
POLICY ON COMPROMISED SERVERS

When a server has been compromised, the primary concern is to prevent the compromised machine from doing additional damage, either to its own system and files or to the rest of our network. The second priority, also urgent, is to restore the compromised machine to functionality in a timely manner.

The recommended procedure for dealing with a compromised system is:

    1. Determination that a server has been compromised ("hacked"):
      1. By the user:  Report the incident to the MSIS office if you believe that your system may have been hacked.  MSIS can implement additional monitoring of your system.
      2. By MSIS:  The School of Medicine network operator monitors the network for unusual network traffic that can indicate that a computer has been compromised. In the event that such behavior has been detected, MSIS will notify the responsible operator of the computer to discuss the problem.
    2. If the MSIS Network Supervisor determines that a computer has been compromised, he is empowered to disconnect the system from the network.
      1. Initially request that the system owner unplug or disable the network adaptor on the system.
      2. If the system owner is unreachable, block that system's network communications.  This can be done via firewall, router or physical disconnection from the network.
      3. If the owner is unresponsive, block the system's network communications.
    3. If applicable, back up important data.  The owner is responsible for system backups and MSIS cannot assure data protection.  MSIS will attempt to perform an emergency backup of the system.
    4. Reinstall the OS from original media.
    5. Change root password and all other user passwords.  This can be performed by the system owner with the assistance of MSIS.
    6. Apply security measures to prevent future break-ins.
    7. Rebuild or restore applications and data.
    8. When the MSIS Network Supervisor determines that the computer has been repaired, he will reconnect the system to the network.
    9. MSIS will attempt to assist in the installation of other applications but provides no guarantee of success.  It is highly recommended that the system owner maintain software support for any special applications.

Approved by the Faculty Information Technology Committee, January 8, 2002, and ratified by the Executive Committee of the Faculty Senate on January 10, 2002.