Advanced Photon Source

An Office of Science National User Facility

IT Guidelines

Guiding Principles

ANL computing resources (i.e., hardware, software, data storage devices, network access, information services, telephone/modem access, etc.) are intended for business purposes. Their use should comply with legal protections of authorized access, proprietary and sensitive information, copyrights, and licensing agreements, and should not result in costs to the Laboratory that are not work related. Use of computer resources for purposes other than Laboratory business, particularly for personal gain, is governed by the Laboratory policies on performance and conduct, particularly the policy on conflicts of interest. Illegal activities and actions contrary to Laboratory policy will be subject to corrective action.

Incidental use of computing resources for personal activities, education, or communication during free-time periods, off-hours, or weekends may be permitted only if it does not interfere with the regular work of the Laboratory. Computer use must not result in non-work-related costs. Incidental use of computing resources that lowers work performance may be a cause for corrective action. As a matter of propriety, common sense should guide the use of visualizations open to public view, idle-time screen displays, and on-screen photographic images. These should be kept appropriate to the professional environment of the APS. To help meet these ends, Argonne requires the use of a URL filter. This filter monitors web browser requests and refuses connections to web pages based on categories. The targeted categories are deemed to have no direct relevance to any work performed in support of the Argonne mission. They are also deemed to provide or display material considered controversial in nature by significant sectors of the general public.

Management of computer hardware must be in accord with the Laboratory policy on property management. Individuals are responsible for the protection of such equipment against damage or theft and for the required record keeping regarding the transport and location of equipment assigned for their use.

All Argonne National Laboratory Computer Systems will display the following banner upon or before login:

Warning Message

This is a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Security

Security of computer equipment and software is the responsibility of every user. The Laboratory has appointed a Cyber Security Program Manager, and each of the divisions a Cyber Security Program Representative (CSPR). Employees having personal computers are responsible for their systems' compliance with the Laboratory Computer Security policies.

Standard E-mail, Web Browser, and PDF Reader/Writer

The APS has a variety of desktop personal computers and work stations, with a wide variety of operating systems, running an even wider variety of client software. Limited resources mean that it is not practical to test APS applications with every combination of operating system, client software, and version of client software.

To help ensure a more reliable working environment, the APS Information Solutions (IS) and Information Technology (IT) groups have selected the client software listed in the table below as APS standards. As a standard, the software is fully supported by both the IS and IT groups and has been tested and certified to operate with key APS applications (including the APS electronic data management system - ICMS). As new versions of the client software are released, they will be tested first by the IS and IT groups and, only after compatibility problems have been addressed, will they be placed into production at the APS. Thunderbird and Firefox (both are open-source and based on Mozilla software) were selected in large part because they operate on Intel based PCs, Apples, and Unix-based workstations.

CLIENT SOFTWARE       FUNCTION
Thunderbird           Email
Firefox               Web browser
Internet Explorer     Web browser
Adobe Acrobat         PDF Reader/Writer

Obviously, not every APS application can be tested with these standards but, by standardizing on these client software programs, the IS and IT groups can more efficiently resolve compatibility problems.

For new releases, the standard versions will be updated at the discretion of the IT and IS groups and will be updated APS-wide.

Users are free to use other browsers and email clients but support for clients other than those listed will be limited.

Guidelines

In making acceptable use of computing resources you must:

  • use computing resources only for authorized purposes.
  • protect your userid and system from unauthorized use. You are responsible for all activities on your userid or that originate from your system.
  • access only information that is your own, that is publicly available, or to which you have been given authorized access.
  • use only legal versions of copyrighted software in compliance with vendor license requirements.
  • be considerate in your use of shared resources. Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources.

In making acceptable use of computing resources you must NOT:

  • use another person's userid or password.
  • use another person's files or data without permission.
  • use computer programs to decode passwords or access control information.
  • attempt to circumvent or subvert system or network security measures.
  • engage in any activity that might be purposefully harmful to systems or to any information stored thereon, such as creating or propagating viruses, disrupting services, damaging files, or making unauthorized modifications to data.
  • use Argonne systems for commercial or partisan political purposes, such as using electronic mail to circulate advertising for products or for political candidates.
  • make or use illegal copies of copyrighted material, store such copies on Argonne systems, or transmit them over Argonne networks.
  • use mail or messaging services to harass or intimidate another person, for example, by broadcasting unsolicited messages, by repeatedly sending unwanted mail, or by using someone else's name or userid.
  • waste computing resources or network resources, for example, by intentionally placing a program in an endless loop, printing excessive amounts of paper, or by sending chain letters or unsolicited mass mailings.
  • use Argonne's systems or networks for personal gain; for example, by selling access to your userid or to Argonne systems or networks, or by performing work for profit with Argonne resources in a manner not authorized by the Laboratory.
  • engage in any other activity that does not comply with the Guiding Principles presented above.

Computer Address Assignments

All IP numbers are assigned by Information Technology. Do not self-assign any IP numbers!

Selecting an IP number yourself will result in network problems and cause your system to be disconnected from the network.

Root or Administrative Password Access

Root or Administrative passwords will not be supplied to computer users for personal computers or workstations connected to the APS network. Computers will be installed with certain areas of the disk drive protected from change by the computer user.

Account Creation and Termination

Individuals requiring an account on any APS computer system must complete the APS Computer Account Request Form. Account requests must be approved by the APS CSPR (and, for a beamline account, by the beamline CSPR) before the account is created. Individuals who have no further need for an existing account should make arrangements with IT to archive the data and inactivate or remove the account from the system.

When personnel terminate their employment with the Laboratory, all of their computer accounts will be disabled at 5:00 P.M. on the employee's last day of work with the Laboratory and access to the disabled account will not be permitted. The departing employee must not provide their computer password(s) to any other individual, including their supervisory staff. It is the responsibility of the departing employee to coordinate the disposition of the files in their computer accounts with their own supervisor, as well as the appropriate computer system manager. Employees transferring to other divisions at the Laboratory may make arrangements to keep the account active for a limited time with APS management approval. E-mail forwarding can be provided for a limited time.

Password Protection

Password "cracking" is a real threat to computing security. Reports of password-cracking attacks are increasing. APS runs a password-cracking program locally to detect weak passwords. You will be notified if your password is "cracked". You will be given a limited time to choose a new password before your account is disabled. It is extremely important that "good" passwords be chosen and protected by all users.

Sharing your account or your account password with anyone is not allowed.

Access to Accelerator Systems and Networks

Accelerator computer accounts require group leader approval prior to the account creation. Currently this is done via email from the IT group administrators. Only IT administrators have root access to accelerator servers and workstations. If you need any additional software installed on these systems please submit a Support Request. The APS does not allow personally owned computer systems on the accelerator network.

Supported Operating Systems

Windows:

  • Windows 7 and XP are supported at the APS.

Linux:

  • Red Hat Enterprise Linux is supported at the APS.

Macintosh:

  • All Macintosh computers running Mac OS X are supported at the APS.

Unix:

  • Solaris is supported at the APS but is being phased out.

Multimedia

Many computers are ordered with CD or DVD readers and sound cards. IT does not support audio/video unless it is required by your job. If the multimedia device causes other required devices to fail, then the multimedia device will be disabled.

Extraneous Applications

Any entertainment software such as computer games, themes for desktops, sound or MP3 applications, desktop patterns, or internet applications such as Instant Messenger will not be supported. If they cause your machine to malfunction they will be removed. Troubleshooting will not be provided for these applications.

Backup

All APS servers and Windows and Macintosh desktop systems are backed up every night. Home filesystems for Unix and Linux systems are located on their respective servers. Backup tapes of your home directories are retained for 90 days and are then reused. All accelerator machine data is retained for three years, as requested by the accelerator physicists. If you need to preserve backups longer than 90 days, contact IT.

Data backup occurs nightly for most machines. DO NOT turn off your machine at night! Simply log out. If you turn your machine off at night it will not be backed up. If you do not allow your machine to be backed up, you will have no way of recovering your data if it is lost through disk failure or accidental deletion.

All APS backup tapes are stored in a separate building on-site. Backup tapes are tested through user-requested restores; if no restores are requested in a given month, a test restore is performed.

Sensitive Applications

A sensitive computer application is an application that requires a degree of protection because of its sensitive data or because of the harm that could result from improper operation or deliberate manipulation of the application (e.g., payroll, personnel, proprietary code, DOE energy code, reactor control code, or applications whose failure could cause a loss in excess of $100K).

Do not place sensitive information on an APS computer system.

Resource and File Ownership

All non-proprietary files on any computer owned by Argonne National Laboratory are considered to be the property of the Laboratory. The files on a Laboratory computer are not considered private or privileged. This includes all e-mail files. For your own peace of mind, do not consider e-mail files secure or privileged.

The relevant system administrators have the right to examine all computer files and to monitor computer usage, to ensure compliance with these rules and to maintain a secure, efficient computing and communications environment.

Server administrators have the right and duty to take such actions as to ensure the proper running of the computing facility in their charge. This includes but is not necessarily limited to accessing accounts not their own, deleting files, taking back-ups and collecting materials not their own.

E-mail

Do not consider e-mail files secure or private. Both the nature of electronic mail and the public character of the Laboratory make electronic mail less private than users might anticipate. For example, electronic mail intended for one person sometimes might be widely distributed because of the ease with which recipients can forward it to others. A reply to an electronic mail message posted on an electronic bulletin board or listserver, intended only for the originator of the message, might be distributed to all subscribers to the listserver. Even after a user deletes an electronic mail record, it might persist on back-up or local facilities and become subject to disclosure under the provisions of the Law. All employees are to use electronic mail as they would any other type of official Argonne communications tool. This implies that when e-mail is sent, both the sender and the reader should ensure that the communication complies with normal communications guidelines. No communication via e-mail should be unethical, be perceived to be a conflict of interest, or contain confidential information. Do not use e-mail for political purposes.

Desktop Servers

No systems intended as servers are to be placed into operation. Local computer systems must not run services including (but not necessarily limited to) routing daemons, DNS servers, FTP servers, mail servers, Web servers, etc. Improperly configured servers are commonly penetrated by hackers and used to compromise other computers, and would interfere with normal computer and network operations at the APS. Cybersecurity scans will detect these services, and offending systems will be removed from the network. APS-IT provides secure servers for all APS Divisions and groups on central servers.

Proprietary Computer Programs

Proprietary programs are computer programs acquired commercially by the Laboratory subject to restrictions regarding disclosure, reproduction, and unauthorized use of the proprietary information contained in the program. These computer programs are usually acquired by the Laboratory under a license and, although the details of each license vary, the improper use of such programs may expose the Laboratory to liability for violation of patent, copyright, trade secret, or other proprietary rights. Vendor licensing regulations will be followed for all commercial software downloaded over the Internet. Trial versions of programs should be deleted after the trial period, or the software should be procured through approved procedures.

Unauthorized Duplication and Use of Software

Unauthorized duplication and use of computer software is contrary to Laboratory and DOE policy and violates the U.S. Copyright Law. Unless otherwise specified in a license agreement, the funds used to purchase a software product represent a license fee for the use of one copy of the software product. Should the software be reproduced or duplicated without authorization, then the U.S. Copyright Law has been violated, making the infringement a Federal offense. If you have a legitimate need for a commercial software product on a personal computer, it should be purchased through the Procurement Department. No other copyrighted software should be on your personal computer systems.

Reporting of Computer Security Incidents

Computer Security Incidents (including viruses) must be reported. A person who believes a computer security incident has occurred on an APS computer should immediately report the incident to their local Cyber Security Program Representative.

ANL Computer Security Incident Reporting Procedure

DOE Order 1360.2A describes significant computer security incidents and requires that they be documented and reported to DOE. The document that defines the ANL procedures to be followed in reporting all unclassified computer security incidents is available on the World Wide Web here.

Purchasing a Computer

In order to provide maximum support for all APS computers the APS has selected standardized systems. Staff members are required to purchase computer systems from a list of standard computer systems.

When your new computer arrives, contact the IT group via the "Help Desk" to have the software configured and to have it connected to the APS network. You are not allowed to connect to or modify the network on your own.

Use of Laboratory Computers on Foreign Travel

Argonne National Laboratory protects its computers from unauthorized access in order to preserve the confidentiality and integrity of information as well as to reduce vulnerabilities. Special risks are introduced when a Laboratory computer is taken to a sensitive country.

Any Laboratory computer taken on foreign travel to a sensitive country must be inspected by the cyber security office prior to leaving the United States.

See the Argonne Information Technology Manual.

Moving of Computers

The IT Group is not responsible for moving computer systems. Notify IT before the computer is moved to have it removed from the network and reconnected in the new location.