Using Unix at work as a Desktop


In the University we have a number of individuals who opt out of the standard Windows desktop supplied by the University and go for an alternative Unix derivative. This includes:

  • Linux – Ubuntu, Fedora, Red Hat Enterprise Linux Workstation, CentOS, Debian, Gentoo, etc…
  • BSD – Mac OS X, FreeBSD, NetBSD
  • Solaris – Solaris, OpenSolaris???

At ILRT it seems the most popular is Ubuntu.

(Un)Official Rules

Here are a few things to remember and the (un)official rules established by ILRT senior management and support personnel.

A desktop computer includes any type of computer that acts as a user interface to internal and external services, including:

  • Desktop computer or workstation
  • Laptop, notebook, palmtop.
  • Mobile phone, smart phone.

The desktop is still considered to be managed centrally, except that the rights of the individual are extended. Opting out of Windows does not exempt the individual from the University's security and computer use policies. If you have decided to extend your administrative rights over your machine, remember that with great power comes great responsibility! Please be aware of the central University policy on the use of desktops and of the investigative powers granted to administrative staff to make sure that these policies are complied with.

Policy

The following is an augmentation of central policy which has been set out for ILRT staff wishing to run Unix as a desktop:

  1. Administrative access must be given to a senior member of the ILRT technical support group. Normally this means adding a POSIX account and granting that user sudo rights.
  2. A network-based firewall (such as iptables/netfilter) must be configured and running at all times whilst the machine is connected to the network. All inbound access except the SSH TCP port and ICMP ping must be closed, and a default deny-all policy must be in place.
  3. Under no circumstances should any externally accessible network service (such as a web server or a Windows/Samba share) be enabled. Centrally maintained and allocated equipment should be used instead. Development instances can be run as long as the service is configured to listen on localhost only. Protecting such a service with a firewall alone is not adequate: these services should remain unreachable even if the firewall fails to run.
  4. All packages installed on the desktop OS must be monitored and maintained on a regular basis to ensure security patches are applied. We suggest that new updates be applied to the desktop at least once a week.
  5. No data containing personal or sensitive information, whether it belongs to the University or to a client for which the University is the designated Data Controller or Processor, should be stored on the computer. Centrally allocated equipment must be used instead. (If required, sensitive data can be excluded from central backups.)
  6. A centrally managed backup of the desktop must be taken on a daily basis. This is because in the past development took place on desktops, and on occasion work was lost when disks failed. This happens less often now but is still policy. Personal and/or sensitive data should be excluded from the backup where applicable, to avoid data protection issues.
  7. Authentication information should be maintained to a strong level. No user accounts for non-University staff should be added, and access to the desktop or the University network should not be granted without first consulting technical support staff.
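A concrete rendering of points 2 and 3, added here as an example rather than ILRT's own configuration: it assumes IPv4 iptables, SSH on tcp/22, outbound traffic left open, and the `ss -Hltn` output format (local address and port in column 4) for the listener audit.

```shell
#!/bin/sh
# Added example, not ILRT's own configuration. Assumes IPv4 iptables,
# SSH on tcp/22, outbound traffic left open, and "ss -Hltn" output
# (Local Address:Port in column 4) for the listener audit.

# Point 2: emit an inbound default-deny ruleset that admits only SSH
# and ICMP echo (ping). Printing rather than applying lets an admin
# review it first, then run:  firewall_rules | sudo sh
firewall_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Point 3: read listening TCP sockets on stdin (ss -Hltn format) and
# print every one bound to a non-loopback address other than sshd's
# port 22. Such a service would be reachable if the firewall ever
# failed to start. Exit status 1 if any were found, else 0.
audit_listeners() {
    awk '{
        at = match($4, /:[0-9]+$/)                   # split "addr:port"
        addr = substr($4, 1, at - 1)
        port = substr($4, at + 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
        if (port != "22" && addr != "127.0.0.1" && addr != "::1") {
            print $4; found = 1
        }
    } END { exit found ? 1 : 0 }'
}

# Constructed sample of "ss -Hltn" output: a dev server correctly on
# loopback, a database on ::1, sshd (allowed), and two services
# exposed on all interfaces that violate point 3.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 *:8080 *:*'

# Live use on the desktop:  ss -Hltn | audit_listeners
```

Run against the constructed sample, the audit reports `0.0.0.0:80` and `*:8080` and exits non-zero; the loopback-bound services and sshd pass.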

The Future

Consideration is being given to managing all Unix desktops centrally, as Windows desktops are now. This may make things easier for the user, in that they will not need to worry about points 1, 2, 4, 6 and 7 above, as these will be configured automatically. Further restrictions, such as not being able to install software freely, may be felt to hinder usage. These points will be discussed in full with the ILRT Infrastructure Group, ILRT senior management and central security personnel before anything is implemented.