Nicholas School Information Technology - Policies
Administrative Access Agreement
Backup Policy
Choosing a Password
Computing at the Nicholas School
Data Storage on the Nicholas Network
ESRI ArcGIS User Agreement
Faculty & Staff Computer Refresh Policy
Linux & Windows Security Procedures
Nicholas School Acceptable Use Policy
Nicholas School IT Security Policy
Nicholas School User Account Policy
Sensitive Data Policy
As an administrator of your computer on the Nicholas School network, you are responsible for paying for, and licensing, any software not provided by Nicholas School IT or Duke University, and providing proof of payment and license when required.
If your computer becomes compromised or non-functional, it will be removed from the network and may be rebuilt to the basic install by Nicholas IT. You will be responsible for restoring data that was stored locally on the computer and any additional software that you installed.
It is understood that certain applications are required on machines (security/patch management/anti-virus) and users with admin rights should not disable these applications. While the computer is on the Nicholas School network, Nicholas IT will utilize these various methods to maintain security patches and updates. Nicholas IT support staff will also maintain administrative access to machines in order to provide support.
Backups of files stored on Nicholas IT's NAS (network attached storage) are performed nightly by OIT. Restore requests should be made to email@example.com.
Depending on when they are requested, restores are generally performed the same business day but can take a few days. Restored data will usually be placed in a separate directory from the rest of your files. You will be notified when the restore is complete, including the location of the restored file(s).
Usually, data stored directly on computers and laptops, either on internal drives or externally attached devices, is not backed up by Nicholas IT. Therefore, we advise that you store important data on Nicholas IT’s NAS (file shares S (Dept), R (Research), U (Archive) or Z (Home)) or in Box or OneDrive.
If you need backups of data stored directly on a computer, laptop or externally attached device, contact Nicholas School IT.
*NOTE* If a file is both created and deleted during the same day, even if it was saved to your NAS file share (S, R, U or Z drive), we may be unable to restore it because it may not have been backed up yet.
You use your network password to log in to your Nicholas School account and to access your home directory on the network. When choosing a password, choose one that is at least 11 characters long. Do not choose a proper name or a single word that can be found in a dictionary - even a non-English dictionary - as your password. Instead of thinking of a password as a word, think passphrase: a longer string of words or a phrase.
For instance, if you have a pet named Snowball, this would be a poor password. It isn't long enough and is too easily guessed or 'cracked' by tools used by bad guys trying to compromise accounts. A better password, for example, would be based on the phrase "I have a cat, I named her Snowball": ih@c,inhSBl
Nicholas School IT can only fully support computers purchased through our office and configured by our staff. Users who choose to purchase computers on their own should be aware that their computer may not be able to be supported by either Nicholas School IT or the Nicholas network.
Computers for new employees are purchased from the funds of the hiring department. New faculty pay for their computers from start-up funds. It can take from 2-4 weeks to configure, order and set up a new computer, so bear this in mind when contacting Nicholas School IT.
Primary vendors for desktop and laptop computers are Dell, Apple and Lenovo.
The standard software install for administrative staff and faculty includes Microsoft Office. Other software may require installation files and licenses provided by the requester. Administrative access to the computer on the Nicholas network can be granted to users who agree to certain terms and conditions.
Your Duke NetID credentials will be used as your logon to the Nicholas network. All new staff and faculty are assigned NetIDs by Duke OIT. The NetID should not be confused with the UniqueID - a seven-digit identifier used for administrative recordkeeping at the University. With a NetID, and upon the request of the hiring department, Nicholas School IT will provide access to shared network directories.
All users at Duke are provided approximately 5G of personal network storage by OIT. This space is backed up regularly and users are encouraged to save their personal files to this location. We strongly discourage users from saving music and local email files to the network. Music files are best saved to a local computer hard drive and email should be left on the email server. Faculty can arrange for additional network storage for research by contacting Nicholas School IT.
Nicholas School IT budgets funds to replace desktop computers for administrative staff paid from school funds, and in recognition of the administrative tasks performed by many faculty. Currently, these replacements are made approximately every four years. Computers purchased with these funds revert to Nicholas IT when replaced.
Nicholas IT does not support storage of non-work or -class-related personal data, .mp3 or other audio files, audiobooks, movie or video files, or image files on Nicholas School servers.
We do periodically audit disk space usage. If we notice that a user has a lot of non-work or non-class-related .mp3, image, or movie files stored in their home directory, they will be asked to remove this data.
If you have email stored on Nicholas School servers - for example, your local folders are mapped to your Z drive - this email should be moved back to the email servers. Contact us for help in doing this.
The site license for ESRI ArcGIS software is administered by the Nicholas School. Software is available from OIT for installation on University-owned computers.
A basic description of the agreement between the University and ESRI is available here.
The Nicholas IT Computer Purchase Program is designed to provide a streamlined process for purchasing computers for Nicholas faculty and staff. The primary goals of the program are:
- to provide a regular, predictable replacement cycle for faculty and staff computers,
- to allow users to have reasonably up-to-date equipment,
- to ease the support burden on IT staff associated with troubleshooting and maintaining outdated or out-of-warranty equipment and non-standard hardware,
- and to budget accurately for computer purchases.
Nicholas IT will provide a new primary administrative computer approximately every four years for each qualifying faculty and staff member. Qualifying faculty and staff are those members whose salaries are funded by the School's administrative budget, not research grants. Desktop computers are typically assigned to staff, although a supervisor may submit a request to justify a laptop instead. Faculty may choose a desktop or a laptop.
Computers are selected from the Blue Level of the Duke Computer Purchasing Program negotiated with Dell, Lenovo and Apple. Other models in the program may be ordered. Nicholas IT contributes the cost of an equivalent Blue Level model plus the applicable standard warranty. The user must pay the cost difference using other Duke funds. This additional funding is considered to be part of the fully depreciated cost of the device and will not be reimbursed when the device is next refreshed. Computers are the property of Nicholas IT, and must be turned in when a new computer is provided. These computers cannot be retained for use as a second faculty/staff machine, nor purchased for personal use. Nicholas IT will determine if they will be re-purposed for other uses, such as for graduate students without other resources.
When purchasing computers from startup or grant funds, Nicholas IT will help you make selections that will satisfy your requirements and also assure quality support. In most cases the negotiated models and prices on the Duke Computer Purchase Program are sufficient. However, Nicholas IT can assist with customizations, when needed.
Nicholas IT will appropriately configure computers to perform the administrative tasks associated with the staff/faculty position at the Nicholas School. For example, Microsoft Office Professional is installed. Additional software licenses must be covered by the user.
The OIT Security office scans for known vulnerabilities on a regular basis. Nicholas School IT also runs their own scans monthly, producing a monthly report. Critical and High vulnerabilities must be remediated within certain timeframes in order for systems to remain on Duke’s network.
Nicholas IT sysadmins review monthly reports for all Nicholas School subnets. Any machines that are lacking serious security patches will be patched manually or using automated tools. Any systems which appear to be compromised or are a security risk will be immediately removed from the network and rebuilt.
Durham and Marine Lab
The OIT Security office scans for known vulnerabilities on a regular basis. Currently, vulnerability scanning of the Nicholas School Marine Lab subnets also occurs monthly.
Users are educated to use at least 11-character passphrases, non-dictionary words, and to include uppercase letters, numbers, and non-letter, non-numeric characters in their passphrases.
Operating systems are kept current by using Yum, BigFix, Microsoft or Apple Software Updates. Security patches are applied as soon as possible after release.
CrowdStrike antivirus/antimalware is installed on all Duke-owned systems and is configured to report malicious programs and viruses. Virus definitions are updated daily.
Linux servers and workstations use a host-based firewall. Windows servers use a host-based firewall. In addition, a 'VRF'-type firewall also surrounds the Nicholas School subnets in Durham and at the Marine Lab.
IPSEC rules are used via group policy.
Epylog is used to digest system logs and create a daily report of attempted root logins (failed or successful), dictionary attacks, SSH scans and/or any other potentially malicious activity on Linux/Unix-based workstations and servers.
Durham and Marine Lab
To avoid exposing information to an unexpected visitor, we educate users to either lock or log off their workstation when they leave the office.
Access to and use of computing and networking resources at Duke are privileges extended to members of the Duke community. Access to Duke's computing and networking resources is limited to authorized users for approved purposes only. Such resources include computer hardware and software, computer-based files and data, and all networks – including the Internet. Approved purposes are those consistent with both the broad instructional, health care and research goals of Duke and with the user's relationship with the institution.
At certain times, Duke may find it necessary to access and disclose information from computer and network users' accounts (to the extent required by law) in order to uphold contractual obligations or other applicable institutional policies or to diagnose and correct technical problems. For this reason, the ultimate privacy of messages and files cannot be ensured. In addition, system failures may lead to a loss of data – so users should not assume that their messages and files are secure.
Neither Duke nor its agents restrict the content of material transported across its networks. While Duke does not position itself as a censor, it reserves the right to limit access to its networks or to remove material stored or posted on computers when applicable Duke policies, contractual obligations, or state or federal laws are violated.
Duke computers and communication systems must not be used for solicitations, chain letters, sexual or ethnic jokes or slurs, email stalking, threats, or harassment.
Use of Duke computers or communication systems for any of the above actions may result in corrective actions up to and including termination. An extensive policy that authorizes access and security provisions is available from the Office of Information Technology (OIT): https://security.duke.edu/policies/acceptable-use
The Nicholas School Information Technology Security Policy is couched within the framework of Duke University's OIT Security Policy Statements.
Keeping shared Nicholas computing resources patched, secure and functioning at their best is one of the Nicholas IT department's primary goals. Details are outlined in Standard Procedures for Windows and Linux Security on this page.
Minimum requirements for computers on the Nicholas network (including personally-owned computers) are:
- Secure passwords on all accounts. This includes a passphrase with a minimum length of eleven characters and a combination of characters with upper and lower case letters, at least one special character, and at least one number. An account will be locked after 10 invalid login attempts and the account will be automatically unlocked after 15 minutes.
- Maintenance of an up-to-date operating system, including all security patches, and functioning tools for regularly applying updates (e.g., Yum, BigFix, SCCM, or regular Microsoft or Apple Software Updates).
- Installation of virus scanning software (e.g., CrowdStrike for Duke-owned systems or Avast for personal systems) on computers running Microsoft Windows or Apple OS.
- Administrative accounts, separate from the user’s NetID, are placed on some Duke-owned Windows systems. These accounts should only be used for administrative purposes, such as installing printer drivers. Use of these administrative accounts should be limited. They are monitored and will be removed if abuse occurs.
If security on any system is compromised, the computer will be removed from the network immediately.
The Nicholas School IT department provides accounts to authorized users of the computer systems in the school. Although these accounts are different from those assigned by Duke University's Office of Information Technology (OIT), the Nicholas account userid will be the same as the user's OIT NetID.
Each account is provided to one user only, i.e. the owner of the account should not share the password. The owner is fully responsible for any actions taken using their account and the content of all the files belonging to their account. Each user must take all reasonable precautions, including proper password maintenance and file protection measures, to prevent use of accounts by unauthorized persons.
Accounts may be revoked or restricted at any time if evidence is found of irresponsible behavior such as "cracking" (trying to break into accounts on this or remote systems) or lending accounts to others.
Home directories are established when accounts are created and are the property of the corresponding user. As a general rule, home directories are considered private. Group-related information or work done for hire should therefore never be stored in a user's home directory.
Group directories will be used for storing files related to that group. Files and directories stored in a research or administrative group project space are the property of the group head. In most cases this is the faculty member or supervisor in charge of that group. This means that if a user is to leave the group, the files contained within the project space are the property of the group head.
Privacy is used here to the extent that privacy is described in the Nicholas School IT Acceptable Use Policy.
In accordance with the Duke University Security Office, Nicholas School does not provide facilities to allow storage of sensitive information on Nicholas School servers, desktops, laptops, mobile devices or external storage devices. Additionally, sensitive information may not be stored on any personally-owned electronic devices or storage devices.
Sensitive information includes the following:
- Social Security numbers (see https://security.duke.edu/policies/data-classification-standard)
- Credit Card numbers
- ePHI (HIPAA)
- FERPA protected (non-directory information)
- Prospective Student data
- Donor data
- Contract data
- Financial data
- HR data
- Physical Plant details
- Certain management information
SOME (not all) sensitive data can be stored in Box. For more information about what sensitive information can be stored in Box, see: https://box.duke.edu/security-and-usage/
Duke’s IT Security office periodically scans our network storage for sensitive data using Duke Security Office recommended DLP (Data Loss Prevention) tools. This scanning does not include desktops, local or group server storage, laptops, mobile or external storage devices. Only centralized network storage that Nicholas School IT uses is scanned.
If sensitive data is found, the user is notified and given three options (social security numbers may not be stored at all unless explicitly approved by the Executive Vice President of Duke University):
- Modify the data or document to remove the sensitive information
- Remove/delete the data or document
- Advise Nicholas IT that the user has a business need to store the data, at which point we will assist the user in moving the sensitive data to secured (encrypted) storage managed by ITSO/OIT.
If you need to retain sensitive data or if you have questions about this policy, please contact Nicholas IT so that we can assist you.
More information about sensitive data can be obtained at http://security.duke.edu/policies-procedures.