CSS Compliance Notes: Windows
These instructions include screenshots from a client running Windows 7.
These instructions will not work for systems that are behind a NAT gateway. If you are not directly connected to the CSE research network (i.e. your device's IP address does not start with 164.107), please contact a CSE computing staff member so that we are aware of the situation and can assist you with compliance.
Verify hostname and IP address
First, determine your device's IP address with the ipconfig command from a Command Prompt as follows:
Z:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : cse.ohio-state.edu IPv4 Address. . . . . . . . . . . : 188.8.131.52 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 184.108.40.206
If the IPv4 address listed doesn't start with 164.107, the device is probably behind a NAT device; if this is the case, contact a CSE computing staff member for assistance with CCSS compliance. It is possible to have multiple network interfaces, as long as at least one of them is connected to the CSE research network, the device may be brought into compliance with the procedure outlined in this document.
Once you've determined your device's IP address, you can look up the appropriate hostname in the CSE DNS space with the nslookup command:
Z:\>nslookup 220.127.116.11 Server: cs2.cse.ohio-state.edu Address: 18.104.22.168:53 Name: pc-dl887r.cse.ohio-state.edu Address: 22.214.171.124
The hostname for the device with IP address 126.96.36.199 is pc-dl887r.
Install current Windows patches
Navigate to Start ⇒ All Programs ⇒ Windows Update and install any pending Windows updates before proceeding.
Join the device to the COEIT domain
If you are currently joined to a domain or running a Windows server that is acting as a domain controller, please contact a CSE staff member about CCSS compliance. These instructions are for client-based Windows systems. You may determine if you are part of a domain by following the first step, described below.
All windows devices that are connected to the CSE network must be joined to the COEIT domain. To have your device joined to the domain, please contact a CSE computing staff member for assistance.
Authentication Controls: Set your password
Group Policy is used on the COEIT domain to enforce appropriate authentication controls. All devices that are connected to the COEIT domain will use domain accounts for logging on. These accounts are they same as the accounts for the CSE production computers (i.e. lab machines).
Per the CCSS specification, automatic logins are not permitted. Appropriate settings should be enforced by Group Policy on the COEIT domain; users are not permitted to do any of the following:
- Create any local account.
- Set the password for any account not to expire.
- Configure the device to automatically login any account.
The user accounts on the device will be domain accounts (name.#). A COEIT domain account that has administrative rights to the local machine does exist, and is used by CSE staff for regular CCSS compliance audits. This account will not be used for any purpose not related to CCSS compliance.
Windows Firewall settings are enforced by Group Policy on the COEIT domain. Windows Firewall must be enabled at all times; several default exceptions should already be configured through Group Policy. Additional exceptions may be made as necessary.
Current Operating System & Software
Windows Update settings are also enforced by Group Policy on the COEIT domain. By default, devices on the COEIT domain will obtain updates via the Windows Server Update Services (WSUS) server, but users may check for updates from Microsoft's servers if they choose. For desktop devices that are continually in contact with the CSE network, a policy similar to that enforced on the CSE instructional desktops is used: users will be notified when new updates are available and given the opportunity to install them at their convenience; any updates that remain pending at 5:00AM each Friday morning will be automatically installed, and the device will be rebooted if necessary. Laptops on the COEIT domain are configured to only notify and prompt for installation of updates at this time.
The CSE Department uses Symantec virus scan, which is licensed by the Department. It is strongly recommended that any currently installed anti-malware products be removed before completing this step.
CCSS Compliance Certification
After all the steps in this document have been completed, send an e-mail to firstname.lastname@example.org to request a certification appointment. A staff member will arrange a time to meet with you and verify that your device meets CCSS compliance standards.