Operating Systems Support Policy

Revised: 28-February-2007


Goals

The Operating Systems Support Policy defines a set of standards that balances software and hardware choices with the costs involved in the administration of those choices, and with the security requirements of the division and organization.

This policy makes references to the terms "Primary Systems Administrator" and "Responsible Systems Administrator" defined by the ACOM Responsible Sysadmin Policy.

Desktop and Server Operating Systems

Desktop operating systems are for systems deployed for the use of individual staff members in ACOM. They do not offer network services except for those configured and assigned by Primary System Administrators. A desktop computer may be a fixed platform such as a PC or Macintosh, or it may be a removable host such as a notebook computer. A virtual host is also considered a desktop computer.

Servers provide one or more network services, usually have multiple logins, and are by nature specialized in order to perform the functions for which they were acquired.

Certification for Use on a UCAR network

A system is certified for use on a UCAR network if all of the following conditions are true:

  • There is an identified Primary System Administrator who is responsible for the system. Remote access and control over configuration must be granted to identified Primary System Administrators.
  • The system runs a supported Desktop Operating System.
  • The system is in compliance with UCAR security standards and policies outlined by the UCAR Computer Security Policies.
  • The system has not been identified as a risk to the division or institution as a result of an identified security compromise.

Certification of a supported Desktop or Server operating system may be made by a Primary System Administrator. Certification of an approved excepted Server or Desktop operating system may be made by the head of the ACOM Computer Systems group.

Supported Desktop Operating Systems

The following operating systems are currently fully supported in ACOM. "Fully supported" means that Primary System Administrators have complete access to, administrative duties over, training and expertise for, and responsibility for systems running these operating systems. As long as there is a designated Primary System Administrator for such a system, it may be attached to the ACOM or UCAR networks. The approved desktop operating systems are:

  • Windows XP Professional
  • Windows Vista Business or Vista Enterprise
  • Mac OS X 10.4 or newer
  • Current version plus one prior version of Fedora Linux. For example, if Fedora 6 is the current version, support is offered for version 5 as long as the developers provide timely security and application updates for the prior version.

Once the Systems Staff has installed an operating system, it may be necessary to maintain that operating system to ensure a well-working, compatible, and secure computing environment. Through direct or automated methods, Primary and Responsible System Administrators may apply updates, patches, security fixes, print driver updates, etc.

Supported Server Operating Systems

Supported Server Operating Systems include all operating systems defined among the supported Desktop Operating Systems in the previous section. Additionally, specialized operating systems may be certified including:

  • Current version of AIX, Irix, SuSE Enterprise, Redhat Enterprise, or CentOS, plus the prior version of these operating systems for as long as patches and updates are made available by the vendor.
  • Windows 2003 server or the forthcoming Windows Longhorn server.

These additional operating systems are managed by Primary System Administrators and fall within their scope of expertise. They are allowed on server platforms in secure computing room environments only.

Exceptions allowing support of additional Server or Desktop Operating Systems

Exceptions to the Desktop Operating System standard may be allowed on the basis of scientific or technical need. The head of the ACOM Computer Systems group may grant certification to such an exception as long as the exception does not present a violation of other divisional or organizational standards, policies, and procedures. For example, a legacy operating system such as Windows 98 will not be allowed as an exception because it would be considered a legacy host according to the UCAR Legacy Hosts Policy. A Unix variant may be allowed as an exception if it can be patched, updated, closely monitored, and managed. In order for the Unix variant to be allowed as an exception, the host running the variant may be subject to these additional rules:

  • To be certified for use on the ACOM or UCAR network, the system must run only the current version of the OS. For example, if Redhat Enterprise 5 is the current version and the host is running Redhat Enterprise 4, the host must be considered a legacy host.
  • A security plan must be written for the system and approved by the head of the ACOM Computer Systems group, the person(s) in charge of the excepted system, and the supervisor of the person(s) in charge of the excepted system. The plan must account for ongoing software maintenance, patches, firewall rules, allowed services, configuration management, monitoring, incident handling, and upgrades of the excepted system.
  • The excepted system must still abide by all of the ACOM and organizational policies and procedures governing the security of the system. Security-related configuration may be enforced by cfengine rule or performed regularly and manually by a Primary System Administrator.
  • System logs of the excepted system must be sent to a divisional and/or organizational log.

 

Automated configuration management

Where possible, supported operating systems within ACOM are managed with automated configuration management tools including deployment tools (Windows Deployment Service, Linux "kickstart") and ongoing software management tools (Windows Group Policy, Linux/Mac cfengine).

The use of these tools for ensuring compliance with ACOM and organizational OS standards is at the discretion of the ACOM Primary System Administrators. The alternative to the use of these tools is the ongoing "hands on" approach of interactively managing OS and software configurations so that the same goals are achieved.

All OS installs are replacement installs rather than upgrades. That is, the partition in which an operating system exists is reformatted, and a fresh install of that operating system is applied. User best practices therefore include:

  • Use packages when they are available.
  • Let the Systems Staff know of any additional RPM packages that you have applied to your system.
  • Do not place files in the system partitions (/, /etc, /usr, /var, /tmp, etc.). Most users should place files in /home.
  • Be sure to back up your home directory data to prepare for when a hard disk crashes.
  • Primary System Administrators may recommend a reformat/reinstall rather than a complex troubleshooting procedure to resolve certain problems. Be prepared to install any additional applications beyond the base install offered by the ACOM Computer Systems staff.

 

Microsoft Windows OS installs

Microsoft Windows Vista Business (or Enterprise) and Microsoft Windows XP Professional are the supported Microsoft Windows operating systems within ACOM.

Once we have installed or upgraded a Windows operating system, we generally apply the following additional software:

  • Microsoft Internet Explorer update
  • Firefox (latest)
  • Thunderbird email (latest)
  • Adobe Acrobat (latest)
  • WinZip
  • Domain based time synchronization
  • VNC (allows us remote access to your system)
  • Meeting Maker
  • Printer Drivers

A Primary System Administrator can also help configure Thunderbird to be your email agent. In addition, we can install any commercial software for which you have a legal license.

Microsoft Office

We make an attempt to support Microsoft Office at a consistent level among the systems in ACOM. The currently supported versions are Microsoft Office XP (being phased out) and Microsoft Office 2007 (being phased in). The Macintosh equivalents are Microsoft Office 2004 (being phased out) and Microsoft Office 2008 (planned to phase in).

OpenOffice is provided on all Fedora Linux systems installed by the ACOM Computer Systems group.

Antivirus

We make an attempt to support antivirus and antispam technology with consistent products among the systems in ACOM. For both Windows and Macintosh users, that product is Symantec Antivirus Corporate Edition. The use of an alternative antivirus technology may be allowed but must be approved by a Primary System Administrator. All Macintosh and Windows users must use antivirus technology and perform daily checks for signature updates.

Purchasing

The CSC (Divisional Computing Support) budget will purchase operating systems licenses and upgrades for PC computers as needed. Only Windows XP Professional or Windows Vista Business licenses will be purchased at this time. The CSC will also purchase licenses for Office 2007 Professional or Office XP Professional (or their Macintosh equivalents: Office 2004 and 2008).

Macintosh software must be purchased by the end-user's group.

Antivirus Software

The CSC will also purchase licenses for Norton Antivirus Corporate Edition which is required to be installed on all PC/Windows platforms in ACOM. This software is required even if a computer is a personal computer since placing that computer on our network exposes our network to potential virus attack. In those instances, we may require that you purchase Norton Antivirus or another virus detection program and update its virus definitions regularly.

Antivirus 8 runs in Macintosh OS X 10.3, but Antivirus CE does not. If you are a Macintosh user, you must purchase Antivirus 8 or newer along with a subscription for updates that is renewed each year. Should Antivirus CE eventually support Macintoshes, we will look into accommodating Macintoshes under the CSC and with our Antivirus server.

Multiple Operating System Policy

ACOM allows multiple operating systems to be maintained on a desktop PC. Machines can often be "dual-boot", with a choice to run either Microsoft Windows or Linux at startup time. Or they can run virtual environments such as the VMware virtual machine. Virtual environments allow one to run an operating system and then run another operating system within a window. For example, Linux users can run a window with Microsoft Windows software applications.

Multiple operating systems do take more work to maintain, so we require that a maximum of two different operating systems be run on a particular platform.

All ACOM and organizational security and system administration standards apply to the "second" (sometimes called "guest") operating system as well as to the primary (sometimes called "host") operating system.

Administrator/Root password policy

The Systems Staff generally retains administrative (or root) access to a desktop computer. For Unix users, we install the "sudo" command which can provide access to some root functions without our having to deliver the root password. For Macintosh, XP, or Windows Vista users, we may deliver the local administrator's password to the end-user. But we would retain the CIT domain password which we use to administer accounts. That way, the end-user can perform software installs as the local administrator but the Systems Staff can access the system as the domain administrator.

In most cases, we discourage being logged in as root or administrator -- these accounts are meant for temporary maintenance (such as software installs) only.

User Account Control, such as provided on the Macintosh or Windows Vista, must be enabled for privilege elevation for system-level functions. The use of User Account Control allows day-to-day operations to be performed in a safer, less-privileged environment.

ACOM | Atmospheric Chemistry Observations & Modeling