Dangerous Software Policy

Revised: June 7, 2005

This policy addresses 4 categories of dangerous software. Such software sets up a workstation or desktop computer to be a server, and because the machine initiates the connection, the software creates a bypass around our security perimeter, exposing the UCAR network to risk from outside compromise.

In general, any of the following types of software may be uninstalled upon discovery by a Systems Administrator.

Peer-to-Peer

Peer-to-Peer (P2P) software works by making a machine a server on a special network whereby all machines are servers to all other machines. These networks usually bypass firewalls and span the Internet. One purpose has been to swap media content among a set of users.

P2P software must be uninstalled from systems attached to the UCAR network. This includes but is not limited to

  • KaZaA, KazaaLite
  • BearShare
  • GNUTella (and derivatives)
  • eDonkey (and eDonkey 2000)
  • SoulSeek
  • GLO-Search
  • Direct Connect
  • BitStream

Some instant messaging (IM) clients may work in a manner similar to P2P software unless carefully configured. Such clients are discouraged on the ACD and ASP networks. If you require IM software, see your Sysadmin for a review of its settings, or for more secure variants of the software.

Unauthorized VPN

VPN software works by having a server inside of a network route connections back and forth to machines on the Internet. Such machines usually have VPN client software. Our authorized VPN solution is a Cisco 3000 VPN server on the UCAR network, and Cisco VPN client software on machines on the Internet. Such clients make a VPN connection whereby the traffic is encrypted, and all communications are as if the machine is on the local network.

The Cisco 3000 VPN server and Cisco client software is the authorized VPN solution in ACD and ASP.

Other software may provide VPN functionality but is not allowed:

  • ssh in tunneling mode
  • GoToMyPC and similar desktop access software
  • Open Source Cisco-compatible VPN clients
  • Spyware (see below)

Distributed Computing

Distributed Computing applications set up workstations across the Internet at large to cooperative process data for a particular application. The best known is "SETI@home" which uses homes computers to diagnose radio spectra associated with the SETI project.

Because Distributed Computing applications creates accessibility from the Internet, and because the software used in Distributed Computing is not under our administrative control, we are disallowing the use of such software except by explicit permission from a Primary Systems Administrator, and only when such use is demonstrably related to UCAR work in progress.

Distributed Computing Applications must be uninstalled from systems attached to the UCAR network. Examples include these, but there are many more:

  • SETI@home
  • evolution@home
  • eOn
  • climatePrediction.net
  • Distributed Particle Accelerator Design project
  • Lifemapper
  • Folding@home
  • fightAids@home
  • Ubero

Spyware

Spyware applications often get installed without the user's knowledge -- simply by browsing the web, or viewing an email with HTML content. At best these applications send information back to other servers without the knowledge of the user or the sysadmins of UCAR. At worst, they reconfigure software settings in order to enable advertising, infection, or malicious use of the computer.

Much Spyware can be prevented by installing and running SpyBot Search and Destroy. Spybot is provided as part of our standard Windows install. Other Spyware prevention tools are available -- see your Sysadmin for the best current Spyware prevention option. Since Spyware prevention software depends on definitions which change over time, all Spyware prevention software must be updated regularly in order to be effective.

Additional recommendations to avoid Spyware include:

  • Set your browser configurations to be as secure as possible -- making sure browsers prompt you for downloads and installs, and making sure that cookies are stored only for the session (if possible).
  • Do not use P2P software (see above)
  • Install business or science relation applications only. Do not install "entertainment" applications or other software which does not serve a business or science related need.
  • Use a browser which prevents pop-ups
  • Do not use Internet Explorer if you are not at the Windows XP Service Pack 2 level of the Windows Operating System or better.
  • Follow all Sysadmin recommendations for browser management, and keep your browser updated to the current release.