Computing is one of many tools used at Fermilab. General policies, written and unwritten, that govern life at Fermilab apply equally to computing. For example, the same rules of ethical behavior apply regarding fraud, forgery, plagiarism, harassment and libel, whether computers are involved or not. However, the ability of modern computers and networks to manipulate, store, and broadcast information is so extraordinarily powerful that it changes many qualitative aspects of how we function in a research laboratory, often in dramatic ways.
Fermilab's Policy on Computing covers all Fermilab-owned computers and any computer, regardless of ownership, when it is connected to our network (and/or showing a Fermilab address). You are responsible for the actions of any person whom you permit to use Fermilab computing or network resources through an account assigned to you. Note that discrete electronic devices that are not on the general network are not considered to be computers nor governed by this policy document. Devices used in Safety Instrumented Systems are covered by requirements listed in the Fermilab Work Smart Standards.
Fermilab’s Computing Policy is a set of mandated user and system behaviors designed to:
- operate an effective and efficient computing and networking environment;
- maintain an open environment supporting global collaboration and innovation and free exchange of scientific information;
- guard the laboratory’s reputation and protect its computing systems, data, and operations against attacks and unauthorized use;
- ensure compliance with all applicable mandates, directives and legal requirements for computing.
The Computing Division has been assigned the responsibility for the laboratory’s computing and networking infrastructure. Complete details of the various policies can be found by following the appropriate links at https://security.fnal.gov/Policies which are maintained by the Computing Division.
Policies Governing Personal Conduct
All computer users are required to behave in a way that maintains the security of the laboratory computing environment. In particular, unauthorized attempts to gain computer access, to damage, alter, falsify, or delete data, to falsify either email or network address information, or to cause a denial of computing or network service are forbidden. Laboratory computers should only be used for laboratory business with exceptions made for limited incidental use consistent with the computing policy on prohibited activities.
The following activities and uses are explicitly NOT permitted:
- Legally prohibited activities;
- Activities that reasonably offend other employees, users, or outsiders, or result in public embarrassment to the laboratory;
- Activities in support of an ongoing private business;
- Uploading, downloading or viewing of sexually explicit material;
- Computer usage that is not specifically approved and which consumes amounts of computer resources not commensurate with its benefit to the laboratory’s mission or which interferes with the performance of an employee’s (or other computer user’s) assigned job responsibilities;
- Violation of license and other computer-related contract provisions, particularly those that expose the laboratory to significant legal costs or damages.
Not explicitly prohibited but likely to get you into immediate trouble through embarrassment to the laboratory are all activities on newsgroups, auctions, game sites, etc. that are not clearly Fermilab business, all such Internet activities that are in competitive and/or contentious environments (e.g., auctions, political news groups, etc.) and using your computer to act as a public server of music or other media unrelated to our mission.
Questions of proper or improper use of computers are normally management rather than computer security issues and should be handled in the normal course of supervisory oversight.
More details about the lab’s appropriate use policy can be found in the Guidelines for Incidental Computer Usage linked at https://security.fnal.gov/Policies/Guidelines.htm
You are required to immediately report any suspected computer security incidents to 630-840-2345, or, if immediate response is not required, to email@example.com. Fermilab Incident Response (FIR) investigates incidents. Incident Response may assume full administrative control of affected systems until the incident is resolved, call on other experts for priority assistance and direct local system managers’ response to the situation. Nothing must be done to the system before Incident Response has a chance to examine it. You must not disclose information regarding a computer security incident without authorization.
All users must comply with laboratory policies dealing with information categorization and protection, in particular with protecting personally identifiable information (PII). Details of these procedures are at https://security.fnal.gov/Policies/PII%20Procedures-final-clean.htm
Users (“data owners”) are responsible for determining what data requires protection and how their data is to be recovered if the online copy is destroyed (either by accidental or malicious damage). They may choose not to back up data, but if so they must make sure they know how to recreate the lost data if needed. If backup is necessary then the users must coordinate a backup plan. This may either be an individual backup done by the users themselves or coordinated with the system managers into a regular system backup plan.
All computer users must participate in periodic security training. System administrators will receive more advanced training.
Fermilab respects the privacy rights of all employees and visitors, and will not look at any individual’s private computer files without authorization from the lab director or designee except in a computer security emergency. Note that this policy does not apply to files in areas that formerly belonged to personnel who no longer maintain their previous association with the laboratory. In this case the file ownership is assigned to the person’s former supervisor for appropriate disposition. In addition, it should be remembered that by connecting any computer to the lab network or using the Fermilab assigned names or IP addresses, the individual has waived their privacy rights with respect to the Department of Energy (as stated in the logon banner present on all lab machines), and even personal or university owned machines are subject to confiscation in a DOE Inspector General investigation.
Policies Governing Computing Systems
All devices attached to the lab network must be registered and have a registered system administrator with an up-to-date email address. The system administrator is the individual responsible for applying security patches to the device and choosing system configuration.
Visitors will be given an opportunity to temporarily register their machines when they first request a DHCP address by connecting to the lab network. They will be granted access unless a critical vulnerability is detected on their computer (see https://security.fnal.gov/CriticalVuln/index.html). In that case they will need to physically take their machine to the help desk in Wilson Hall (where an offsite network connection is available to allow them to patch their machine) or mitigate the vulnerability in some other manner.
System owners are required to perform an annual risk assessment for their machines using the procedures documented at:
This task is ordinarily delegated to the primary system administrator and requires performing a security scan, verifying that all offered network services are necessary, and understanding the residual risk inherent in the system configuration.
Virus Protection, Patching and Configuration Management policy
All lab Windows computers or computers offering Windows file shares must have enabled virus scanning software and must have a plan for applying security patches and updating virus signatures. Machines in the Fermi Windows domain satisfy this requirement, as do those subscribing to one of the lab SMS servers; for other devices users must supply documentation of how this requirement is met. The full anti-virus policy is given at
Computing systems should be running recent and supported versions of operating systems, regardless of network connectivity, as specified in the lab configuration management policy and listed baseline configurations that can be viewed at:
It is recognized that in some circumstances it may be necessary to continue to run an obsolete operating system (for example, to avoid breaking software applications). In those cases the user of such systems must document the reasons why the system cannot be brought up to date and must document how the system is protected to provide the same level of security as provided in baseline configurations. In addition, certain services (such as web servers) cannot be offered on such obsolete systems.
The Fermilab Computer Security Coordinator (FCSC) may declare, when deemed necessary for protection of Fermilab computers and users, that certain configurations are considered to be a Critical Vulnerability. This designation and the corresponding corrective action will be publicized widely in email and at the link below. You are required to take immediate action to remove Critical Vulnerabilities from systems under your control. Failure to comply will result in the system being blocked from network access. The current list of critical vulnerabilities can be seen at:
It is expected that computer users will practice “least privilege required”, in particular only using administrative or root accounts for limited periods of time when conducting activities that require such privileges.
Services that would create a significant security risk or would interfere with the operation of site computing or networking infrastructure can only be operated by systems authorized by the Fermi Computer Security Coordinator (FCSC).
For example, the following network services may only be implemented by the Computing Division:
- Routing and bridging, unless exempted.
- Tunneling, except tunnels with a single source or destination for purposes of mobility or security.
- All forms of off-site network connection except modems.
- DHCP servers.
- Wireless access points.
- Assignment of IP host names and addresses. (Use of automatic configuration mechanisms provided by the lab networking, such as DHCP, is not restricted.)
- DNS zone mastering and all externally-reachable DNS service.
- NTP time service at stratum 1. (Stratum 2 server operation is discouraged.)
Specific waivers from these restrictions must be requested in writing to firstname.lastname@example.org and may be granted only by the network manager or the FCSC. Waivers granted to non-Fermilab employees require the concurrence of the CSExec.
The following services are also examples of restricted services. Exceptional approval for professionally managed workgroup-local implementation will be considered by the FCSC.
- Externally-reachable or onsite email servers, including SMTP, POP and IMAP.
- Kerberos key servers.
- Active Directory servers.
- VOMS, GUMS and SAZ servers.
Furthermore, externally visible web services, including project and personal web pages, should only be offered on one of the central lab web servers. If necessary, a user can request permission to run a private web server by use of the request form in the Service Desk Service Catalog.
This will require up-to-date security scans demonstrating that the proposed web server runs on a secure machine. Web traffic to other-than-registered servers will be blocked at the site border.
Externally visible Globus gateways must also be registered and approved before being put into operation, and will normally be restricted to the Open Science Enclave.
Care must be taken with web content on both private and central servers. Owners of web pages are responsible for any posted content, and are required to institute procedures (e.g. authentication) that will discourage posting of dangerous or embarrassing content. Use common sense in displaying links on pages with Fermilab addresses. Web crawlers (Yahoo, etc.) index all pages they can see. Even accidentally inappropriate wording may be indexed. You can direct web crawlers to ignore pages that you do not need to be found through search engines. See https://computing.fnal.gov/web/publish/access.html. Semi-official pages and pages intended for the public are required by the DOE to carry a notice. Include a link on each such page to https://www.fnal.gov/pub/disclaim.html
A complete current list of restricted services can be found at https://security.fnal.gov/Policies
All applications, other than those intended for the general public, must support appropriate levels of authentication and authorization. In particular, any systems allowing arbitrary program execution or data transfer require authentication consistent with computing authentication policy at https://security.fnal.gov/Policies/AuthenticationPolicy.htm, currently either a Kerberos principal (account) for use of general lab computing resources, or a PKI certificate for use of grid computing resources. You will need to understand how to authenticate yourself through proper use of your credentials before being able to use lab computers. The Authentication Policy document also gives the current lab regulations on use of passwords.
You must not allow anyone else to know or use your Kerberos password. Do not use your Kerberos password for other than Fermilab Kerberos. Do not transmit Kerberos passwords across the network. In the rare circumstances where transmitting a Kerberos password is necessary, it must be strongly encrypted. Never store Kerberos passwords (or the corresponding character strings) on a computer, encrypted or not.
Any remote login or general file transfer services in the General Science Enclave that are visible from outside the Fermilab network must be configured so as to require Kerberos authentication (or an exemption must be requested). See https://security.fnal.gov/StrongAuth for more details. Configuration rules for Kerberos-protected systems must not be circumvented. Similar services in the Open Science Enclave must be configured to require appropriate grid certificates.
Individuals who violate this policy will be denied access to laboratory computing and network facilities and may be subject to further disciplinary action depending on the severity of the offense.
Computing systems that have critical vulnerabilities, that exhibit unusual network behavior typical of hacking activity, or that are otherwise in violation of this policy will be blocked from network access until the condition is mitigated.
Employees and users of Fermilab computing are reminded that it is Fermilab policy to respect the intellectual property rights of others. This applies when computers are involved just as it does when computers are not involved. Fermilab expects license provisions to be followed.
It is Fermilab policy to avoid reliance on a computer as an essential element of any system that is necessary to protect people from serious harm, to protect the environment from significant impact, or to protect property the loss of which would have a serious impact on our mission. The use of computers for monitoring, data logging, and reporting is encouraged; however, computers used for these purposes must not be essential for protection. Contact the Fermilab Computer Security Executive for any variance.
Further details on the various policies referred to here can be seen by following the links at:
Mar 11, 2011