Research computing standard desktop requirements


  1. Computers are standard hardware purchased through the TSC.
  2. Computers use the standard UVic operating system images available through the TSC.
  3. Computers involving sensitive research information must run Windows 10.
  4. Computers (Windows and Mac) are bound to the UVic Active Directory domain and placed in the departmental AD Organizational Unit (e.g. UVIC\<DepartmentCode>).
  5. Standard UVic workstation AD Group Policies (GPOs) are applied.
    • [DEPT] Specific Settings (assign local admins, map drives, add printers, etc.)
    • ACSV AppLocker Protection (latest)
    • ACSV Map Personal Home File Storage H:\ (latest)
    • ACSV Windows 10 General Use (latest) – all computers
    • ACSV Windows 10 General Use – Workstations (latest) – as applicable
    • ACSV Windows 10 General Use – Mobile (latest) – as applicable
  6. Operating system updates are automatically applied in a timely fashion as they become available.
  7. Security-related software updates are applied in a timely fashion as they become available. Such software may include but is not limited to Adobe Flash, Adobe Reader, Java, web browsers (Firefox, Chrome), Microsoft Office.
  8. All computers have centrally managed Symantec Endpoint Protection (SEP) installed.
  9. All computers have BitLocker or FileVault full disk encryption enabled. BitLocker keys are stored/escrowed centrally in UVic Active Directory. (Note: this is achieved using standard GPOs listed above.)
  10. Logins to the computers are restricted to authorized users only (e.g., just the users in the department, or just the particular research group).
  11. Folder Redirection (Windows) is configured to ensure users’ Documents, Desktop, and IE folders are redirected to personal home folders rather than being stored on the local desktop.
  12. All Departmental data and research data is stored on Enterprise File Services and not stored locally on workstations or external hard drives.
  13. Computers use centrally-supported AppLocker policies to prevent the execution of unauthorized/malicious software.
  14. Users log into desktops using standard, non-privileged accounts. Users do not have accounts with administrative or super user access on local desktops, laptops, and workstations.
  15. All local administrator accounts are disabled.
  16. Users log on to departmental computers using their NetlinkID and password.
  17. Users are restricted from installing their own software.
  18. UEFI secure boot is enabled.
  19. All VLANs have ACLs using standard NETS ACL includes, with a default-deny policy.
  20. Permissions for files/folders/shares containing departmental and research data are managed in accordance with least-privilege and need-to-know principles, and permissions are audited regularly.
  21. Remote access to departmental and research data and computers is permitted through UVic VPN only, occurs only from supported workstations, and is restricted to legitimate business need.
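
Several of the items above can be verified locally on a Windows 10 workstation. The following read-only audit of items 4, 9, 13, 15 and 18 is an added example, not a UVic or TSC script; the function name `Test-DesktopBaseline` is hypothetical, and it assumes an elevated PowerShell session with the built-in BitLocker, AppLocker, LocalAccounts and SecureBoot modules available. It does not check which GPOs are applied, the SEP client, or key escrow.

```powershell
# Added example: read-only audit of baseline items 4, 9, 13, 15 and 18.
# Run in an elevated PowerShell session on the Windows 10 workstation.
function Test-DesktopBaseline {   # hypothetical name, not a UVic tool
    $r = [ordered]@{}

    # Item 4: machine is joined to an Active Directory domain.
    $r['4 Domain joined'] = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # Item 9: BitLocker protection is on for the OS volume.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r['9 BitLocker on OS volume'] = ($vol.ProtectionStatus -eq 'On')
    } catch { $r['9 BitLocker on OS volume'] = $false }

    # Item 13: the effective AppLocker policy enforces at least one rule
    # collection (AuditOnly or NotConfigured collections block nothing).
    $r['13 AppLocker enforced'] = $false
    try {
        $pol = Get-AppLockerPolicy -Effective -ErrorAction Stop
        foreach ($c in $pol.RuleCollections) {
            if ($c.EnforcementMode -eq 'Enabled') { $r['13 AppLocker enforced'] = $true }
        }
    } catch { $r['13 AppLocker enforced'] = $false }

    # Item 15: no enabled local account is in the built-in Administrators
    # group (well-known SID S-1-5-32-544). Domain principals are not counted.
    try {
        $enabledAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Where-Object { $_.PrincipalSource -eq 'Local' } |
            ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
            Where-Object { $_.Enabled })
        $r['15 Local admin accounts disabled'] = ($enabledAdmins.Count -eq 0)
    } catch { $r['15 Local admin accounts disabled'] = $false }

    # Item 18: UEFI Secure Boot is on. The cmdlet throws on legacy BIOS
    # systems and in non-elevated sessions; both are reported as a failure.
    try { $r['18 Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r['18 Secure Boot enabled'] = $false }

    # One object per check so the result can be filtered or exported.
    foreach ($k in $r.Keys) { [pscustomobject]@{ Check = $k; Pass = $r[$k] } }
}

Test-DesktopBaseline | Format-Table -AutoSize
```

A check that cannot be evaluated (missing module, non-elevated session) is reported as a failure rather than skipped, so a `False` result should be confirmed before it is treated as a policy violation.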