Security policies for F@H clients

dvunkannon
Posts: 2
Joined: Sat Mar 07, 2009 3:01 pm

Security policies for F@H clients

Post by dvunkannon »

I'm trying to design a Vista security policy that would make my company feel more secure about running F@H on corporate resources. Has anyone done similar work that they can talk about? Right now, I'm just thinking about a very simple policy that enforces things like -
- check hashes
- only install/start/run in directory foo
- no file access allowed outside of directory foo
- no connection to another site except for F@H server

I'm hoping that handing my IT security people a security policy on a silver platter will reduce their (expected) antagonism.
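The four controls in the post above, as one script. This is an added example, not code from the thread or from the Folding@Home project. It assumes PowerShell is installed on the Vista host and otherwise uses only tools that ship with Vista (icacls.exe, schtasks.exe, netsh.exe and the .NET SHA-256 class; the later Get-FileHash cmdlet is not needed). The account name, the paths, the expected hash and the server addresses are placeholders that the administrator fills in from the project's own download page and server documentation.

```powershell
# Added example: enforce the four controls from the post above on a Vista host.
# Every path, account name, hash and server address is a placeholder (assumption).
param(
    [string]   $ServiceAccount = 'DOMAIN\svc-fah',            # assumed dedicated low-privilege account
    [string]   $ClientExe      = 'C:\FAH\Folding@home.exe',   # assumed client binary (path without spaces)
    [string[]] $ClientDirs     = @('C:\FAH'),                 # the client may use more than one directory; list all
    [string[]] $ProtectedDirs  = @('D:\ClientData'),          # assumed location(s) of sensitive client data
    [string]   $ExpectedSha256 = '<sha-256 from the FAH download page>',  # placeholder
    [string[]] $FahServers     = @('<server-ip-or-subnet>')   # placeholders; the project runs many servers
)
$ErrorActionPreference = 'Stop'

# 1. Check hashes. SHA-256 through .NET so it runs on early PowerShell versions;
#    compare case-insensitively against the value published for this client build.
function Get-Sha256Hex([string] $Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    $digest = $sha.ComputeHash($stream)
    $stream.Close()
    return ([System.BitConverter]::ToString($digest)).Replace('-', '').ToLowerInvariant()
}
$actual = Get-Sha256Hex $ClientExe
if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
    throw "Hash mismatch for $ClientExe - expected $ExpectedSha256, got $actual"
}

# 2./3. Confine file access. The client runs under a dedicated account that is
#    granted modify rights only inside its own directories and is explicitly
#    denied access to the directories holding client data. Explicit ACEs take
#    precedence over inherited ones, so the grant inside $ClientDirs survives a
#    deny placed higher in the tree. (OI)(CI) makes the ACE inherit to files
#    and subfolders; M = modify, F = full control.
foreach ($dir in $ClientDirs) {
    & icacls.exe $dir /grant "$($ServiceAccount):(OI)(CI)M"
}
foreach ($dir in $ProtectedDirs) {
    & icacls.exe $dir /deny "$($ServiceAccount):(OI)(CI)F"
}
# Start the client only as that account, at boot. schtasks prompts for the
# account password because of /RP *.
& schtasks.exe /Create /F /TN 'FAH client' /TR $ClientExe /SC ONSTART /RU $ServiceAccount /RP *

# 4. Restrict connections. Windows Firewall evaluates block rules before allow
#    rules, so "this program only to these hosts" cannot be built from an allow
#    rule plus a block rule for the same program. The profile's default outbound
#    action has to be block, with an explicit allow for the client. Caveat: that
#    default then applies to every other program on the laptop, each of which
#    needs its own allow rule, so try this on a pilot machine first.
& netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
& netsh.exe advfirewall firewall add rule 'name=FAH client egress' dir=out action=allow `
    "program=$ClientExe" protocol=TCP "remoteip=$($FahServers -join ',')"
```

Run it once per machine from an elevated prompt. The hash check only proves the binary on disk matches the published value at install time; it says nothing about what the program does, which is why the account, ACL and firewall steps carry the actual enforcement. The outbound-block default in step 4 is the part most likely to break other software, so it belongs in the pilot rather than a fleet-wide push.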
7im
Posts: 10189
Joined: Thu Nov 29, 2007 4:30 pm
Hardware configuration: Intel i7-4770K @ 4.5 GHz, 16 GB DDR3-2133 Corsair Vengence (black/red), EVGA GTX 760 @ 1200 MHz, on an Asus Maximus VI Hero MB (black/red), in a blacked out Antec P280 Tower, with a Xigmatek Night Hawk (black) HSF, Seasonic 760w Platinum (black case, sleeves, wires), 4 SilenX 120mm Case fans with silicon fan gaskets and silicon mounts (all black), a 512GB Samsung SSD (black), and a 2TB Black Western Digital HD (silver/black).
Location: Arizona

Re: Security policies for F@H clients

Post by 7im »

Compare hashes to what list? They are only listed on the fah download page, and change every so often when the clients are updated.
The Systray client uses 2 directories, don't forget both.
Same for file access.
There are 20+ fah servers, and some are located at Universities other than Stanford's IP range.

What about registry access restrictions?

Which clients and types are you going to support? More than just the SMP client? Each may have different needs...

IMO, this is overkill, and will cause more problems than solve. The project has over 6 years of history to back up its strong security measures. And the list of Universities and Corporations that contribute to fah is long. I'd recommend collecting and presenting that kind of data to IT. Geeks love facts and figures. Then ask for a pilot program, run fah on a few test systems. When that passes, full steam ahead.
How to provide enough information to get helpful support
Tell me and I forget. Teach me and I remember. Involve me and I learn.
dvunkannon

Re: Security policies for F@H clients

Post by dvunkannon »

SMP client? I was just hoping to get corporate blessing for the uniprocessor client running on people's laptops! But most of our laptops are exposed to sensitive client data, and spend time attached to client networks. So ultimately it is our lawyers who must be satisfied, not our IT dept. The closer I can come to a "guarantee" that F@H can't read/copy/xmit client data, the happier they will be. The experience of others will count for less than the active enforcement of a security policy. That said, any content that outlines the security measures in place is going to be helpful, so I appreciate any pointers in FAQs or Wiki pages.
7im

Re: Security policies for F@H clients

Post by 7im »

I understand. CYA... here is a little to chew on for a while... ;)

Rules and Policies (including Privacy policy)
Main FAQ: What about Security Issues?
End User License Agreement

And they don't just give these out to anyone, and it's not likely you'd get one if the project had security issues: Folding@Home recognized by Guinness World Records :mrgreen:

And a suggestion, for when you do finally get permission to run fah... get it in writing, so those lawyers aren't as likely to change their minds later on.
kelliegang
Posts: 90
Joined: Wed Mar 04, 2009 4:30 am
Hardware configuration: L1:Dual Core 1.6ghz, 1GB Ram
L2:
PC1&2:P2 3.2ghz, 1GB Ram, Gforce 6800 :(
PS3
Location: Australia

Re: Security policies for F@H clients

Post by kelliegang »

To be honest if you're talking about installing it on laptops used on the roam with critical client information I don't see you having any luck with any decent legal team trying to convince them to run any ancillary program :(

I wish you luck but perhaps you should aim at something less critical to operations... that would be like asking a bank to run folding@home on their computers... it's simply not going to happen. I'm surprised that they even let anyone check email ;)
7im

Re: Security policies for F@H clients

Post by 7im »

IIRC, we have had several banks contributing to the project over the years, though as I recall, one less lately. ;)
kelliegang

Re: Security policies for F@H clients

Post by kelliegang »

That is impressive.

My father used to work on server mainframes at one of our banks in Aus... the security procedures they had in place for any consoles which had even the slightest access to these were extreme... The only computers they were not overly zealous in protecting were the receptionist's computer and the marketing department networks in the main office.