Research Server Management

CSE IT aims to make customized computing systems available to research groups while maintaining a safe, secure, and functional environment that is compliant with the University's IT policy and system administration best practices.  

For situations where it is beneficial for a research group to configure and manage its own computing systems, CSE has adopted a model to allow "Researcher Managed" machines to operate on designated networks where trusted users have administrative access to resources owned by their research group.

Researchers should thoroughly read this documentation and understand the specified guidelines and best practices for managing their own computing systems.

Researcher Managed systems are administered by a researcher and their team, allowing them to make changes to the operating system, install the latest versions of software packages, and manage user accounts. This level of control provides researchers with a platform that can be customized to their specific research goals while balancing more efficient access to configuration settings with an acceptable level of stability. Researcher Managed systems can more easily be used for the development and deployment of cutting-edge software implementations.

Management and administration of computing systems is not a task to be undertaken lightly. Very real and dangerous consequences can arise if misconfigured systems become compromised and failure to adhere to system administration best practices could have a detrimental effect on the performance and stability of other systems on the network. For these reasons, Researcher Managed systems are placed on protected networks that limit the opportunity for abuse of other computing resources, and the responsibilities of the research team and CSE IT staff are well-defined.

The researcher and their team agree to take responsibility for configuring and maintaining the system and ensuring that it remains in compliance with all CSE and UB IT policies. This includes, but is not limited to, the following tasks:

1. Operating system installation, configuration, and updates.
   
2. Software installation, configuration, and updates.
   
3. Hardware repair and replacement.
   
4. Data backup and recovery.
   
5. Security fixes, antivirus functionality, and mitigation of system compromises.
   

Researchers are solely accountable for addressing problems on the systems they manage. This includes, but is not limited to, the following:

1. Hardware failure or data loss occurs.
2. Intellectual property, digital rights, or software/media piracy laws are infringed upon.
3. Instability or misconfiguration on the system compromises other systems on the network.

Researchers agree to adhere to all IT policies and guidelines provided by the Department of Computer Science and Engineering and the University at Buffalo. Failure to adhere to these policies will result in the removal of the Researcher-Managed system from the network.

An overview of UBIT's policies can be accessed here:

https://www.buffalo.edu/ubit/policies.html

The CSE IT staff agree to provide the Researcher Managed system with a connection to a protected network in compliance with UB's IT policies. Outgoing network access is generally unrestricted. Incoming access is limited to on-campus network connections or connections made via the UBVPN.

The logistics of supporting customized operating systems and software configurations limit the amount of help that CSE IT staff can provide for Researcher Managed systems. CSE IT staff will support Researcher Managed systems on a "best effort" basis. Researchers are welcome to ask CSE IT staff questions about their systems, but staff may not be able to help with every problem.

The CSE IT staff retains the right to disconnect Researcher Managed systems from the network, with no notice to the managing researcher, if it is deemed that the system is causing network instability, acting suspiciously, or has been compromised.

The following configurations are required for all Researcher Managed systems. Failure to maintain these configurations will result in the removal of the Researcher Managed system from the network.

1. CSE IT Administrative Account.  Create an account named "cse-it", with full administrative permissions. The CSE IT staff will use this account in emergencies, to periodically audit the system, and to ensure continuance of the server's availability (occasionally, the cse-it account is the only way to access a system because all the principals who configured the system have either left UB or misplaced their account credentials).  Assign the cse-it account an arbitrary password, then communicate this password to the CSE IT staff so that they can change it.
2. Network Configuration. Research Group-Managed systems are provided network settings through the Dynamic Host Control Protocol (DHCP).  As part of connecting your system to the network, you will be asked to provide both a MAC address and a desired hostname (if applicable to your research group).  Do not manually configure network settings without first checking with the CSE IT staff.  DHCP will manage your server's static IP address that will work properly as long as your server's MAC address does not change.
3. Microsoft Defender Endpoint. CSE IT requires that Microsoft Defender Endpoint be installed on all workstations connected to the CSE network. CSE IT will handle the initial installation of this software using the CSE IT Administrative Account.

The following guidelines should be used as a starting point for meeting the IT policies of the Department and University.

1. Antivirus Software.  For MacOS and Windows installations, install antivirus software and update it regularly.
   
2. Host-based Firewall.  Enable the host-based application firewall to further protect your system from malicious network traffic.  For further details, consult the documentation for your operating system.
   
3. Operating System Automated Updates.  Enable automated updates to keep your system updated with the latest security releases. For further details, consult the documentation for your operating system.
   
4. Account Management.
   • Create strong passwords/passphrases for all user accounts.
     
   • Create distinct user and administrative accounts.  An administrative account should only be accessed when a software installation or configuration change is needed.  Normal work should be done with an unprivileged user account.
   • Windows users should disable the built-in "Administrator" and "Guest" accounts.
   • Linux and MacOS users should use sudo from a user account instead of the root user account.
   • Keep user accounts that you create consistent with UBIT user accounts, including the same userid id (UID) and group id (GID) values. This is essential when interfacing with remote CSE and UBIT systems and services.
5. Hostname Management. Keep the system's local hostname consistent with its corresponding Domain Name System (DNS) record. Use the nslookup command to verify the name allocated for your machine in DNS.  Select a hostname that is meaningful to you and the other members of your team.