Protecting the confidentiality and integrity of U-M systems and data is the responsibility of all members of the U-M community. The requirements for comprehensive endpoint protection are spread across a number of IT standards at U-M.
The purpose of this guidance is to consolidate instructions into a single resource for units, so they can more easily navigate among requirements to ensure compliance.
Enhanced Endpoint Protection
Related Standard: Endpoint Security Administration (DS-23)
UM-Ann Arbor, UM-Dearborn, and UM-Flint use CrowdStrike Falcon for enhanced endpoint protection. All U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers) should have CrowdStrike Falcon installed.
Units are responsible for deploying Falcon on unit systems and having plans and processes in place to support deployment in an ongoing manner. Falcon sensor implementation status should be maintained in unit system inventory.
For complete instructions on how to deploy Falcon on your machines, or to request exceptions, visit CrowdStrike Falcon for Units.
Exception Process on CrowdStrike Falcon for Units
It may not be possible to install and run CrowdStrike Falcon on all U-M owned systems, due to technical and/or operational limitations. Examples of devices where it may not be possible to install and run CrowdStrike Falcon include:
- Network appliances (e.g. NAS)
- IoT devices
- Devices running incompatible operating systems (e.g. VMware ESX, FreeBSD, etc.)
Questions and exception requests can be submitted using the Enhanced Endpoint Protection form.
Inventory of U-M Owned Systems
Related Standard: Endpoint Security Administration (DS-23)
An inventory of systems is crucial for effective and secure IT management. Knowing what devices are in the U-M environment allows for better security, risk management, and compliance.
The University of Michigan does not provide an enterprise system inventory management solution. Units are expected to maintain and develop their own inventories with guidance from IA. IA may help units with initial inventory based on information in Active Directory.
The recommended fields for a unit-owned system inventory are as follows:
- Serial Number
- Asset Tag
- Device Type
- Device User Uniqname
- Unit/Department
- Device Location
- Warranty Information
- Falcon Sensor Status (implemented/exception).
Units are welcome to maintain any additional device information to support their own processes.
Unit inventories should be shared with IA on request.
Principle of Least Functionality
Related Standard: Endpoint Security Administration (DS-23)
The principle of least functionality maintains that systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that system.
Avoid enabling unnecessary features and services when installing software on your endpoints.
- When possible and appropriate, use pre-vetted managed software packages via MDM/Software Center.
- When software must be installed manually, always use custom installation options to ensure that only the appropriate, expected software packages and features are deployed. Avoid automated or “quick install” options, so that you can fully review and select only the required installation options.
- Once software is installed, use a command line utility such as “netstat” to determine whether additional or unexpected services are running and/or network ports are listening.
- If unexpected services and/or ports are running and are required for the software to operate properly, but do not need to be reachable from the internet, always use both a host-based and a network firewall to block access from the internet and to restrict access to only the minimal specific networks or hosts required for the use case of the software in question.
Always review for least functionality post-installation and for previously installed software, including managed software package installations.
- Review exposed ports, protocols, and running services; disable and/or restrict any which are unnecessary, unauthorized, overly exposed, and/or insecure.
- Verify that no additional or unintended ports are open and exposed; use a command line utility such as “netstat” to identify unnecessary open ports.
- Use a host-based and network firewall to block access from the internet and restrict access to only the minimal specific networks required for the use case of the software in question.
Regularly review and update configurations.
- Conduct regular reviews on a recurring schedule (e.g. monthly or quarterly) to review and update endpoint configurations.
- Assess security controls to verify that configuration elements, such as host-based firewall rules, access controls, and software restrictions, are still effective and up to date.
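As an added example (not part of the U-M guidance), the following POSIX shell script performs the post-install and recurring listening-port review described above by comparing a host's listeners against a unit-approved port baseline. The baseline ports, the use of `ss -Hltun` in place of netstat, and the sample listener lines are assumptions/constructed for this illustration.

```shell
#!/bin/sh
# Post-install least-functionality check: compare listening TCP/UDP sockets
# against a unit-approved port baseline and report anything unexpected.

# Hypothetical baseline for this host (assumption): SSH and an HTTPS service.
APPROVED_PORTS="22 443"

# Constructed sample in `ss -Hltun` column order (Netid State Recv-Q Send-Q
# Local:Port Peer:Port); not captured from a real host.
SAMPLE_LISTENERS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*'

# find_unexpected APPROVED: reads listener lines on stdin and prints
# "proto port addr scope" for every port not on the approved list.
# Loopback-only listeners are still reported (they may be unnecessary),
# but tagged so the reviewer can prioritise network-exposed ones.
find_unexpected() {
  approved=" $1 "
  while read -r proto _state _rq _sq laddr _rest; do
    [ -z "$proto" ] && continue
    port="${laddr##*:}"      # text after the last colon (works for [::]:22 too)
    addr="${laddr%:*}"       # everything before the last colon
    case "$approved" in
      *" $port "*) continue ;;   # on the baseline, nothing to report
    esac
    case "$addr" in
      127.*|'[::1]') scope="loopback-only" ;;
      *)             scope="network-exposed" ;;
    esac
    printf '%s %s %s %s\n' "$proto" "$port" "$addr" "$scope"
  done
}

# review [LISTENER_TEXT]: check the supplied text, or the live host when no
# argument is given (requires iproute2's ss; netstat -tulpn uses other columns).
review() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else ss -Hltun; fi |
    find_unexpected "$APPROVED_PORTS"
}

review "$SAMPLE_LISTENERS"   # run with no argument to check this host
```

Any line the script prints is a candidate for disabling the service or restricting it with the host-based and network firewalls described above.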
Host-based Firewalls
Related standard: Network Security (DS-14)
Host-based firewalls must be enabled if available, continuously active, and configured in accordance with industry best practices.
For more information, see Firewalls at U-M.
Security Logging
Related standard: Security Log Collection, Analysis, and Retention (DS-19)
Logging events on IT systems is a critical step in securing U-M data, preventing and responding to IT incidents, and performing system maintenance and troubleshooting. Information captured by logs can be critical in forensic analysis in the event of data breaches and legally mandated investigations.
For more information, see Logging Configuration for U-M Systems.
Vulnerability Management
Related standard: Vulnerability Management (DS-21)
To manage software and network vulnerabilities and protect university data and systems, Information Assurance (IA) works in partnership with units to identify vulnerabilities and ensure remediation in accordance with Vulnerability Management (DS-21) and other U-M policies.
For more information, see Vulnerability and Patch Management Guidelines.
Multi-factor Authentication
Related standard: Access, Authorization, and Authentication Management (DS-22)
University units and device custodians who administer U-M owned systems are required to implement multi-factor authentication for any system, server, or application that stores or transmits sensitive institutional data.
For more information, see Implementing Duo for Systems and Services.
Account Management & Least Privilege
Related standard: Access, Authorization, and Authentication Management (DS-22)
Individuals should be granted the minimum access sufficient to complete their day-to-day job responsibilities. Individuals who are granted privileged access should use the least privileged account for day-to-day activities; privileged accounts should only be used when the elevated privilege is required by the system or application.
For more information, see Access, Authorization, and Authentication.
Back-up of U-M Data
Related standard: Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12)
All U-M institutional data must be backed up. All U-M units and research programs at UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine are required to develop and document backup plans as part of their Disaster Recovery Management planning and their compliance with Disaster Recovery Planning and Data Backup for Information Systems and Services (DS-12). This will also help to minimize data loss after an IT incident (for example, Ransomware Mitigation).
For more information, see Back Up U-M Data.
Loss or Theft of Device
Related policy: Information Security Incident Reporting (SPG 601.25)
Loss or theft of computer equipment or other data storage devices and media used to store private or potentially sensitive information is an information security incident that requires immediate action:
- Report an IT security incident at [email protected]
- If the device was lost on campus:
- If your device is stolen, you can contact the police and file a police report.
- If this device is U-M owned, please fill out the Risk Management Proof of Loss document and submit it to Risk Management Services.
Disposal of Devices
Related standard: Electronic Data Disposal and Media Sanitization (DS-11)
Data must be permanently erased or purged from university-owned devices or storage media prior to transfer within U-M or other disposition, and all university-owned devices must be sanitized at their end-of-life or prior to disposal.
For more information, see Securely Dispose of U-M Data and Devices.
Using Personal Devices to Access U-M Data
Related standard: Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07)
Members of the U-M community may need to access or maintain sensitive university data from their personally owned devices (smartphones, tablets, laptops, and more). The university addresses this use in Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) and Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07).
Storing and processing institutional and research data on personal devices may introduce significant risk to the integrity, security, and availability of that data. Note that some units have adopted and enforce requirements for use of personally owned devices that are more specific or restrictive than defined in SPG 601.33 and its related guidelines.
If your department or unit permits you to work with sensitive institutional data from devices not owned by the university, you are expected to protect the data by securing and properly managing these devices according to Your Responsibilities for Protecting Sensitive Data When Using Your Own Devices.
For more information, see Sensitive U-M Data on Personal Devices.