
Access Control & VPN

Risk

Unauthorized access to systems ultimately leads to unauthorized access to data and information or unauthorized use of systems.

Impact

A data or information breach may result in the unauthorized disclosure of personally identifiable information, leaving the University exposed to the repercussions of FIPPA, PHIPA or PCI compliance violations.

Controls

Authentication to systems is always controllable using username and password combinations.  Where appropriate, access to systems should require two-factor authentication.  Two-factor authentication requires users to provide their username and password as well as one additional piece of information when authenticating to a system.  The secondary piece of information may be a challenge-response to a pre-configured personal question or a code from a key-fob.  Note that a personal question is a second thing the user knows, so it gives weaker protection than a code from a key-fob or authenticator app, which proves the user has something an attacker who stole the password does not.

Authorization to perform actions on systems, data or information should always be granted using the principle of least privilege.  The principle of least privilege ensures that users have access to the services and information that they require to do their job, and nothing more.

Accounting is a valuable tool for monitoring access to resources.  Logging both successful and unsuccessful access attempts, together with the account and source address used, will help an administrator identify when unauthorized or inappropriate access has occurred; a success that follows a run of failures from the same source is the pattern most worth looking for.

Recommendations

Control physical access...

  • Restrict physical access to the server using appropriate door locks; swipe card access is preferred
  • Physical access should be granted using the principle of least privilege and authority

Control local access...

  • Local user access attempts, successful or failed, should be logged
  • Use a strong password or passphrase to protect administrator accounts
  • Two factor authentication should be used where appropriate
  • Disable and/or rename default administrator accounts
  • Disable, rename or delete unnecessary default accounts, including but not limited to operating system accounts, remote access accounts, application management accounts, service accounts
  • System BIOS and UEFI interfaces should be password protected; default passwords should be changed
  • Local access should be granted using the principle of least privilege and authority*

Control remote access...

  • Remote user access attempts, successful or failed, should be logged
  • Disable all unencrypted management interfaces (telnet, http, etc.)
  • Restrict access to management interfaces using local access control list(s)
  • Connections to management interfaces from outside of the McMaster University network should always be made through the Virtual Private Network (VPN)
  • Two factor authentication should be used where appropriate
  • Remote access should be granted using the principle of least privilege and authority*
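The remote-access bullets above expressed as a host firewall policy. This is an added example, not a UTS configuration: the 192.0.2.0/24 (campus) and 198.51.100.0/24 (VPN pool) prefixes are placeholder documentation ranges, not McMaster's real allocations, and ports 22 and 443 are assumed to be the host's SSH and HTTPS management interfaces.

```nftables
#!/usr/sbin/nft -f
# Added example: management-interface access policy for one server.
# Address ranges below are placeholders (RFC 5737 documentation prefixes).
flush ruleset

table inet mgmt {
    set campus_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }       # assumed campus range
    }
    set vpn_pool {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }    # assumed VPN client pool
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Unencrypted management interfaces (telnet, http): always refused and logged
        tcp dport { 23, 80 } log prefix "mgmt-cleartext-denied " drop

        # Encrypted management interfaces: campus or VPN sources only, every attempt logged
        ip saddr @campus_nets tcp dport { 22, 443 } log prefix "mgmt-accept " accept
        ip saddr @vpn_pool    tcp dport { 22, 443 } log prefix "mgmt-accept " accept

        # Any other source reaching a management port is logged and dropped
        tcp dport { 22, 443 } log prefix "mgmt-denied " drop
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`. The policy covers management ports only; any public service the host offers needs its own accept rule, and if the host also serves public HTTPS, bind the management interface to a dedicated port or address so the campus/VPN restriction does not cut off public users. The `log prefix` strings are what makes the "remote user access attempts, successful or failed, should be logged" bullet verifiable in the kernel log.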

Control network access...

  • Network access attempts, successful or failed, should be logged
  • Access to applications and services should be restricted to only those that require access
  • Two factor authentication should be used where appropriate
  • Network access should be granted using the principle of least privilege and authority*
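The accounting control and the "access attempts, successful or failed, should be logged" bullets under local, remote and network access describe what the logs are for but not how to read them. The following is an added example, not UTS code, that applies those bullets to an OpenSSH auth log: it counts failures per source, flags a success that follows repeated failures, and flags successful logins from addresses that are neither on the campus network nor in the VPN pool (the "connections from outside the University network should be made through the VPN" rule). The log lines are constructed, and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are placeholders, not McMaster's real ranges.

```python
"""Summarise sshd access attempts and flag suspicious access (added example).

The sample log and the address ranges below are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

# Assumed address ranges (placeholders); replace with the real campus and VPN prefixes.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
VPN_POOL = [ipaddress.ip_network("198.51.100.0/24")]
FAILURE_THRESHOLD = 3  # failed attempts from one source before it is flagged

# Matches OpenSSH lines such as
#   "Accepted publickey for alice from 192.0.2.17 port 40022 ssh2"
#   "Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample auth.log excerpt
SAMPLE_LOG = """\
Mar 14 09:12:01 srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 14 09:12:03 srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 14 09:12:05 srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar 14 09:12:09 srv01 sshd[2201]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar 14 09:15:22 srv01 sshd[2310]: Accepted publickey for alice from 192.0.2.17 port 40022 ssh2
Mar 14 09:16:40 srv01 sshd[2315]: Failed password for alice from 192.0.2.17 port 40030 ssh2
Mar 14 09:20:01 srv01 sshd[2320]: Accepted publickey for bob from 198.51.100.9 port 33000 ssh2
"""


def parse_events(log_text):
    """Return (result, user, src) tuples for every sshd login attempt in the log."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append((m.group("result"), m.group("user"), m.group("src")))
    return events


def on_university_network(src):
    """True when the source address is on campus or inside the VPN client pool."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CAMPUS_NETS + VPN_POOL)


def analyse(log_text):
    """Return (failures per source, findings).

    Findings are (kind, src, user) tuples:
      repeated_failures      - a source reached FAILURE_THRESHOLD failed attempts
      success_after_failures - a login succeeded from a source already at the threshold
      off_network_login      - a login succeeded from outside campus and the VPN pool
    """
    failures = Counter()
    findings = []
    for result, user, src in parse_events(log_text):
        if result == "Failed":
            failures[src] += 1
            if failures[src] == FAILURE_THRESHOLD:
                findings.append(("repeated_failures", src, user))
        else:
            if failures[src] >= FAILURE_THRESHOLD:
                findings.append(("success_after_failures", src, user))
            if not on_university_network(src):
                findings.append(("off_network_login", src, user))
    return failures, findings


if __name__ == "__main__":
    counts, flagged = analyse(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} failed attempt(s)")
    for kind, src, user in flagged:
        print(f"{kind}: {user} from {src}")
```

On the sample log the off-campus source 203.0.113.45 is flagged three times (three failures, then a successful root login from the same address, which is also outside both allowed ranges), while alice's single failure on campus and bob's VPN login produce nothing. The same structure applies to any other service that logs success and failure with a source address; only the regular expression changes.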
