University of Washington Computer Science & Engineering
 PROPOSED User Run Services

User Run Services

D R A F T

Ver 1 – EL: 28-apr

Our current policy regarding user-run services is pretty simple: "If you're not using it, turn it off." But that no longer suffices, so at the 4/26/05 Lab Meeting, we addressed three issues:

  1. We decided to refine the policy.
  2. We decided that user-run services should be totally prohibited on shared machines, and certain services should be prohibited on all machines. As always, exceptions will be considered.
  3. We need to figure out what to do about detection and enforcement.

This document is a first draft of a revised policy statement about User Run Services, to address the first two points. Comments are welcome!

We still need to address the detection/enforcement issue.

User-run services can have clear educational and research benefits, and you are not prohibited from running them. However, they also present two serious problems: it is relatively easy to create bugs that result in disruption of services to others if run on a time-shared system, and they can present a security threat to the machine they are running on or to other machines on the network. So all CSE users must abide by the following rules, which apply to any machine connected to the CSE network (including wireless).

  1. Do not run a persistent service on a shared machine. When you log off, so must your service; background/disconnected operation is not permitted.

  2. You may run a service on your desktop machine, or on a research-owned machine, but you are responsible for security and any resulting intrusions, just as if you were the administrator of that system. Your responsibilities include, but are not necessarily limited to, those described for System Administrators and Application Developers in the C&C Security Responsibilities document.

  3. If you do run a service on your machine, you and it must adhere to the UW Minimum Computer Security Standards (see excerpt below). And you must take precautions to write your program and operate your service in a secure fashion (see next section).

  4. You may not run any of the following services on any machine on the CSE network:

    • SMTP
    • ftp
    • telnet
    • finger
    • IMAP
    • POP, POP3
    • news

  5. Any exceptions must be approved in advance by the CS Lab Director.

UW Security Policies & Minimum Security Standards

The University has adopted a set of Minimum Computer Security Standards. By running a service on some machine, you are a de facto administrator of that service, and these standards apply to YOU. Section 2.1 of those standards contains the following as part of the baseline of "necessary practices":

Disable and/or block all unnecessary network services. For servers, only allow incoming or outgoing traffic essential for the purpose of the server. For desktop or laptop computers: block unsolicited incoming connections by means of host firewall or equivalent network access restrictions.

You should review the C&C page on Computing Security, in particular the section on "Additional safeguards", which describes ways to protect web servers and how to write secure programs.


Last Updated: 4/28/05


[comments to CS Lab Director]