Enterprise IT Standards and Procedures
Technology Management Standards
Policy: Technology Management Policy
Document: Technology Management Standards
Campus: MSU Bozeman
Revision: 1.3
Contact: Ryan Knutson, Chief Information Officer
rknutson@montana.edu
These Standards establish minimum guidelines for management of devices connecting to MSU’s network as outlined in the University Technology Management Policy (http://www.montana.edu/policy/enterprise_it/technology_management.html).
Operating System Requirements
Devices connecting to the University network must be using a supported operating system for which security updates are still being released by the manufacturer.
Examples of where information on supported Macintosh, Microsoft, Linux and other server operating systems can be found are listed below:
• Apple: https://support.apple.com/en-us/HT201222
• Windows: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
• RHEL: https://access.redhat.com/support/policy/updates/errata
Software Maintenance Requirements
Software installed on University computers or attaching to the University wired or wireless network should be up to date with vendor-supported patches.
Examples of where information on supported software can be found are listed below:
• Microsoft: https://support.microsoft.com/en-us/lifecycle/selectindex
• Java: http://www.oracle.com/technetwork/java/eol-135779.html
• Adobe: https://helpx.adobe.com/support/programs/eol-matrix.html
• Red Hat: https://access.redhat.com/support/policy/update_policies
Desktop/Laptop/Workstation Requirements
The following requirements apply to all MSU-owned desktop, laptop, and workstation computers.
- All Operating Systems
  - New devices must be configured by UIT or an approved delegate thereof.
  - OS and application patches must be managed by UIT.
  - Computers may be restarted during defined weekly maintenance windows (Thursday mornings).
  - All installed applications are subject to UIT approval, and must be supported by the vendor and receive updates.
  - Computer hardware must be supported for firmware security updates.
  - Primary long-term storage of most university data is not permitted on endpoint computers. See https://www.montana.edu/uit/file-storage/security-grid.html for approved storage locations.
  - Least privilege is applied to all devices. UIT reserves the right to limit administrative activity on university-owned equipment.
- Windows Computers
  - Must run an MSU-supported Windows Enterprise OS for which patches are regularly released.
  - Must be joined to MSU Active Directory and use university-assigned user credentials.
  - The following software must be installed:
    - System management: Ivanti
    - MFA: Duo RDP
    - Antivirus: Microsoft Defender for Endpoint (MDE) for Windows
    - Remote support: Beyond Trust Jump Client for Windows
- MacOS Computers
  - Must run an MSU-supported MacOS for which patches are regularly released.
  - The following software must be installed:
    - System management: JAMF
    - Antivirus: Microsoft Defender for Endpoint (MDE) for Mac
    - Remote support: Beyond Trust Jump Client for MacOS
- Linux Computers
  Note: UIT’s technical support for Linux operating systems will be on a best-effort basis and may be limited.
  - Must run an MSU-supported version of Ubuntu, Fedora, Rocky, or Alma Linux operating system for which patches are regularly released.
  - Must be joined to MSU LDAP or Active Directory and use university-assigned user credentials.
  - The following software must be installed:
    - System management: Puppet
    - MFA: Duo Unix for SSH
    - Antivirus: Microsoft Defender for Endpoint (MDE) for Linux
    - Remote support: Beyond Trust Jump Client for Linux
- Devices that do not meet these standards are subject to being removed and blocked from MSU Networks.
- Exceptions to these requirements may be approved on a case-by-case basis by the CIO or a designated delegate thereof.
Server Requirements
The following requirements apply to all MSU servers including production, test, development, and research servers:
• Must be managed by UIT system administrators
• Must be hosted in UIT datacenters or on UIT approved cloud services
• Must run a supported OS for which patches are regularly released
• All installed applications must be supported and regularly patched
• Where compatible, the following software must be installed:
  - Microsoft Advanced Threat Protection
  - Duo RDP/SSH
  - Qualys
• Updates and vulnerability mitigations must be applied in accordance with the vulnerability management standards
• Must be entered in the MSU Server Inventory system
• The following access controls must be implemented and maintained:
  - Minimally permissive host firewalls
  - Remote access restricted to appropriate VPNs
  - Duo MFA protection (may be exempted on a case-by-case basis by UIT Security)
  - Login restricted to appropriate tier(s), per MSU’s tiered access model
  - LogRhythm access to system logs
• Where compatible, production MSU servers are to be backed up with a UIT approved backup protocol
• Server hardware must be supported for firmware security updates
• Any storage of controlled or restricted information such as PII, CUI, etc. must be approved by UIT and managed in accordance with the applicable additional standards
• The purchase of any new servers or server applications must be approved by UIT
• When a server is decommissioned, data must be securely erased per DOD standards (physical systems) or properly deleted (virtual systems) and the system must be removed from or marked as decommissioned in all relevant integrations and documentation (firewall exceptions, server inventory, DNS, Qualys, etc.)
• Exceptions to these requirements may be approved on a case-by-case basis by the VP/CIO or a designated delegate thereof
