[ skip to content ]

More Information about this image

Handbook and paperwork for the newly hired.

Old Dominion University

Information Technology Standard

06.13.0 Desktop Management Standard

Date of Current Revision or Creation: December 1, 2022

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this compliance standard is to define the management of desktops on the University network, to enhance the desktop security, to safeguard the network against attack, and to establish a minimum set of standards for the management of University owned desktop computers.

  2. Definitions

    Cached Data is data that has been duplicated from the original and stored elsewhere for future use.

    Cached data is useful in lowering access time.

    Desktop environment is the term for the unifying concepts used by graphical user interfaces in operating systems. At ODU Microsoft Windows and Apple MacOS are the prominent operating environments and the University supported applications that reside in those environments.

    Mobile code is software obtained from remote systems, transferred across a network, and downloaded and executed on a local system without explicit installation or execution by the recipient.

    ITS is the acronym for the official name of Information Technology Services.

    Portable computers are any small portable mobile personal computer; including laptops, tablet PC's and notebooks.

    Virtual desktops are any Windows operating systems that are not installed on a physical desktop and accessible through the thin client computers or MoVE (Monarch Virtual Environment) at ODU

    Technical Support Professionals (TSPs) are University employees with daily operational responsibilities for the desktop system support and administration.

    User includes anyone who accesses and uses the Old Dominion University information technology resources.

  3. Standards Statement

    System Administration

    Technical Support Professionals (TSPs) and departmental system administrators must possess and maintain knowledge of practices and procedures in the range of systems and platforms, which they support. Support providers have a critical responsibility in minimizing risk to the desktop computing environment. System administrators and TSPs should work in cooperation with ITS Security Operations to foster secure practices and to respond to security events.

    Documentation

    System documentation is highly recommended for all centralized Windows based desktop system images. Systems should be configured and operated using documented procedures in a manner most effective to provide information security. Documentation should be current, maintained in a central location and accessible to staff. The level of documentation should be sufficient to:

    • Provide guidance to reestablish the environment in the event of a disaster.
    • Prevent a dependency on a single key staff member.
    • Provide serial numbers or license keys needed for installation and vendor support.
    • Test procedures to minimize downtime when changes occur.
    • Transmit knowledge to others.

    Operational audit logs should be configured and verified immediately on initial system setup. Audit logs are to be maintained on a best effort basis equivalent to 120 days. Wherever possible, controls and activity auditing should be implemented over the use of utility programs that may provide users the ability to override existing system and application controls.

    Controlling Access

    Access to some operating system commands (such as supervisory reset commands) is restricted to those who are authorized to perform systems administration / management functions. Such restrictions should normally be handled with group membership or a different technical control, such as requiring local administrative rights or using an access mechanism such as RunAs.

    Updates

    Operational changes (such as service packs, updates, fixes, patches, upgrades to software or operating systems) are to be tested for compatibility and released based on a schedule determined to be the least disruptive and most effective for the environment. Patches and updates are obtained only from reputable sources. Desktops should be maintained at appropriate security levels. Desktops should configured to utilize the centrally managed automatic updates service maintained by ITS or by the vendor. Updates provided on the ITS update service are authorized by the ITS Executive Director, Client Services.

    Hardening Operating Systems

    Desktop operating systems should be initially hardened before they are deployed and regularly monitored. Hardening standards for the Microsoft Windows 10 and macOS platform are established and available to system administrators.

    Physical Access

    Physical access to desktop systems should be limited. Lock and key mechanisms should be used wherever possible.

    Remote Access

    Remote access to desktop systems is limited to the device owner and is configured by the Desktop Support Group. Once enabled, users may connect to the device remotely while connected to the ODU VPN Service.

    Time-out and Screen Savers

    A time-out facility should be configured on all desktops to ensure that the screens are cleared and unauthorized access is prevented after a maximum time of inactivity. The recommended maximum idle time is 45 minutes. Screen savers should be password enabled. The installation of nonmanufacturer supplied screen savers is not recommended.

    Log-on and Password Protection

    Secure log-on procedures are implemented to ensure that access to operating systems and applications are securely maintained. Passwords may not be stored or transmitted in the clear. The highest feasible form of account/password credentials security shall be configured at the operating system level. Log-on requirements are provided below.

    • Do not display system, previous user, or application identifiers until the log-on process completed.
    • Warn that the computer should only be accessed by authorized users and that usage implies consent to monitoring.
    • Do not provide help messages that leak information during the log-on procedure through a prompt or a customized desktop background image. Validate the log-on information only on completion of all input data against a reliable information source.
    • Do not display the password being entered.
    • Do not transmit passwords in clear text, rather opting for 128 bit or higher encryption using a well established encryption methodology.
    • Users should always screen lock their systems or logoff when they will be away from the computer for an extended period (greater than 10 minutes).
    • Users should logoff or lock their system at the end of the work day

    Mobile Code Control

    Mobile code can be used to send malicious code by the Internet and safeguards must be implemented. Users are required to have the current University approved antivirus software or endpoint protection installed and enabled. Web browsers should not be configured for a "low" security setting for other than trusted (known) web sites. Web browsers should be configured only to accept code that comes from a reliable source, such as a digitally signed ActiveX control or a signed Java applet.

    Cached Data

    Cached data is to be deleted regularly to prevent misuse by possible unauthorized users. Users with access to confidential or sensitive data may be required to automatically configure cached data for automatic deletion. Microsoft OneDrive and Google Drive can be configured to make files available "On Demand" so as to minimize the presence of cached data on devices. Files can also be stored on ODU network share drives accessible via the ODU VPN service.

    Portable computers

    ODU owned portable computers are subject to the same management standards as desktop systems with the additional requirement for disk encryption service enabled by a University approved solution.

    Virtual Desktops

    The desktop support group makes available virtual desktops via the MoVE (Monarch Virtual Environment) for students and faculty and staff. Thin client computers for Faculty, Staff and Students and are subject to the same standards as desktop systems.

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

  5. History

    Date

    Responsible Party

    Action

    December 2006

    ITAC/CIO

    Created

    February 2007

    ITAC/CIO

    Reaffirmed

    February 2014

    IT Policy Office

    		 Minor rewording for clarity
    December 2017 IT Policy Office Minor rewording for clarity
    December 2020 IT Policy Office Minor rewording for clarity
    December 2022 IT Policy Office Minor rewording for clarity

Contact

IT Project Management

IT Project Management coordinates the efforts and resources of ODU ITS to produce effective, quality solutions for the University's students.

Student Computing

Faculty & Staff Computing

Site Navigation

Experience Guaranteed

Enhance your college career by gaining relevant experience with the skills and knowledge needed for your future career. Discover our experiential learning opportunities.

Academic Days

Picture yourself in the classroom, speak with professors in your major, and meet current students.

Upcoming Events

From sports games to concerts and lectures, join the ODU community at a variety of campus events.