University Information Technology Services

Guidelines

Overview

Please note that the official University guidelines reside on the ISO webpage.

 

The guidelines on this page are cumulative, so the ten guidelines in the second section should be applied on top of the ten guidelines in the first section. Please note that this section, like the entire webpage, has recently been entirely revamped -- if you have suggestions for additional resources to add, please drop us a comment with the SecOps Service Request form under the "Other" category.

 

The US CERT also has an excellent page on good practices for safe personal computing.



Basic Workstation/Laptop Security

  • Use strong passwords and keep them safe
    Be sure to use complex passwords, periodically change your passwords, and try to minimize the use of the same username and password combination in multiple places. This is especially important for administrator accounts. One common response to having a weak password is that the account holder has 'nothing to hide or nothing important' on the account, which unfortunately poses a huge risk to their colleagues or fellow students. Think of your password as a key to a secure office which also opens the main door to the office building -- even if there is nothing important in the office itself, losing the key allows an intruder to get into the office building and makes it that much easier to break into other offices in the same building.
  • Patch your operating systems AND your applications (such as Microsoft Office)
    Patch both your operating system and applications. Microsoft Office, Symantec Anti-Virus, Veritas Backup, and Oracle are just a few examples of popular applications which have put out critical patches. Systems administrators may wish to read the SANS @RISK newsletter which helps keep track of what new vulnerabilities are out there and need addressing. Automated patching (such as Windows Automatic Updates) can make the patching process easier for your operating system and some applications can prompt when new updates are ready to be installed as well.
  • Antivirus, firewall, and antispyware software are available from Sitelicense
    Be sure to have up-to-date antivirus running and monitor its activity, but be aware that antivirus is not foolproof. Also make sure you have a host-based firewall running. Most modern operating systems have a firewall built in that just needs to be activated, such as Windows Firewall (Windows XP SP2 and later) or iptables (Linux). Sitelicense has Sophos (antivirus), Kerio (host-based firewall), and Counterspy (antispyware) available at no cost to students, staff, and faculty. We have a separate section regarding host-based security applications.
  • Raise your security awareness
    Improve your awareness and stay safe from threats such as malware and email scams.
  • Filter your spam
    One way of reducing the risk of email threats such as phishing or email viruses is to make sure that the malicious emails don't get displayed in your mail client to begin with.
  • Consider physical security for your computer
    Remember that security threats can occur at your keyboard as well as remotely, especially if your computer is in a publicly accessible area. Even if your computer is in a locked office, more people than you would think have access to that office (co-workers, facilities crew, janitorial staff, etc). Use a password-protected screensaver, and make sure it starts after a reasonably short idle time. Also consider turning off auto-complete for information entered on web forms, and do not save passwords on your computer.
  • Back up your data regularly
    Remember to back up your data regularly onto removable media that is kept in a safe place, not next to your computer. Common backup mechanisms include burning CDs/DVDs, copying files onto a USB drive or external hard drive, or tape backups. The mechanism that is best for you depends on the type of data, how much data there is, and how often it changes. Your IT support group may be able to provide more assistance with your backup process.
  • Keep your original CD/DVD media
    Be sure to have your original installation CD/DVD media and license keys kept in a safe and accessible place.
  • Use least privileges whenever possible
    Help protect yourself and your department. Running your workstation as local administrator for day-to-day use can do a great deal of harm to your network from behind your department's firewall, because an infection on an administrator account bypasses network defenses. Compromising a workstation that is running as local administrator is easy: clicking on an email virus, getting infected by an IM worm, visiting the wrong webpage, etc. If somebody 'must' run as a full administrator regularly, 'Drop My Rights' from Microsoft can help limit the damage that can be done through particular applications such as web browsers or email clients.
  • Restrict and protect remote login access
    Remote logins (Remote Desktop, SSH, VNC, etc) should be restricted to a few trusted IP ranges plus the campus VPN range (150.135.112.0/22, i.e. 150.135.112.x through 150.135.115.x).



Additional Workstation/Laptop and Server Security

Please note that the ten guidelines below are cumulative with the ten guidelines above in the basic workstation/laptop security section.

  • Know what sort of data you have, especially 'sensitive data'
    Be aware of sensitive data (credit card numbers, SSNs, student/staff records, health/HIPAA records, etc) that may reside on your network, and which machines this data resides on. If there are industry regulations which pertain to this data (such as HIPAA), make sure that the baselines at least are being met. Encrypting sensitive information is a good idea, and especially so on mobile devices that are more likely to be physically stolen.
  • For newer Windows OSes, use NTFS and turn off simple file sharing
    In Windows XP, Simple File Sharing is turned on by default, which removes the granularity you can have when specifying who can access your file shares -- it is advisable to turn SFS off. Newer Windows versions support NTFS instead of FAT; NTFS provides improved security, more granular file access control, encryption, and better compression.
  • Use encrypted protocols instead of their cleartext equivalents, such as SSH instead of telnet
    Cleartext protocols allow somebody who is sniffing the network to easily steal passwords and session information. There are many popular, freely available SSH clients such as PuTTY, or WinSCP for secure file copy. Sitelicense also has local copies of SSH client software.
  • Have logs, and review them
    Make sure that you are logging security events (via Group Policy or Local Security Policy under Windows), and periodically examine your Event Logs to look for unauthorized logins or login attempts, among many other things such as system health.
  • Baseline your machine -- know what's normal so you can detect anomalies
    Know what services, processes, and network ports should normally be running on your systems, and periodically look for deviations (i.e., create a baseline and look for anomalies). Good resources for this include the Sysinternals toolkit (relatively recently acquired by Microsoft), specifically TCPView, Process Explorer, and Autoruns.
  • Turn off any services you don't intend/need to be running
    Reduce your attack surface by turning off services which you don't need to be running. A service that isn't running is usually a service that can't be exploited. Do this very carefully, however, as some services which may not have an immediately obvious purpose could have critical backend functionality.
  • Benchmark your systems
    Compare your machine's security against benchmarks. The Center for Internet Security (among other resources) has a number of variably applicable benchmarks to test against.
  • Consider multi-factor authentication
    If you have machines which hold particularly sensitive data, you may wish to consider multi-factor authentication (such as RSA SecurID tokens, just as an example) for access to those systems, or other additional protection mechanisms (a separate small hardware firewall, etc).
  • On production systems, use what you know
    The most secure operating systems and applications are the ones that the administrator understands and can secure best. Keep test applications and systems separate from production systems, and try to have different sets of credentials as well. Please be a 'good netizen' when setting up test systems, though -- remember that if compromised, your test system can be used as a jump-off point to attack others on your network or on campus.
  • Utilize more references
    A quick Google search can often turn up numerous other guides on securing your operating system better. When reading any of those guides (and this one!), carefully consider your own environment before applying the advice or guidelines.



Defense in Depth and Network Defenses

  • Have a network-based firewall or access-list
    Primary network managers should make sure that their subnets have some sort of network based access-control, whether it's with a firewall, RACL, etc, and that the rules on the firewall/RACL are up to date. A properly configured firewall can significantly reduce a network's exposure to outside attacks.
  • Secure your subnet on the campus perimeter firewall
    Network managers can also consider having their subnets protected on the perimeter firewall, to block much of the constant scanning coming into campus from the Internet at large.
  • Require your users to VPN
    Having your users VPN when working remotely not only encrypts their data as it traverses the network between their remote computer and the campus network, it also allows you to tighten down your firewall rules significantly. For example, instead of allowing SSH access from anywhere in the world, the firewall rules can allow just the campus VPN range while still allowing vacationing members of your department to connect. If requiring VPN'ing isn't an option in your environment, consider setting up a bastion host as a jump-off point before allowing connections to more sensitive systems.
  • See what other services SecOps can offer
    For more information on network-based defenses which SecOps can offer departments, see:
  • Have and enforce departmental security policies in addition to the University policies
    The University security policies apply to the entire campus, and need to be very broad due to the variety of functions in different departments across campus. Depending on the function of your department, it may be highly advisable to have your own departmental security policies which can be much tighter and tailored to your business workflow. For instance, a business unit may wish to have a departmental security policy that is much stricter than the University's overall security policies, which apply not just to business units, but also to academic units and individual students.
  • If all else fails, have a Disaster Recovery Plan
    Think about a worst case scenario, and have a Disaster Recovery Plan. Just as an example, consider how you'd go about business if 'server X' went down for a day, or if all data on 'server Y' was irrevocably lost. Make sure that any plan and mechanisms (such as backups) which you have in place are tested on a regular basis, and especially after major changes.
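The two guidelines about restricting remote logins to trusted ranges plus the campus VPN range, and about reviewing logs for unauthorized logins, can be checked mechanically. The following is an added example (not code from the original guidelines page): it reviews constructed sshd log lines against the campus VPN range quoted above (150.135.112.0/22) plus a hypothetical departmental subnet (10.20.30.0/24 is an assumption standing in for your own trusted range), and renders the matching host-firewall rules that would enforce the same policy.

```python
"""Review SSH logins against the allowed source ranges and render the
matching host-firewall policy.

Added example, not part of the original guidelines page. The log lines
below are constructed, not captured from a real host, and 10.20.30.0/24
is an assumed departmental subnet; 150.135.112.0/22 is the campus VPN
range quoted in the guidelines.
"""
import ipaddress
import re

# Sources from which remote logins are permitted.
ALLOWED_RANGES = [
    ipaddress.ip_network("150.135.112.0/22"),  # campus VPN (from the guidelines)
    ipaddress.ip_network("10.20.30.0/24"),     # assumption: departmental subnet
]

# OpenSSH login lines, e.g.
#   "... sshd[1201]: Accepted publickey for alice from 150.135.113.7 port 51022 ssh2"
#   "... sshd[1322]: Failed password for invalid user admin from 203.0.113.9 port 33122 ssh2"
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
Jan  3 10:12:01 srv sshd[1201]: Accepted publickey for alice from 150.135.113.7 port 51022 ssh2
Jan  3 10:15:44 srv sshd[1210]: Accepted password for bob from 10.20.30.15 port 40011 ssh2
Jan  3 11:02:09 srv sshd[1322]: Failed password for invalid user admin from 203.0.113.9 port 33122 ssh2
Jan  3 11:02:11 srv sshd[1322]: Failed password for invalid user admin from 203.0.113.9 port 33122 ssh2
Jan  3 11:40:53 srv sshd[1400]: Accepted password for root from 198.51.100.77 port 42018 ssh2
"""


def in_allowed_range(ip: str) -> bool:
    """True if the address falls inside any permitted source range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def review_logins(log_text: str) -> dict:
    """Classify sshd login events by whether their source is permitted.

    Returns:
      accepted_inside:  count of successful logins from allowed ranges
      accepted_outside: (user, ip) pairs that logged in from elsewhere
                        (these are the ones to investigate immediately)
      failed_outside:   count of failed attempts from disallowed sources
    """
    report = {"accepted_inside": 0, "accepted_outside": [], "failed_outside": 0}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event
        allowed = in_allowed_range(m["ip"])
        if m["result"] == "Accepted":
            if allowed:
                report["accepted_inside"] += 1
            else:
                report["accepted_outside"].append((m["user"], m["ip"]))
        elif not allowed:
            report["failed_outside"] += 1
    return report


def iptables_rules(port: int = 22) -> list:
    """Render the host-firewall equivalent of the policy: accept the
    allowed ranges on the given port, drop everything else."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in ALLOWED_RANGES
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    result = review_logins(SAMPLE_LOG)
    for user, ip in result["accepted_outside"]:
        print(f"INVESTIGATE: {user} logged in from non-allowed source {ip}")
    print(f"{result['failed_outside']} failed attempts from outside allowed ranges")
    print("\n".join(iptables_rules(22)))
```

The sample deliberately includes a successful root login from a source outside both ranges; a firewall built from `iptables_rules()` would have dropped that connection before sshd ever saw it, which is the point of the VPN-only rule set described above.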



Detecting a Compromise

 

If you detect a suspected compromise, disconnect your system from the network (both wired and wireless!), but do not reboot/turn off your computer unless instructed to do so. Note that under no conditions should you launch a 'counterhack' against the apparently offending host. Not only is 'counterhacking' illegal and opens you up to legal liabilities, it also will probably just be targeting another victim machine, since most attackers will use multiple hops between their own system and the target.


Certain service anomalies warrant immediate attention, such as any remote administration software (Dameware, VNC, etc) which shouldn't be there, if an IRC client (mIRC, etc) is installed/running when it shouldn't be, or if new admin accounts are appearing. Please report the incident if you find signs of compromise.
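The "baseline your machine" guideline above and the service anomalies listed here are two halves of one check: record what normally listens, runs and holds administrator rights, then diff the current state against that record and flag hits on the remote-administration and IRC software named above. The following is an added example, not code from the original page. The snapshots are constructed inline in the line format of `ss -ltnp` (Linux); the program and account names are assumptions, and on a Windows host the same comparison would be fed from TCPView / Process Explorer / Autoruns exports instead.

```python
"""Compare a host's current listeners and administrator accounts against
a stored baseline and flag the anomalies the guidelines call out.

Added example, not from the original guidelines page. BASELINE_SS and
CURRENT_SS are constructed `ss -ltnp`-style output, not real captures;
the account lists are likewise made up.
"""
import re

# Software the guidelines say warrants immediate attention when it
# appears unexpectedly: remote-administration tools and IRC clients/servers.
# Matched as lowercase substrings of the program name (coarse on purpose).
WATCHLIST = ("vnc", "dameware", "mirc", "irc")

# Picks "<port>" and "<program>" out of a line such as
#   LISTEN 0 128 0.0.0.0:22  0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTENER_RE = re.compile(r':(?P<port>\d+)\s+\S+\s+users:\(\("(?P<prog>[^"]+)"')

# Constructed baseline: what this host normally exposes.
BASELINE_SS = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=990,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1020,fd=5))
"""
BASELINE_ADMINS = ["Administrator", "jsmith"]

# Constructed current snapshot: a VNC server and an IRC daemon have
# appeared, the database listener is gone, and a new admin account exists.
CURRENT_SS = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=990,fd=6))
LISTEN 0 128 0.0.0.0:5900   0.0.0.0:* users:(("x11vnc",pid=4410,fd=4))
LISTEN 0 128 0.0.0.0:6667   0.0.0.0:* users:(("ircd",pid=4422,fd=3))
"""
CURRENT_ADMINS = ["Administrator", "jsmith", "support$"]


def parse_listeners(ss_output: str) -> set:
    """Return the set of (port, program) pairs from ss -ltnp-style lines."""
    found = set()
    for line in ss_output.splitlines():
        m = LISTENER_RE.search(line)
        if m:
            found.add((int(m["port"]), m["prog"]))
    return found


def compare(baseline_ss: str, current_ss: str,
            baseline_admins, current_admins) -> dict:
    """Diff current state against the baseline and build the alert list."""
    base_l = parse_listeners(baseline_ss)
    cur_l = parse_listeners(current_ss)
    new_listeners = cur_l - base_l
    gone_listeners = base_l - cur_l          # worth knowing too: a service died
    new_admins = set(current_admins) - set(baseline_admins)

    alerts = []
    for port, prog in sorted(new_listeners):
        hit = next((w for w in WATCHLIST if w in prog.lower()), None)
        if hit:
            alerts.append(f"unexpected {hit} listener: {prog} on port {port}")
    for acct in sorted(new_admins):
        alerts.append(f"new administrator account: {acct}")

    return {
        "new_listeners": new_listeners,
        "gone_listeners": gone_listeners,
        "new_admins": new_admins,
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = compare(BASELINE_SS, CURRENT_SS, BASELINE_ADMINS, CURRENT_ADMINS)
    for port, prog in sorted(result["new_listeners"]):
        print(f"new listener: {prog} on {port}")
    for port, prog in sorted(result["gone_listeners"]):
        print(f"listener gone: {prog} on {port}")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Keep the baseline somewhere the host cannot rewrite it (an offline copy or a read-only share), since a compromised machine can just as easily edit its own "normal". Every new listener, not only watchlist hits, deserves a look; the watchlist just orders the queue.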


Lenny Zeltser has an excellent "Security Incident Survey Cheat Sheet for Server Administrators" which can serve as a checklist for items to look for in a generic potential incident situation:

 

SANS has a good pair of cheatsheets for detecting general signs of compromise:

 

There are a number of security applications which can help with detecting rootkits, such as:



Other .edu references
