LNS Computing Policies
The purpose of these policies and procedures is to ensure that LNS users, the Computer Services (CS) and the Directorate understand their rights and responsibilities, and to define fair and reasonable use of shared LNS computing resources. The policies and procedures apply to all users and implicitly include matters covered by other policies, such as MIT Policies and Procedures (http://web.mit.edu/policies/index.html), especially section 13.2 "Policy on the Use of Information Technology" (http://web.mit.edu/policies/13.2.html), MITnet Rules of Use (http://web.mit.edu/olh/Rules/#mitnet) and ESnet Policy (http://www.es.net/hypertext/esnet-aup.html, DOE Energy Sciences Network).
To assist with the Laboratory's scientific mission, the CS is designated with the authority and responsibility to provide, maintain and administer computing resources to support research and administrative operations of the Laboratory. The CS also provides installation support, maintains network security and administers many individual personal computers and workstations within the research groups. The CS staff will provide their best effort to deliver services and support which meet the needs of their customers, within the financial resources provided. It is the responsibility of the research and administrative groups to communicate their needs in a clear and timely fashion and to cooperate with the CS staff to implement these supported services.
Principles
The principles for use of LNS computing resources, as recommended by the LNS Computer User Committee (CUC), are as follows:
Every Laboratory research group has the right to
determine how it provides and administers its individual computing resources,
and to determine, with the help of the CS, how to best interface with shared
resources (networks and central computing). All decisions should be made in
close consultation with the CS. The ultimate responsibility lies with the
management of the research group and the Laboratory management.
Security concerns in the use of computer
hardware, software and networks are of critical importance to the Laboratory.
They include activities that would allow the possibility of unauthorized
reading, copying or modification of computer files, and disruption of computers
or networks such that authorized use is impeded. All users must follow the
computer security guidelines. These guidelines may come from the CS, MIT
Information Services and Technology or government agencies with applicable
jurisdiction. The users will be informed of any changes in computer security
guidelines.
These principles form the basis for the
operational mode of all computer resources and networks within the Laboratory.
Definitions
"User" - any person consuming shared
computing resources at LNS, e.g., CPU cycles, printer paper, network bandwidth,
etc.
"System Manager" - user who has
root/system/administrator password access to desktop, laptop, server, or to a
clustered system.
"LNS Member" - LNS faculty member,
post-doc, sponsored research technical or administrative staff, support or hourly
staff, graduate and UROP student.
"Person affiliated with LNS" - anyone
who is not an LNS member but who has been designated by an LNS faculty member
as requiring LNS computer resources to assist in the research mission of the
Laboratory.
"LNS computer systems" - all computer systems that obtain an IP address, are connected to LNS network(s) and are located on the MIT campus.
"Distributed Computing Arrays" -
collection of computers, henceforth termed "nodes", organized into a
single array and which work in tandem to solve one or more computational
problems together.
Computer Acceptable Use Policy
LNS considers access to all shared computer resources by LNS members as a right. It is presumed that every user will exercise it responsibly. Faculty members decide which persons affiliated with LNS need access.
LNS computer systems are intended only for
research and administrative use in support of the mission of the Laboratory.
Commercial, political and other activities not connected with the LNS mission
are not permitted.
Authorized Access
User access to all shared computing resources is
restricted by authorization. Authorized access is granted by applying for an
account through the CS. Full access (system manager or
root/system/administrator) can be requested if a separate application is filed.
Access to shared resources is regulated and
monitored by the CS. Users may only access their authorized accounts. Users may
not create their own accounts and may not authorize anyone to have access or to
use their accounts. Sharing passwords is prohibited. Each individual is
responsible for his/her conduct while using the LNS computer facilities.
Supervisors are responsible for the actions of their subordinates.
Authorization to access computing resources will be disabled upon termination
of the user's affiliation with LNS after consultation with the responsible
faculty member.
The CS staff must have root or administrator
access to all computer systems connected to the LNS network in order to monitor
security and to allow routine maintenance (routine maintenance on supported
machines only). The staff will use root privileges on individual workstations
only after consultation with the appropriate user except in emergencies (when
the user will be informed afterwards) or while performing routine
administrative duties on supported machines.
System Managers
System managers (SM) have special privileges and responsibilities on the LNS computer systems. In the course of normal system maintenance SM may work with all accounts and files, subject to the following restrictions: SM must not read or inspect the data or information in the accounts and files of other users, and must not change or delete files in a way that precludes recovering the original data.
Sharing Resources and Services
To maximize effective use of shared resources,
all users are expected to avoid monopolizing these resources. If the need
arises for a user to consume an unusually large portion of shared resources,
this should be done in coordination with CS and CUC. Misuse of computing resources can limit legitimate users' access to the shared resources.
LNS CUC acts as the arbitration body in
situations where users have conflicting interests. If a conflict cannot be
resolved by the CUC, it can be appealed to the LNS directorate. The CS staff
has the right to alter the priority or terminate the execution of any process
that is consuming excessive system resources or degrading system response. CS
staff will consult with any user whose process is problematic. In extreme
circumstances, if CS staff is unable to contact the user, the immediate
supervisor will be contacted. If the supervisor is unavailable, the group
leader will be contacted. If this process fails, CS will consult with the LNS
directorate before taking any action.
Modifying Shared Computer Resources
Due to the nature of modern networks even a
small change can have dramatic results on the performance of other resources.
The CS staff must be consulted before making any additions, deletions,
modifications or other changes to the shared computer resources.
Software Licenses and Copies
Users of LNS computing resources are reminded
that it is MIT policy to respect the intellectual property rights of others.
All software used on LNS computing resources
must not infringe upon the legitimate intellectual property rights of any
person or corporation.
The CS maintains backup copies of licensed
software. Users may not make copies of licensed software.
Policy Enforcement
Users must accept a statement indicating that
they have read, understood, and agree to abide by the full LNS Computer Policy.
Violators of the policy may be subject to disciplinary action(s) by the LNS
directorate.
Computer Security Policy
Computer security is required to protect data
and systems critical to the operations of the Laboratory in pursuit of its
mission. The "LNS Computer Security Policy" covers all LNS computer
systems, whether on-site and connected directly to the LNS network, or off-site
and connected to the Internet or by other means such as the modem pool or MIT
Tether.
Scope and Responsibility
The director of LNS is responsible for computer security and related matters. The LNS associate director, the CS manager and a cross-sectional representation of LNS Research Groups assembled in the Computer Users Committee will advise the director on computer security-related matters.
LNS CS staff are responsible for maintaining the security of all systems as
well as data integrity of shared resources. Users and the CS are responsible
for conducting themselves in a manner consistent with the policies of this
document.
Privacy of Electronic Files and Email
LNS respects the privacy of the electronic files
and email of all users. LNS follows the MIT rules on electronic and email
privacy, see MIT Policy on the Use of Information Technology (http://web.mit.edu/policies/13.2.html).
The LNS director will consult with the VP of MIT Information Services regarding
any requests or actions related to the privacy of LNS electronic
communications.
Unauthorized or Malicious Access and Actions
No user may attempt unauthorized entry to computer systems or accounts, or attempt to damage, alter, falsify or delete data, including system and application software or email. All users are forbidden to attempt denial of computing or network services either within LNS or on the Internet.
Users are authorized to access accounts in their
own name, and to alter or delete data in those accounts. Users may also access
files not registered in their name but enabled with group permissions on a
computer system. The burden of proof of authorization rests with the person
attempting to access an account. Possession of a password is not a proof of
authorization.
Disregard for Computer Security
The LNS CS will advise individual users on
practices that are unacceptable. The CS personnel will provide full information
on proper security procedures to all users. The CS will maintain email records
of such notifications. Repeated unacceptable action by any user will be
referred to the LNS directorate.
Incident Reporting
The Security Policy requires preventive
monitoring and rapid investigation of incidents involving extreme behavior. All
users are required to immediately report any suspicious incidents involving the
security of LNS computers or networks. Incidents should be reported to the CS
manager or to the system managers. System managers will report to CS manager
incidents that do not have a simple explanation based on normal routine
operation of the system. Users must not disclose any detailed information about
computer security incidents without authorization from the LNS directorate.
Restricted Central Services
For computer security reasons LNS users are not
allowed to activate the following network services:
- Routing and bridging
- Private or wireless networks
- NAT (Network Address Translation)
- Tunneling, except tunnels with a single source or destination for purposes of mobility or security
- All forms of off-site network connections except via Internet and CS or MIT modems
- DHCP (Dynamic Host Configuration Protocol) servers
- Assignment of IP (Internet Protocol) host names and addresses (use of automatic configuration mechanisms provided by the CS, such as DHCP, is not restricted)
- DNS (Domain Name Service) zone mastering and all externally reachable DNS services
- NIS (Network Information Service) using CS domain name(s)
- PDC (Primary Domain Controller) and BDC (Backup Domain Controller)
- NFS (Network File System), AFS (Andrew File System) or other file servers
- Windows Server Active Directory
- Web servers are allowed with the permission of the CS manager.
Specific waivers from these restrictions must be
provided to the user in writing by the LNS directorate in consultation with the
LNS CS manager and with the recommendation of the CUC.
Critical Systems
There are certain computer systems on the LNS
network that are vital to the Laboratory's operations. Such systems may be
designated as critical and may be subject to additional computer security
policies and procedures.
Computer Service and Support Policy
The LNS CS will strive to maintain the hardware, software, networks, services, and shared resources necessary for the laboratory to fulfill its function. LNS CS provides the services enumerated below with staff available from 9 AM to 6 PM on MIT working days and on a best-effort basis at other times. With limited personnel and resources, it is necessary to limit the hardware, software, etc. purchased by the research groups that can be supported. The choice of supported products is outlined below and is subject to change as technology and the needs of the laboratory change. If individual research groups purchase and/or install unsupported products, the CS does not guarantee support for those products, and the individual research group is responsible for any security concerns that may arise as a result. Details of the supported platforms, operating systems and software are given in the Appendix at the end of this section.
Accounts and Connections
The LNS CS supports the following services: user
and email accounts, backups, Internet access, Web servers, shared disk space
(file servers), as well as computers, tape drives, printers and other services
generally accessible to LNS users. For more details on the support and specific
hardware and software recommendations, refer to the LNS CS Web pages http://www.lns.mit.edu/compserv/.
Users are entitled to full access to shared
resources with the proper authorization (account name, password and certain
privileges) supplied by the CS.
Hardware, Software and Network Services
Acquisition
All shared services (hardware, software and
networks), managed by the CS, are financed by the LNS Central Facility budget.
Research groups are responsible for purchasing their individual computer
equipment. Prior consultation with the CS is strongly recommended. If groups so
choose, equipment can also be ordered through the CS using the research group's
SAP account to create the requisition.
Accepting Equipment on LNS network
CS staff should inspect equipment for hardware configuration, operating system level, network services and other relevant configuration parameters before it can be admitted to the LNS network. Local accounts must be inspected for level of permissions and access rights.
Maintenance Requirements
CS supports computers connected to the LNS
network at MIT. This includes MITnet and the ESnet address blocks.
The supported desktop workstations (but not
laptops) are expected to remain operational and on the network at all times.
Shutting down a workstation for an extended period that disrupts routine
maintenance, security monitoring or backup process (e.g. overnight) should be
coordinated with the CS. Changes in network, application software or hardware
configuration of the machine should be coordinated with the CS. Changes which
are not approved by the CS and deemed problematic may result in withholding of
support until the problem is resolved.
Support Costs for Individual Equipment
External costs for individually purchased
hardware, software and network support are the responsibility of the individual
or the group that made the acquisition.
Networks
MIT Campus Network
CS provides network support to computers
connected to the LNS network at MIT. All LNS on-site systems are linked by the
LAN (local area network). This network is connected to the MIT campus-wide
network and to the ESnet. LNS supports peering of the ESnet and MIT campus
networks. The CS operates a local DHCP and DNS service with one domain name
authority [lns.mit.edu] as well as one LNS mail service. LNS Web pages are
hosted locally by CS. The CS with the help of the LNS administration will
strive to ease the security concerns and responsibilities of individual users
through the implementation of global security solutions. Preference should be
given to network connections that accommodate group (vs. individual)
protection.
Laptops used at LNS must be registered for LNS connection via DHCP (Dynamic Host Configuration Protocol). A static IP address can be assigned to a laptop upon special request. Optional wireless networking is provided in several common areas through LNS.
Bates Laboratory Network
Bates Laboratory uses LNS as the connection point for Internet access but is not supported by the CS.
Printers
The LNS CS offers printer services in two ways:
full service and partial service.
Full service consists of printers located in
places where they are accessible to every user in the Laboratory (common rooms
with coded locks). These printers are supplied, maintained and updated by the
staff of the CS, and have been tested under various operating systems.
Partial service means providing network
connections and installing proper drivers on CS servers for printers belonging
to individual research groups or LNS administration within the Laboratory.
Research groups should consult the CS before ordering printers. The CS does not
provide mechanical maintenance, supplies or updates for these printers. A
designated individual should be assigned these tasks. Only individual groups
use these printers and hence their network access is limited. During occasional
critical times, the CS will service private printers, diagnose malfunctions
and, if possible, repair the printers.
Backups
Currently CS provides backup service for each
machine that is supported (except laptops). Users (data owners) are responsible
for determining what data requires protection and how data is to be recovered
if the online copy is destroyed. If a backup is necessary, the users should
coordinate a backup plan with the CS. This may either be an individual backup
done by the users themselves or coordinated into a regular systems backup plan.
Reinstallation
In case of major problems on any supported
computer, reinstallation of the operating system may be necessary. This should
be done in coordination with the user and the CS to minimize adverse effects on
the operation of user-installed hardware and software. CS reserves the right to
restrict access to a machine or withdraw support if some network, software or
hardware configuration, or some other condition, could lead to security
problems.
Appendix
Support Levels
The CS installs, configures, upgrades, maintains and otherwise supports all software packages listed in the Appendix to LNS Computer Procedures. However, CS does not provide teaching and training for these packages or debugging of user-written code.
OS Platforms Supported
Windows
LNS CS supports Windows 2000 and Windows XP.
Windows NT is supported until 12/2004.
Domain Control
Supported Windows machines should either be in
the MITLNS Domain, or in a domain that trusts the MITLNS Domain.
Software Support
The CS supports a standard set of application
packages - in most cases these are supported by MIT as well. Support for
additional application packages, if recommended by CUC and approved by CS, is
also available. The list of supported applications will be updated as needed.
Any Windows machine supported on LNS network
must be running SecureCRT and VirusScan. Telnet, Kermit and other insecure
connections must not be used at LNS. If the machine is locally administered,
the owner may choose the frequency of anti-virus scan and the frequency with
which virus-signature updates are made. The CS may recommend more frequent
scans and require updates at certain times.
Linux
LNS CS supports its own, standardized
distribution of Red Hat Linux on Intel-compatible workstations only. The actual
hardware and peripheral devices should be coordinated with the CS. Additional
peripherals should be approved by the CS prior to their installation. CS is not
supporting Red Hat Linux on laptops.
Software Support
The CS supports a standard set of application
packages under Linux. Support for additional application packages, if
recommended by CUC and approved by CS, is also available. The list of supported
applications will be updated as needed. Users can install individual software
packages. If such installation requires special drivers or other
system-specific hardware or software components, it should be coordinated with
the CS.
Mac OS X
LNS CS supports Apple Mac OS X on Macintosh computers with a built-in USB port.
Software Support
The CS supports a set of MIT-supplied application programs, including Virex and Eudora, as well as MS Office for X and applications supplied with the system.
Distributed Computing Arrays
The CS installs, maintains and operates Distributed Computing Arrays for scientific data processing. Some nodes are dedicated, online, and available at all times. This equipment is operated as shared devices and includes tape drives, media changers and other equipment requested by users. Other nodes may also be desktop workstations, joining the array pool dynamically when idle and leaving when in use. Desktop users who wish their workstation permanently removed from the desktop array pool may do so on request.
Laptops
Laptop support is restricted to the services that interface with LNS shared resources and is consistent with other LNS Computer Policies.
Publication Date: April 13, 2001
Revision Date: May 7, 2004