Security Basics

Desktop Security Best Practices

IT Security

1. Keep operating system patches up to date
2. Install antivirus software and configure
3. Check periodically for updates to your software (Office XP, Browser, etc.)
4. Be very cautious with email attachments
5. Enable personal desktop firewall
6. Secure PC user accounts and processes
7. Exercise Extreme Caution Using Peer-to-Peer File Sharing
8. Utilize "good" passwords and change them at least every 90 days
9. Perform regular scheduled backups
10. Avoid Programs containing Spyware
11. Shut down your computer when not in use

1. Keep operating system patches up to date:

The Windows operating system is the most prevalent computer operating system on the campus and in the world. As the most prevalent, it is also one of the most targeted operating systems on personal desktops. To protect Windows computers, Microsoft releases "patches" to the operating system as vulnerabilities are discovered. Vulnerabilities are discovered frequently; therefore patches must be installed on a regular schedule. To assist in this, Windows has made the operation of patching a system as easy as possible. The following lists ways to protect your PC through improved security. Once at the site, select your operating system type and follow the instructions.

Unix (all variations): for Solaris systems, the patch sets are available here (requires support agreement). We recommend you install the "Recommended OS Patch set".

For Irix systems: the patches are available here (requires support agreement).

For AIX: download and install the patches from here.

For HP-UX systems: download and install the patches using SWA located here or log in here (requires support agreement). Click on patch management in the left-hand menu.

For Linux systems: install the newest stable packages for your distribution.

For SuSE Linux Enterprise Server: security patches.

Red Hat: security updates.

Debian: security alerts.

Other Operating Systems: Check the web page of the company that makes the operating system or call them directly.

2. Obtaining Antivirus Software and Installation:

The University-recommended antivirus solution for PCs is Symantec antivirus. The software can be purchased for departmental and faculty/staff use via the web site. Once installed, Symantec antivirus should be configured for daily signature file updates and scans as per the following sections.

Signature File Update Configuration
Antivirus software utilizes a "signature file" that contains virus definitions to identify and remove virus-infected files from your computer. To keep your computer virus free, this signature file must be updated frequently. The Office of Information Technology recommends that your antivirus software check for and, if available, update this file on a daily basis. The following instructions demonstrate how to configure Endpoint Protection for daily signature file updates.

Setup Scans of Local Drives Configuration

Your antivirus software should be configured to actively detect virus activity, but IT recommends that you scan your entire computer on a periodic basis for infected files. The following instructions demonstrate how to set up a daily scan schedule.

3. Software Updates:

Updated versions of software are released periodically as "bug fixes" or patches as flaws in the software are found. To ensure the most effective security for your PC, it is a good idea to review and install these patches as they become available for any software installed on your PC. ALWAYS BACK UP YOUR DATA before any new software or updates are applied, as it is possible the patches will not work with your combination of software and all its various releases. This way you can return to a previous known state in the event a patch disables other software. To obtain these patches you must return to the manufacturer of the software. For example: Windows maintains a web site for just the Office Suite of tools.
(Note: Use Microsoft Internet Explorer whenever you visit the Windows or Office update pages)

4. Email Attachments:

Most computer virus infections are transported via email as attachments. NEVER open an attachment without first verifying the sender actually intended to send the information as an attachment. The most common error that causes attachments to be opened is the belief that the "attachment came from someone I know". There are a couple of possibilities that could result in an attachment being sent from a person you know. First, if the person you know became infected, their computer could be sending out infected attachments without their knowledge. Second, it could be a forged "from" address. It is not uncommon for a virus on an infected computer to use entries in the infected PC's address book and place these into the "from" field so they appear to come from someone other than the infected PC.

5. Enable Personal Desktop Firewall

A firewall is a system that is designed to prevent unauthorized access of a computer from the network. Firewalls can be implemented in hardware, software, or both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks and personal computers that are connected to the Internet. The following links detail firewall solutions broken down by operating system type.
All Windows OS Security can be found at
http://www.microsoft.com/security/default.aspx.
For Mac security refer to
http://www.sans.org/score/checklists/Mac_OSX_Checklist1_1.pdf

6. Secure PC user accounts and processes:

One of the most common techniques for obtaining unauthorized access to desktop PCs is through existing user accounts and unnecessary services configured with the default parameters. In Windows 2000, XP, and other multi-tasking and multi-user operating systems, various accounts and services are created when the system is initially installed. The following article lists several good tips for securing accounts and suggests services which can be disabled (http://www.windowsecurity.com/articles/Windows_XP_Your_Definitive_Lockdown_Guide.html). While this site is written around Windows XP, these principles can be applied to any multi-user, multi-tasking operating system.

7. Exercise Extreme Caution Using Peer-to-Peer File Sharing:

Peer-to-Peer file sharing can open any desktop PC to numerous security vulnerabilities. Software such as KaZaA, Limewire, and iMesh normally installs with file sharing activated. This means that other computers running the same software, whether locally or anywhere on the Internet, can download from the shared folder on this PC. As with any process, if it is not necessary, disable it. Problems associated with peer-to-peer file sharing are:
1. Several computers providing downloads can adversely affect network bandwidth for the University as a whole. The result is a slower network for everyone.
2. The Motion Picture Association of America and the Recording Industry are aggressively locating copyright violations. There have been numerous published articles listing prosecutions of these violations.
3. Any time you download via a peer-to-peer application, you open the possibility of obtaining viruses embedded in the files transmitted to your PC.
4. Most of the music sharing programs install other spyware and adware without your knowledge that can adversely affect the performance of your computer and also open back doors to allow attackers access to your machine. Be very cautious when installing any music sharing program.

8. Utilize "good" passwords and change them at least every 90 days

User names and passwords are the method by which computer systems identify authorized personnel. The objective in creating a password is to make it as difficult as possible for someone to derive or "guess" it, thereby gaining access to a system. There are numerous methods a criminal might use to accomplish the task of obtaining a password. There are programs that apply dictionaries to the search, and then use common techniques such as looking for the user name and password set as the same word, or common character exchanges such as "0" (zero) for the letter "O". Given that the average PC can execute programs that try passwords at the rate of millions per second, a bad password can be "derived" in a relatively short period of time. Applying good password techniques relegates the criminal to running "brute force" attacks, which typically take longer to break. Longer is a key term: even good passwords can be derived given sufficient time and resources. This is the reasoning behind changing even good passwords on a periodic basis and not re-using old passwords frequently. The following is an excerpt from the SANS Institute web site on passwords:

General Password Construction Guidelines

Poor, weak passwords have the following characteristics:
1. The password contains less than eight characters
2. The password is a word found in a dictionary (English or foreign)
3. The password is a common usage word such as:

A. Names of family, pets, friends, co-workers, fantasy characters, etc.
B. Computer terms and names, commands, sites, companies, hardware, software.
C. The words "Ole Miss", "olemiss", "um" or any derivation.
D. Birthdays and other personal information such as addresses and phone numbers.
E. Word or number patterns like "aaabbb", "qwerty", "zyxwvuts", "123321", etc.
F. Any of the above spelled backwards.
G. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:
1. Contain both upper and lower case characters (e.g., a-z, A-Z)
2. Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
3. Are at least eight alphanumeric characters long.
4. Are not a word in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use either of these examples as passwords!
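
The weak and strong password characteristics listed above can be expressed as an automated check. The following Python sketch is an added example, not part of the original page or the SANS excerpt; the function names are hypothetical and the word list is a small constructed sample standing in for a full dictionary.

```python
import string

# Constructed sample word list; a real check would load a full dictionary
# plus site-specific terms such as the "Ole Miss" variants named above.
WORDLIST = {"secret", "password", "olemiss", "um", "qwerty", "rebel", "dragon"}
# Common character exchanges (e.g. zero for the letter O).
LEET = str.maketrans("01345@$!", "oleasasi")
PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321")


def base_forms(password):
    """Yield candidate base words: digits stripped, exchanges undone, reversed."""
    lowered = password.lower().replace(" ", "")
    stripped = lowered.strip(string.digits)  # secret1, 1secret -> secret
    for form in {lowered, stripped}:
        plain = form.translate(LEET)
        yield from (form, form[::-1], plain, plain[::-1])


def weaknesses(password, username=""):
    """Return the list of guideline violations found in `password`."""
    found = []
    if len(password) < 8:
        found.append("fewer than eight characters")
    if username and password.lower() == username.lower():
        found.append("same as user name")
    if any(form in WORDLIST for form in base_forms(password)):
        found.append("dictionary or common word")
    if any(p in password.lower() for p in PATTERNS):
        found.append("word or number pattern")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        found.append("missing upper or lower case")
    if not (any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        found.append("missing digit or punctuation")
    return found
```

An empty list means the password passed every check in this sketch; it does not mean the password is safe against a larger dictionary.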

9. Perform regular scheduled backups:

With the continuing increases in processing capabilities and available disk space, desktop PCs are maintaining more mission critical information important to end users, departments, and the University in general. Backup procedures have been around since the days of large mainframe computers. These same procedures are expected to be implemented in server/workstation environments. The area that is most commonly overlooked is the backup of desktop PCs. Most campus users conduct their campus business via documents created on their local desktop PC and transmit correspondence via email. Given this, PCs should be backed up with the same care and schedule as previously afforded to servers and mainframes. The thought that must always be considered is that ANY data entered since the last backup is subject to loss in the event of a drive failure. Another thing to consider is that you might be required to revert to a previous backup in the event of an electronic break-in. If a criminal illegally gets into your computer, confidence in all your documents must be questioned, whether financial or personnel information.
Microsoft TechNet had an article on Backup and Recovery that can assist you in developing your backup and recovery strategy.

10. Avoid Programs containing Spyware:

Many programs that seem to have legitimate uses or provide a useful service to the user also contain malicious software. This malicious software is often installed without the user's knowledge when installing the host program. These malicious programs do things such as causing pop-up ads, hijacking your browser's homepage, installing keyloggers, etc.

Examples of programs that contain spyware and other malicious software are:
1. WeatherBug
2. Gator / GAIM / GAIN
3. iMeshShopAtHome
4. BargainBuddy
5. eDonkey
Stay away from these programs if possible.
There is a utility available on the Helpdesk website called SpyBot Search and Destroy that will aid with cleaning infections of spyware. Run it on a regular basis.

11. Shut down your computer when not in use:

This practice is listed for the obvious reason that a computer that is turned off cannot be electronically compromised. If a computer is not required to run overnight or over the weekend, it should be shut down and powered off. Not only will this alleviate the danger of a criminal breaking into the system electronically, it will save power.