Windows 7 Update and Security Recommendations Committee Review.

Windows 7 Update and Security Recommendations

Committee Review

Revised Timelines

2

• Medical Center

• Campus

Applications Update

• Estimated date of completion for remaining applications: 2/14/14

Applications Requesting Exception• UCSF Security Exception Request Form developed for non-

compatible applications and hardware: http://it.ucsf.edu/sites/it.ucsf.edu/files/security_exception_request_v1.5_0.pdf

• Applications submitted for exception:– AMCOM (Operator DB for Patient Info) Connie Standfield, 8

– EndoPRO Cindy Weiner, 75

– EndoPro (APF-Lab) Natasha Komarovskaya

– GE Mobile Care Server Paul Jimenez, 30

– GE Patient Data Server Paul Jimenez, 22

– HeartSuite James Cundiff, 4

– Softmed Natasha Komarovskaya, 10

– SoftMed 6.5 Ed Mahony

– SoftMed Core Messaging Framework Ed Mahony

– SoftMed Resource Locking Client Ed Mahony

– Vericis [Cardiology] James Cundiff, 4

Communications

• Conduct Desktop Drop Notification for Phase II Clinical Rollout: 2/10/14

• Survey early adopter groups for feedback on performance post-upgrade (Lakeshore and Women’s Health Daly City Clinic): 2/13/14

• Medical Center Update: 2/7/14

• Manager’s Weekly: 2/10/14

• Ideas from the project team:– Easily identifiable outfit for morning after Field Walkers

– Quick view stickers: green (upgraded), orange (issue), red (exception)

Security Recommendations

Current State

• No current domain level GPO (Group Policy Object) with local security settings

• Users that receive UCSFMC imaged laptops are set to have local admin access by default.

Risk

• Local admin access– Malware

– Phishing\credential theft

– Installing unauthorized\potentially malicious software

– Potential software licensing issues

– Unauthorized removal of software

– Unauthorized system configuration changes

Risk

• No baseline GPO– Overall this is not best practice

– Many low impacting settings that can have a positive affect on our security posture

IT Security Recommendations

• Local admin access– No local admin access as default user configuration

• Principle of Least Privilege

• Group policy object settings• Based on USGCB (US Government Configuration Baseline)

– Local Windows settings

• 17 GPO settings– Internet Explorer settings

• 5 GPO settings

Impact

• No local admin access– Users will be unable to install and update some

software

– Potentially increased support calls to install software and make other needed configuration changes

– Self support at home

• GPO settings– Each setting has its own inherent impact

Mitigations to Minimize Impact

• Local admin access– Beyond Trust Power Brokers Desktop (Privilege

Manager)

– Software Center (SCCM) – Self Service Portal• In pilot

– Exception process\procedure

• Elevated account request

• GPO settings– Testing to date has revealed little impact to user

productivity

Questions