ITS provides direct support for a class of machines known as managed hosts (previously called “facilitized” hosts). In addition, ITS allows users to manage their own machines known as self-managed hosts.
Definition: A managed host is a customer machine that ITS configures and manages according to a set of common standards. ITS staff build the machine and its operating system to work reliably within the ITS computing infrastructure.
What support is offered for a managed host? ITS installs and maintains a set of software on the host and applies patches as needed. The software is a mix of commercial and non-commercial products. All managed machines are provided with a backup service: for machines on the wired network, backups run automatically each night; for hosts (typically laptops) connected through the wireless service, the customer must start the backup manually. For Solaris, Linux and other Unix machines, most of the software is served from an AFS location.
To qualify as a managed host, a machine must be university owned; ITS does not modify or support personal property. In addition, the device must run an operating system that ITS computing staff can install, upgrade, patch, modify and back up. The supported operating systems are listed elsewhere in this section.
Access to managed machines is controlled through the account management system. Users of Solaris/Linux/Unix systems log in with their ITS-provided AFS account on all managed machines; Windows users log in with the Windows account provided by ITS. The systems follow the industry-standard least-privilege model: each user receives only the permissions needed to accomplish their work, and not administrative rights. This limits what malware or a compromised account can do, since code running as the user cannot modify the operating system or the software ITS maintains. If additional privileges are needed, they can be obtained by sending mail to firstname.lastname@example.org.
Definition: A self-managed host is a user-managed machine, usually a laptop or desktop, in which the end-user bears all responsibility for configuring / updating / patching / and managing the host. A self-managed machine may be privately owned, or owned by CMU (or another research entity). Some network and IT services are available for self-managed machines.
Who can manage a self-managed machine? The option of managing a self-managed host is available only to faculty, researchers, and students. Graduate students need to own the host, or else, the host needs to be assigned to them by a faculty advisor (and also not be a managed host). Undergraduates need to own the host they are managing.
Note: In terms of cost center charges, there is no difference in cost between a managed and self-managed machine.
What are the end-user's responsibilities? The end-user is responsible for applying all security patches promptly and for keeping the host secure. Hosts on the network are directly exposed to the Internet, with no network firewall in front of them, so they are under continual attack from outside; only the configuration of the machine itself (its patch level, the services it exposes and any host-based firewall) stands between it and a compromise. Security must be monitored and maintained continuously, not just during working hours. In summary, the end-user is solely responsible for maintaining the system's security.
To help secure the CMU network, Andrew computing does continual machine scanning to search for vulnerable and/or compromised machines. Compromised machines will be barred from the network immediately. Depending on the severity of the vulnerability, vulnerable machines may also be immediately barred from the network.
Managed completely by the end-user, a self-managed host can run any OS. Modern operating systems for which there is some indirect support (see below) include Windows 7, Suse, and Mac OS X.
What support does the IT group (ITS) provide to help manage a self-managed host? No direct support is offered. What is offered are guidelines and pointers to help end-users register their host, obtain software, mount AFS/DFS drives, print to a departmental printer, obtain limited backup, and help secure their system.
Pointers for Managing Non-Facilitized Hosts under Linux, Mac OS, and Windows
- Registering your Host
- Obtaining Software
- Mounting AFS drives / mounting DFS drives
- Printing to Departmental Printers
- Backup – No backup is provided for self-managed hosts. Users can, however, store research (academic) data on departmental AFS or DFS drives, access that data from a self-managed host, and feel comfortable that their research (academic) data is backed up by a departmental server. (Please note: Users of self-managed hosts are requested not to store their entire operating system on AFS or DFS drives.) Additional information about backup is located here.
- Security – This is a broad topic and covers everything from password strength to building machine-based firewalls. A good starting point is the article on wikiHow about securing hosts. SANS is another good source of information about security.
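As an added illustration of the two points above (a self-managed host sits on the Internet with no network firewall, so what it listens on is what it exposes, and a host-based firewall is the remedy), the following script is example code, not something ITS provides. It assumes a Linux self-managed host with iproute2 (`ss`) and nftables, embeds a constructed sample of `ss -H -tuln` output so it runs offline, and uses the documentation network 192.0.2.0/24 as a placeholder for wherever you administer the host from; substitute your real source network.

```shell
#!/bin/sh
# Added example (not ITS-provided code). Assumes a Linux self-managed host with
# iproute2 (`ss`) and nftables; 192.0.2.0/24 below is a documentation
# placeholder, not a real campus network.

# Constructed sample of `ss -H -tuln` output so the script runs offline.
SAMPLE_SS='tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*'

# Read `ss -H -tuln` lines on stdin; print "proto/port" for every socket bound
# to something other than loopback, i.e. reachable from the Internet when no
# network firewall sits in front of the host.
exposed_ports() {
  awk '{
    n = split($5, a, ":")                 # field 5 is local address:port
    port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    if (addr == "127.0.0.1" || addr == "[::1]") next
    print $1 "/" port
  }' | sort -u
}

# Read "proto/port" lines on stdin and print any not in the space-separated
# allowlist of services you intend to offer; returns 1 if any were found.
unexpected_ports() {
  allow="$1"
  found=0
  while read -r p; do
    case " $allow " in
      *" $p "*) ;;
      *) echo "$p"; found=1 ;;
    esac
  done
  return $found
}

# Emit a default-deny nftables ruleset: loopback and established traffic in,
# SSH only from one IPv4 source network, and any listed TCP ports open to all.
# Apply with:  firewall_rules 192.0.2.0/24 80 | sudo nft -f -
firewall_rules() {
  ssh_src="$1"; shift
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    ip saddr $ssh_src tcp dport 22 accept
EOF
  for p in "$@"; do
    echo "    tcp dport $p accept"
  done
  printf '  }\n}\n'
}

# Offline demo on the constructed sample. On a real host replace the printf
# with:  ss -H -tuln | exposed_ports | unexpected_ports 'tcp/22 tcp/80'
printf '%s\n' "$SAMPLE_SS" | exposed_ports | unexpected_ports 'tcp/22 tcp/80' \
  || echo 'listener(s) above are not in the allowlist: stop the service or firewall it'
firewall_rules 192.0.2.0/24 80
```

On the sample input the audit flags udp/5353 (mDNS bound to all interfaces) as an unexpected listener while accepting SSH and the web server; the generated ruleset then drops everything not explicitly allowed, so a service you forgot about is no longer reachable even before you get around to removing it. Keep the allowlist and the ruleset in step: every port you accept in the firewall should be one you deliberately listed.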