Clerk computers - Reconfigure Sophos firewall (permitted applications?)

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
jcoleymail-p40
New Member
Posts: 4
Joined: Sun Jan 17, 2010 5:22 pm
Location: Prosper, TX, USA

Postby jcoleymail-p40 » Wed Jan 20, 2010 7:16 pm

I'm the STS and have successfully :D upgraded all our clerk computers with the new security software, including the Sophos Client Firewall. First thing, one of the clerks hit me up as they are having issues running the WardTools MLS Converter application to export data from MLS to an iPhone application.

Start Time  Application             Direction   Protocol  Remote Address  Remote Port  Reason
3:06:18 PM  ward tools updater.exe  IN REFUSED  TCP       192.168.1.104   49589        Deny TCP any/any
3:06:15 PM  mdnsresponder.exe       IN REFUSED  UDP       192.168.1.104   5353         Deny UDP any/any
3:06:05 PM  mdnsresponder.exe       IN REFUSED  UDP       192.168.1.100   5353         Deny UDP any/any
3:05:58 PM  mdnsresponder.exe       IN REFUSED  UDP       192.168.1.104   5353         Deny UDP any/any
3:05:48 PM  mdnsresponder.exe       IN REFUSED  UDP       192.168.1.100   5353         Deny UDP any/any
3:05:41 PM  mdnsresponder.exe       IN REFUSED  UDP       192.168.1.104   5353         Deny UDP any/any
3:05:39 PM  ward tools updater.exe  IN REFUSED  TCP       192.168.1.104   49585        Deny TCP any/any

So, I have a two-part question:

1. Is it permissible for me, as STS (or the local unit, for that matter) to modify the default configuration of the Sophos firewall to permit additional applications to be run on the ward clerk computer? I've seen references in other threads which seem to indicate the decision to add software is up to the local stake president. But I don't know if that extends to altering the security software.

2. Is there an official policy regarding the export of MLS data for use on a phone (Blackberry, iPhone, etc.)? I realize there is a PDA export option in MLS for Palm, but I am not familiar enough with it to know if it contains sensitive information like membership records, ordinance dates, etc. It looks like the Ward Tools program *does* export this information. There seem to be a variety of applications out there designed to pull information out of MLS, with varying degrees of security (or lack thereof); including passing MLS login credentials out to 3rd parties.

I've been doing audit & compliance work long enough to understand there are significant challenges of securing data on privately-owned mobile devices. Add the additional responsibility to "ensure that all computers, software, and confidential Church information are secure", and I just get a bad feeling about this.

From https://tech.lds.org/wiki/images/a/aa/Policy_and_Guidelines_for_Computers_Used_by_Clerks_for_Church_Record_Keeping.pdf

Security

Information about members, donations, and financial transactions is confidential and should be protected from unauthorized disclosure. Computers should be located in secure areas where bishopric or stake presidency members and ward or stake clerks can work with and print this confidential information in private.

...

Church information downloaded to personal digital assistants (PDAs) for authorized use by priesthood leaders should also be password protected.

russellhltn
Community Administrator
Posts: 20764
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Wed Jan 20, 2010 7:27 pm

jcoleymail wrote: 1. Is it permissible for me, as STS (or the local unit, for that matter) to modify the default configuration of the Sophos firewall to permit additional applications to be run on the ward clerk computer?


Good question. Lacking any information that it is permissible, I'd tend to suggest that it's not.

I guess the first question I have is why is the firewall interfering? What line of communication is being blocked? If we can understand exactly what is being blocked, we might be able to create a more informed opinion. From what I can tell from your logs, it's blocking communication on the local network.

jcoleymail wrote: 2. Is there an official policy regarding the export of MLS data for use on a phone (Blackberry, iPhone, etc.)?


Other than it needs to be password protected and not uploaded to 3rd party servers, no. However, I would involve the Bishop in who is getting the information and what the information contains.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.
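
The question raised in the reply above (what exactly is being blocked) can be answered from the log in the first post. This is an added example, not part of any post in this thread: it parses those seven lines and groups the refused flows by application, protocol and whether the peer is on a private address range. The regular expression, and the split of "IN REFUSED" into a direction and an action, are assumptions about the log view's column layout.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the first post in this thread.
LOG = """\
3:06:18 PM ward tools updater.exe IN REFUSED TCP 192.168.1.104 49589 Deny TCP any/any
3:06:15 PM mdnsresponder.exe IN REFUSED UDP 192.168.1.104 5353 Deny UDP any/any
3:06:05 PM mdnsresponder.exe IN REFUSED UDP 192.168.1.100 5353 Deny UDP any/any
3:05:58 PM mdnsresponder.exe IN REFUSED UDP 192.168.1.104 5353 Deny UDP any/any
3:05:48 PM mdnsresponder.exe IN REFUSED UDP 192.168.1.100 5353 Deny UDP any/any
3:05:41 PM mdnsresponder.exe IN REFUSED UDP 192.168.1.104 5353 Deny UDP any/any
3:05:39 PM ward tools updater.exe IN REFUSED TCP 192.168.1.104 49585 Deny TCP any/any
"""

# Assumed layout: time, application (may contain spaces), direction, action,
# protocol, remote address, remote port, reason (the matched rule).
LINE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<app>.+?) (?P<dir>IN|OUT) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) (?P<addr>\d+(?:\.\d+){3}) "
    r"(?P<port>\d+) (?P<reason>.+)$"
)

def parse(text):
    """Return one dict per line that matches LINE; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            # True for private-range (non-global) peers such as 192.168.0.0/16
            row["local"] = ipaddress.ip_address(row["addr"]).is_private
            rows.append(row)
    return rows

def summarize(rows):
    """Count refused flows per (app, direction, protocol, local) and mDNS hits."""
    counts = Counter((r["app"], r["dir"], r["proto"], r["local"]) for r in rows)
    mdns = sum(1 for r in rows if r["proto"] == "UDP" and r["port"] == 5353)
    return counts, mdns

if __name__ == "__main__":
    counts, mdns = summarize(parse(LOG))
    for (app, direction, proto, local), n in counts.most_common():
        scope = "private-range peer" if local else "public peer"
        print(f"{n} x {app}: {direction} {proto}, {scope}")
    print(f"{mdns} refused packets are UDP port 5353 (multicast DNS)")
```

Every refused flow in the sample is inbound from a 192.168.1.x peer, and five of the seven are multicast DNS on UDP 5353, all matched by the catch-all deny rules.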

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Wed Jan 20, 2010 8:40 pm

jcoleymail wrote: 1. Is it permissible for me, as STS (or the local unit, for that matter) to modify the default configuration of the Sophos firewall to permit additional applications to be run on the ward clerk computer?
The first thing I did after installing Sophos on the stake computer was to try to view the configuration settings. I was not able because the configuration for both the firewall and the anti-virus are remotely controlled by Church headquarters. The Sophos administrator profile password is required to access the configuration settings. From any other local computer profile the configuration settings are not available (greyed out).

jcoleymail wrote: I've seen references in other threads which seem to indicate the decision to add software is up to the local stake president. But I don't know if that extends to altering the security software.
The 18 August 2009 Policies and Guidelines for Computers Used by Clerks for Church Record Keeping states:
No other software should be purchased or installed on Church computers unless it is approved by the stake president, is appropriately licensed, and does not interfere with the operation of or compromise the security of the Church software and data already on the computer. (emphasis added)
If software is not to interfere with the operation of or compromise the security of the Church software (Sophos, for this definition, is Church software) then I would read into that a corollary that we, without proper authority from Church headquarters, should not do this also. Of course this is moot since the configuration settings are not accessible locally.

I would seek approval and assistance through the Global Service Center for any local needs requiring modification to the firewall settings.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

drepouille
Senior Member
Posts: 1229
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Workaround

Postby drepouille » Sat Jan 30, 2010 8:35 pm

If the Sophos firewall were preventing me from doing something I needed to do, I would disable the Sophos firewall service, do what I needed to do, then restart the service.

But yes, I agree that we should all follow the stated guidelines.

Dana

