Net Use Policy
NetWare Administration and Security
July 27, 2005

I. Introduction

Ferris State University takes data security very seriously. The following standards have been developed to maintain NDS network security and protect the assets of the University.

II. Novell Network Directory Services (NDS) Administration

NetWare has various levels of authority for administration of the system. At Ferris State University, the system has been designed with two levels of administrative authority, and the persons who have this authority are called Tree Administrators.

Definitions & Responsibilities of Administrators

  1. Follow guidelines in the "Proper Use of Information Resources, Information Technology, and Networks Policy" Business Policy Letter 96:07
  2. Tree Administrator - The Tree Administrator manages and is responsible for the entire FSU NDS Tree, including its file systems. There will be up to three Tree Administrators. This group of three must:
    1. Be full-time, professional staff with at least one month of employment at the university.
    2. Consist of two individuals from IS&T, and one individual from one of the other three managing areas (ATS, SATS, & TAC).
    3. Be approved and reviewed annually by the Information Technology Managers and reviewed by the CTO.
    4. Be C.N.A. certified. Certification will be required for every other Novell product version used in production of FSU's Novell Services. Four 3-hour sessions of new version focus discussion will be required on alternate versions (minimum).
    5. At least one person from each of the managing areas will be included on tree organization and restructuring when needed.
  3. Sub-tree Administrator - Must be full-time, professional staff with at least one month of employment at the university. The Sub-tree Administrator manages all Organizational Units (OUs) supported by the technical areas. Except for Kendall College of Arts and Design, Sub-tree Administrators will be full-time or part-time adult employees of a department within IS&T. Technology Services managers or ATS, SATS, and TAC will determine the number and access levels of Sub-tree Administrators for their respective areas. A list of Sub-tree Administrators will be maintained by the Tree Administrators.
  4. Both Tree Administrators and Sub-tree Administrators are responsible for mutual communication concerning the operation of the Ferris State University NDS Tree.

III. Security Guidelines

    1. NDS ADMIN ID
      1. The ADMIN ID has the highest level of authority within the NDS Tree structure.
      2. The Director of Technical Services and the Data Security Officer will maintain knowledge of the password for the NDS ADMIN ID. This will be accomplished by delivery of the password by hand in a sealed envelope by an IST Tree administrator. This will assure availability and confidentiality of the password in the event a Tree Admin is unavailable and it is deemed necessary to modify objects at the O=organization level of the tree. The ADMIN ID password will only be made available to the Technical Managers.
      3. The ADMIN ID will be used in the case of an emergency and only when the Tree Administrator IDs cannot perform a specific function. At other times than "normal," such as late night emergencies, the Tree Administrators will change the password to perform the necessary work and notify the Director of Technical Services and Data Security Officer via a secure method of the new password.
      4. If the password for the ADMIN ID is changed or compromised, the Director of Technical Services and Data Security Officer will be notified. The Tree administrators will be responsible for establishing a new password.

    2. Tree Administrators

       Each of the Tree Administrators will have their own ID and password, with root access (i.e., Supervisor rights will be explicitly granted at the root; "Security Equal To" will not be used).

       These IDs need to be in a secure location in the tree.

    3. Sub-tree Administrators
      1. Each of the Sub-tree Administrators will have their own ID and password that will have supervisor rights explicitly granted ("Security Equal To" will not be used).
      2. Trustee assignments for each Sub-Tree Administrator (or group) will be granted at the technical area directory NDS parent structures. Those technicians who do not appear on the Sub-Tree Administrator list shall receive trustee assignments below this level.
    4. All NDS Tree and Sub-Tree administrative passwords must be:
      1. A minimum of eight characters in length
      2. Changed every 30 days
      3. Kept in a secure location
      4. Used only by the persons to whom they are assigned
    5. The NDS auditing function is important to ensure the security of the NDS system and will be activated wherever and whenever feasible.

IV. Change/Emergency Procedures

Updates and changes to all network servers and/or the NDS Structure must follow the approved Change Management Process.

    1. The Tree Administrator will monitor the operation of individual servers and Organizational Units, and if a server or Organizational Unit is disruptive to the stability of the network and/or the NDS Tree, the Tree Administrator will initiate corrective action. In the event that it is necessary for a Tree Administrator to make a change to an individual area, that Change Management process will include Sub-Tree administrators from affected areas as Peer Reviewers.
    2. Frequent communication between the Tree Administrator(s) and the Sub-Tree Administrator(s) concerning the modification and evolution of the NDS Tree must take place.
    3. Changes made between Organizational Units (e.g., granting rights outside an Organizational Unit) must be a joint effort between the areas involved.

V. NDS Remote Access

Remote access enables access to a file server from a remote location. In order to ensure appropriate use of this capability, the following guidelines must be followed.

    1. Remote access will be auto-loading on every server in the FSU NDS Tree.
    2. The Sub-Tree Administrators will maintain the passwords for Remote Access for each server according to the Security Guidelines for all passwords (see III. above). The Remote Access passwords will be made available to the Tree Administrators only, except in cases where non-Tree Administrators need access to the server console to support certain applications hosted by a particular Novell Server.

VI. Access to Student Accounts (STU.FSU)

Student network accounts on the NDS Tree have been designed to reside under a single Organizational Unit entitled STU. The following guidelines should be used to ensure the integrity and efficient operation of the STU.FSU Organizational Unit.

    1. The Sub-Tree Administrator(s) of the STU Organizational Unit will sanction creating, deleting, and moving accounts. Only the Sub-Tree Administrator(s) of the STU Organizational Unit will grant additional storage space for any IDs in the STU OU.