machine IP address does not start with 164.107), then contact CSE computing staff so that we are aware of the situation and can help you become compliant.
The first step is getting the Windows system up-to-date with current Windows patches. Click Start --> All Programs --> Windows Update to run Windows updates. Install any pending Windows updates before proceeding.
The second step is to join the Windows machine to the RESEARCH domain. If you are currently joined to a domain or running a Windows server that is acting as a domain controller, contact CSE staff about getting your server MCSS compliant. These instructions are for Windows-based client systems. It is possible to determine if a Windows system is part of a domain by following the first step in joining the RESEARCH domain described below.
To join the machine to the RESEARCH domain, navigate through Start --> Control Panel, double click the System icon, and click on the Computer Name tab as shown below:

This window should show the machine as being a member of a workgroup (probably not “TEST” as shown above), but not a member of a domain. If the “Workgroup:” line is missing on the Computer Name tab and is replaced with a “Domain:” line instead, the machine is already joined to a domain and should not be joined to the RESEARCH domain. If the machine is not in a domain currently, click the “Change…” button to join the machine to the RESEARCH domain. In the resulting Computer Name Changes window, click the “Domain:” radio button and enter “research.cse.ohio-state.edu” in the corresponding text field as shown below:

Note that the “Computer name:” value should be the hostname assigned to the Windows system in the CSE DNS space. It is possible to determine the proper hostname for the system by running the following ipconfig and nslookup commands:
Z:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : cse.ohio-state.edu
IPv4 Address. . . . . . . . . . . : 164.107.120.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 164.107.120.1
Z:\>nslookup 164.107.120.111
Server: cs2.cse.ohio-state.edu
Address: 164.107.112.76:53
Name: pc-dl887r.cse.ohio-state.edu
Address: 164.107.120.111
Here I’ve determined that the CSE IP address of this machine is 164.107.120.111 (all CSE addresses use 164.107.<octet>.<octet> as the IP address). The nslookup on that address gives the real CSE DNS hostname, pc-dl887r. Use the short hostname, without the cse.ohio-state.edu domain part, rather than the fully qualified hostname. If your IP address does not start with 164.107, you are probably behind a NAT device. Cancel out of this procedure and contact CSE computing staff if the system is behind a NAT device. It is possible to have multiple network interfaces. As long as one is connected to the CSE research network, this procedure should work. Click the “OK” button on the Computer Name Changes window to complete the process. An authentication dialog box will appear. Use the username “research\join” and the password “joinresearch” as shown below to complete joining the RESEARCH domain:

This step will require rebooting the Windows machine to complete. Click the “OK” button on the final dialog box and the “OK” button on the Computer Name Changes window to complete this step:

At this point, the Windows machine should reboot. Be sure to reboot before proceeding.
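The checks this procedure asks for before the join (workgroup or domain membership, a 164.107 address, and the short hostname from a reverse lookup) can be collected in one pass. The following is an added example, not part of the original instructions or CSE's own tooling; the function name Get-CseJoinInfo is hypothetical, and it assumes Windows 8 / Server 2012 or later, where Get-CimInstance and Resolve-DnsName are available.

```powershell
# Added example: pre-join checks for the RESEARCH domain procedure.
# Assumes Windows 8 / Server 2012 or later (Get-CimInstance, Resolve-DnsName).
function Get-CseJoinInfo {
    param(
        [string]$Prefix = '164.107.',             # CSE address prefix (from this document)
        [string]$Suffix = '.cse.ohio-state.edu'   # CSE DNS domain (from this document)
    )

    # Same information as the Computer Name tab: workgroup or domain member?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Collect addresses from every enabled interface; one CSE address is enough.
    $cseIp = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -like "$Prefix*" } |
        Select-Object -First 1

    # Reverse lookup against DNS only, so the answer is the name assigned in
    # CSE DNS and not the machine's current local computer name.
    $fqdn = $null
    if ($cseIp) {
        try {
            $fqdn = Resolve-DnsName -Name $cseIp -Type PTR -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'PTR' } |
                Select-Object -First 1 -ExpandProperty NameHost
        } catch {
            Write-Warning "No PTR record found for ${cseIp}: $($_.Exception.Message)"
        }
    }

    # Short hostname = FQDN minus the CSE domain part.
    $short = $null
    if ($fqdn) { $fqdn = $fqdn.TrimEnd('.') }
    if ($fqdn -and $fqdn.ToLower().EndsWith($Suffix)) {
        $short = $fqdn.Substring(0, $fqdn.Length - $Suffix.Length)
    }

    [pscustomobject]@{
        AlreadyInDomain = [bool]$cs.PartOfDomain
        CurrentDomain   = $cs.Domain          # workgroup name when not domain-joined
        CseAddress      = $cseIp              # $null suggests NAT or no CSE link
        ShortHostname   = $short              # value for the "Computer name:" field
        ReadyToJoin     = [bool]((-not $cs.PartOfDomain) -and $cseIp -and $short)
    }
}

Get-CseJoinInfo | Format-List
```

If AlreadyInDomain is true or CseAddress is empty, stop and contact CSE computing staff as described above.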
Due to the Group Policy settings in the RESEARCH domain, the system will prompt for a password on the next login. If you were using an account with no password, simply make sure the username you were using is in the login box after pressing Control-Alt-Delete to log in (this is the default behavior). Once logged in, press Control-Alt-Delete again and click the “Change Password…” button. Leave the “Old Password:” text field empty and enter a new password in the “New Password:” and “Confirm New Password:” text fields. The password must meet RESEARCH domain Group Policy robustness settings to be accepted. Once an appropriate password is entered, click the “OK” button. When finished, click the “Cancel” button to exit the Control-Alt-Delete options window. This step is required. All normal user accounts must have a password that meets these requirements. See the Authentication Controls section for more details.
The firewall settings are enforced using Group Policy as part of being on the RESEARCH domain. There are some default settings and the firewall will be enabled at all times. It is possible to add any necessary exceptions in addition to the default policy exceptions already in place through Group Policy.
Windows update settings are enforced using Group Policy as part of being on the RESEARCH domain. The settings point the system to the CSE Windows Server Update Services (WSUS) setup. Updates can come from the CSE WSUS server or Microsoft’s update service as well, but by default the systems will point to the CSE WSUS server for automatic notification. For desktop systems that are continually connected to the CSE network, a policy similar to the current CSE instructional desktops will be employed. There will be a period of time where update notification will give users the opportunity to install approved updates, but every week at 5:00am Friday morning, the system will automatically install any pending updates that have not been installed yet and reboot the system if required. Research laptops will be configured to only prompt for update installation at this time.
This step will install two anti-malware products: McAfee and Sunbelt CounterSpy. McAfee is provided for free by OSU. Sunbelt CounterSpy is an additional anti-malware product we’ve licensed to aid in detecting malware. Despite the name, it is not a “spy” program to track what users do, but rather a product that aids in countering malware that does that sort of thing to users. It is highly recommended that any existing anti-malware products be uninstalled before proceeding, although it should be possible to have multiple anti-malware solutions in place in most instances. If uninstalling cannot be done or is not desirable for some reason, contact CSE computing staff to discuss the issue in order to ensure the device is MCSS compliant. If McAfee is already installed, the procedure should ask for it to be uninstalled first unless it is already the current version. In any case, it is probably best to just uninstall whatever is there first to avoid any potential issues.
Once the current anti-malware software has been uninstalled if necessary, open an explorer window by clicking on Start --> My Computer and entering “\\rsdc1.research.cse.ohio-state.edu\software” in the “Address” text field at the top as shown below:

An authentication dialog box will appear. Enter the username “research\join” and the password “joinresearch” to gain access to the share. Once the share opens in the explorer window, double click on the MCSS.bat file shown below:

A security warning dialog box may appear as shown below:

Click the “Run” button to proceed. This may happen more than once when the software is installed. In every case, click the “Run” button to proceed. The MCSS.bat batch script will open a new command window and echo output while it installs McAfee and CounterSpy as shown below:

This command window can take some time to complete. Do not close this command window. Let it close itself, even if it takes a while to run. Once it closes, the anti-malware products should be installed. If there are any warnings or error messages, contact CSE computing staff for assistance. Reboot the system after the command window exits to ensure the anti-malware software restarts properly.
Proper authentication control settings are enforced using Group Policy as part of being on the RESEARCH domain. These should be fine by default, but do not do any of the following:
· Create an account with no password.
    o All normal user accounts must have a robust password.
· Create an account with a weak password.
    o Group Policy enforces password robustness.
· Configure the system to automatically log in any account.
    o Group Policy does not allow automatic logins.
The user accounts on the system will still be local accounts, just as they were originally. Joining the RESEARCH domain is not really about account management. It concerns making sure the proper Group Policy exists for the machine in order to ensure MCSS compliance. Once joined to the RESEARCH domain, logging into the system should work exactly as it did before being on the domain, except that passwords will be required if they were not used before. Most systems I’ve seen are already using passwords. This works even if the system cannot contact the RESEARCH domain controller. There is a RESEARCH domain account with administrative access on the local machine that CSE staff can use to gain administrative access on any Windows system on the RESEARCH domain. This is required for any MCSS compliance auditing CSE staff will have to do periodically. We won’t use this to access systems in other ways or generally administer research Windows desktops in ways not related to MCSS compliance settings.
Once all of the steps in this document have been followed, contact the CSE computing staff by sending a help request to help@cse.ohio-state.edu indicating that you need to have your Windows system certified for MCSS compliance. Someone will come to your machine and verify everything is working and certify the system as MCSS compliant.