School of Medicine WinSecure Network
About the Network
As part of the current security initiatives here at Stanford University, we have taken a number of steps to ensure we can provide a safe and secure computing environment at the School of Medicine. The WinSecure network is one of these solutions.
The WinSecure Network is a protected network for Windows XP and other systems which manage specialized research instruments or software applications that cannot be upgraded to meet Stanford security requirements.
It has been one year since patches for Windows XP have been available. To compensate for the risk posed by this and other unsupported operating systems, we will move your Windows XP or other device to a special network that provides additional technical protections. To initiate this process, please submit an exception request.
Please Note: If you have already filled out an exception request, you still must make provisions to protect the device in question. We would like to be clear: just because an exception has been submitted or approved, it doesn't mean your system is being protected. An exception is merely the beginning of the process: if we judge that your system, as it is, cannot meet current Stanford security requirements, finding an alternate way to protect your system is the next step. Migrating your system to a safe and secure computing environment such as the WinSecure network can be that next step. If you need to schedule an appointment to have your device moved onto the network, please contact us through HelpSU or send an email to irtsecurity [at] lists.stanford.edu.
Clients must acknowledge and accept special network use rules for devices on this network.
Standards for the WinSecure Network
- Network subnets for WinSecure machines are limited to a range of 14 devices each (/28) to limit the risk to others, should a machine become compromised.
- Data transfers out are allowed, but no email or web services out; incoming traffic is severely limited as well.
- No traffic between these subnets is allowed.
WinSecure Network Firewall Rules
- All outbound SMTP (email) and Web access is blocked from the WinSecure subnets.
- Outbound file transfers are allowed to Stanford hosts (IRT Security needs to know which host will be accepting data transfers and make sure that firewall rules allow this access).
- Please discuss remote management or off-campus needs with IRT Security so we can ensure the proper configurations can be established.
- In general, off-campus outbound traffic is blocked.
- Inbound ping and traceroute are allowed from on-campus.
- Other specific requirements should be individually identified and discussed with IRT Security. We can be reached via HelpSU or via email to irtsecurity [at] lists.stanford.edu.
Other Rules for Devices on the Network
- Wireless connections are inherently insecure. Wired connections are required for devices on the WinSecure network.
- No USB input to the Windows XP devices without special approval. Transfers should be done over the network.
- Software License USB Keys are allowed to use the USB Ports.
- The BigFix client should be installed, although there are instances where BigFix may interrupt ongoing work processes. In that case, please run the Stanford Device Enrollment app, a one-time process to register your machine that will not incur any continued interruptions or reporting to or from your computer. You can reach the Stanford Device Enrollment page at https://itservices.stanford.edu/service/enrollment.
- Remote Access Requirements:
  - Direct Remote Access from within the Stanford network must be via hard-wired ethernet connection.
  - No direct Wireless Remote Access is allowed.
  - Off-campus Remote Access for management or vendor support can be accommodated through VPN and workgroups. Please discuss this with IRT.