SAS Computing has developed a set of policies and common practices designed to maximize the security of desktop machines. The security of desktop computers is more of an issue than ever before, given the power and network-based services available on current desktop machines, the importance of protecting data stored on those systems and on the servers to which they connect, and the continual attempts to break in to such machines via the Internet.
This document seeks to explain the minimum security settings recommended by SAS Computing. As always, the aim is to keep systems as secure as possible without unduly inconveniencing the users of those systems. For more details regarding specific issues or situations, please consult with your local support provider. For information on the University Information Security Office's policies and best practices, please see that office's web site.
The Importance of Adequate Desktop Security
Desktop security is not just a matter of protecting your own machine and the data on it. When a machine is compromised, one of the most common outcomes is that it is used to launch attempts to break in to, or disrupt service on, other systems located at Penn or anywhere on the Internet. Given the automated tools currently available to find machines that can be compromised and then exploit them, this is a serious concern.
If a machine is found to have been compromised such that it has or could become the source of attacks on others, Penn's Information Security Office will require that the machine be taken off the network, in accord with the procedures outlined in the Policy on Computer Disconnection from PennNet. In addition, many desktop computers may be subject to the terms of Penn's Critical Host Security Policy and thus must be maintained with adequate security precautions in order to comply with this policy.
The lack of adequate security of machines within many educational institutions, the risks that this poses for other Internet-connected sites, and the potential liabilities for the schools themselves have been receiving some attention lately, such as an article on the CNN web site. Various groups are working to address these issues, including EDUCAUSE and SANS.
General Desktop Security Guidelines
The following general guidelines are relevant for all users, no matter what operating system is being used:
- Maintain up-to-date and properly configured anti-virus software. Windows machines which are on campus should generally use Symantec in Managed Mode. For others, see ISC's Virus Information. Be sure that real-time protection scans all files.
- Don't open any e-mail attachments unless you know the sender AND know that it was intentionally sent to you.
- Use complex passwords. Never write down your passwords or share them with anyone else. SASC staff will never request your password.
- If you share any files from your machine (not recommended in most cases), be certain that access is protected with a complex password.
- Keep backup copies of any important documents. Contact your LSP for information about data backup systems.
- Periodically check the web site of the OS vendor (e.g. Microsoft or Apple) for critical security updates that may need to be applied.
- Penn insurance regulations for Property Insurance and Claims require that computing equipment be properly secured if it is to be covered for property loss.
Policies and Recommendations for Specific Operating Systems
Windows XP, 7, & 8 Desktop Systems
These versions of Windows provide much more advanced security than previous versions, but only if the machines are configured with appropriate security settings, administered adequately, and kept up to date with operating system patches. SAS Computing recommends the following security settings for such machines:
- Local access must be controlled via individual, password protected accounts for each user of the machine, i.e. no shared accounts, no auto-logon enabled.
- Local password policies must meet or exceed those required for SASC Windows networking domain accounts (see below).
- A password-protected screen saver should be set to activate after 15 minutes of idle time (for minimal protection against unauthorized use after user login).
- File and printer sharing should only be enabled after consulting with your local support provider.
- For everyday use, a non-administrative account should be used, to minimize the possible destructive impact of viruses/worms/Trojan horses etc., which run in the user's context.
- End users should typically not have administrative access to the machine; when they do, it should be through a secondary account not used day to day.
- The local Administrator account will be renamed and set to have a very lengthy (15-20 characters), complex password.
- The Guest account will be disabled and have a lengthy, complex password set.
- User/account logon/logoff events will be logged to the Security log.
- Only NTFS partitions will be used, with appropriately secure access permissions set.
- Internet Information Server should not be installed.
- Other unneeded network services should be disabled.
Windows Networking Domain Accounts
A good password policy is a central component of any security plan. If short, simple, or otherwise weak passwords are used, it increases the risk that a brute force attack can be used to break into an account, either by cracking a password "sniffed" over the network or by repeated attempts to guess the password. Windows passwords are encrypted as they are sent over the network, but strong passwords must still be used to protect system security. SAS Computing will require the following password and account policies on any domain administered by SAS Computing staff.
- Minimum password length of 8 characters.
- Complex password required.
- Password expires once a year.
- Password history of three previous passwords is maintained and reuse of any password within the history is disallowed.
- Password can be changed no more frequently than once a day.
- After 5 bad logon attempts within 30 minutes, account will be locked out for 30 minutes (to slow down any network based attempts to gain access to accounts via brute force guessing).
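The account policy above combines several rules whose interaction is easy to get wrong: a sliding 30-minute window for counting bad logons, a 30-minute lockout that refuses even the correct password, a history of three previous passwords, and minimum and maximum password ages. The following simulation is an added example, not SAS Computing's own tooling or Windows code; the timeline, account names and passwords in it are constructed, and the SHA-256 digest stands in for whatever credential store a real domain controller uses. It shows how each rule behaves in turn so a local support provider can reason about what a user will see.

```python
"""Simulation of the SAS Computing domain account policy (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters taken from the text above.
MIN_LENGTH = 8
MIN_CLASSES = 3                             # "complex password": 3 of 4 character classes
MAX_AGE = timedelta(days=365)               # password expires once a year
MIN_AGE = timedelta(days=1)                 # changed no more often than once a day
HISTORY_DEPTH = 3                           # three previous passwords are remembered
LOCKOUT_THRESHOLD = 5                       # this many bad logons ...
LOCKOUT_WINDOW = timedelta(minutes=30)      # ... within this window ...
LOCKOUT_DURATION = timedelta(minutes=30)    # ... lock the account for this long


def _digest(password: str) -> str:
    # Stand-in for the domain's credential storage; only digests are kept here.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _class_count(password: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


@dataclass
class Account:
    password_hash: str
    password_set_at: datetime
    history: List[str] = field(default_factory=list)           # previous digests, oldest first
    failed_logons: List[datetime] = field(default_factory=list)  # failures inside the window
    locked_until: Optional[datetime] = None


def new_account(password: str, set_at: datetime) -> Account:
    return Account(password_hash=_digest(password), password_set_at=set_at)


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.password_set_at > MAX_AGE


def attempt_logon(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'bad_password' or 'locked'."""
    if is_locked(acct, now):
        return "locked"                      # the correct password is refused too
    if hmac.compare_digest(_digest(password), acct.password_hash):
        acct.failed_logons.clear()
        return "expired" if password_expired(acct, now) else "ok"
    # Keep only failures inside the sliding 30-minute window, then record this one.
    acct.failed_logons = [t for t in acct.failed_logons if now - t < LOCKOUT_WINDOW]
    acct.failed_logons.append(now)
    if len(acct.failed_logons) >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failed_logons.clear()
        return "locked"
    return "bad_password"


def change_password(acct: Account, new_password: str, now: datetime) -> Tuple[bool, str]:
    """Apply the minimum-age, length, complexity and history rules; return (accepted, reason)."""
    if now - acct.password_set_at < MIN_AGE:
        return False, "password may be changed no more than once a day"
    if len(new_password) < MIN_LENGTH:
        return False, "minimum password length is 8 characters"
    if _class_count(new_password) < MIN_CLASSES:
        return False, "complex password required (3 of 4 character classes)"
    new_hash = _digest(new_password)
    if new_hash == acct.password_hash or new_hash in acct.history:
        return False, "reuse of the current or three previous passwords is not allowed"
    acct.history = (acct.history + [acct.password_hash])[-HISTORY_DEPTH:]
    acct.password_hash = new_hash
    acct.password_set_at = now
    return True, "password changed"


def demo_scenario() -> dict:
    """Walk one constructed account through every rule; returns the observed outcomes."""
    t0 = datetime(2024, 1, 8, 9, 0)                              # constructed timeline
    acct = new_account("Iig2cyPe6m", t0 - timedelta(days=10))
    r = {}
    r["guesses"] = [attempt_logon(acct, "guess%d" % i, t0 + timedelta(minutes=i)) for i in range(5)]
    r["during_lock"] = attempt_logon(acct, "Iig2cyPe6m", t0 + timedelta(minutes=5))
    r["after_lock"] = attempt_logon(acct, "Iig2cyPe6m", t0 + timedelta(minutes=35))
    r["reuse"] = change_password(acct, "Iig2cyPe6m", t0 + timedelta(minutes=35))[0]
    r["change"] = change_password(acct, "2yaCP,toamp", t0 + timedelta(minutes=35))[0]
    r["too_soon"] = change_password(acct, "0c,UsnUte4yoP", t0 + timedelta(hours=2))[0]
    r["old_reuse"] = change_password(acct, "Iig2cyPe6m", t0 + timedelta(days=2))[0]
    r["expired"] = attempt_logon(acct, "2yaCP,toamp", t0 + timedelta(days=400))
    # Sliding window: four failures, then a fifth 31 minutes later does not lock.
    acct2 = new_account("Iig2cyPe6m", t0)
    for i in range(4):
        attempt_logon(acct2, "wrong", t0 + timedelta(minutes=i))
    r["window"] = attempt_logon(acct2, "wrong", t0 + timedelta(minutes=31))
    return r


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(key, value)
```

Note that a lockout here starts from the fifth failure, so the user is refused until 30 minutes after that attempt, and the sliding window means four old failures alone never trigger it. The `expired` outcome is reported only on a successful logon, which matches the policy's intent that an expired password still identifies the user but must be changed.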
Administrative Access to Windows XP, 7, & 8 Machines
Standard security recommendations include a policy of not using a machine day to day while logged in as a user with administrative privileges. In addition to protecting against the consequences of the sort of simple mistakes that anyone can make, running as a user without advanced rights is a very good protection against the damage that viruses/worms/Trojan horses (AKA "malware") can otherwise bring about on a system. If such "malware" is encountered (via an e-mail attachment, file download, or web page) and executed, the effects will generally be minimized if it is executed within the context of a non-privileged account, because it may not be able to install itself or delete as many files as it could if it were executed within the context of an administrative account. For these reasons, SAS Computing recommends that an administrative account never be used for day to day activities.
The inconvenience of a lack of administrative access to the machine can be minimized, if needed, via use of an alternative, administratively enabled, account when such access is required, or via use of a "Power User" account. The best approach which adequately maintains the security of the system, without unduly inconveniencing the user, should be determined in consultation with the local support provider.
As noted above, a good password policy is the foundation for machine and network security. Here are some suggestions for selecting a complex password:
- Password should be at least 8-10 characters in length.
- Password should include at least one character from 3 of the following 4 classes: lowercase letters, uppercase letters, numbers, punctuation/special characters (e.g. $, %, &, etc.) within the first 8 characters of the password.
- Password should not contain any words found in the dictionary, any part of your full name or account name, or other personal data such as date of birth, license plate number etc.
- Don't use the same password for all systems, in particular don't use the same password with a connection method (e.g. non-secure web pages, telnet) that does not encrypt passwords as with one that does encrypt passwords (Windows networking, SSH).
To develop an adequately complex password that will not be hard to remember, one method is to think of an easy-to-remember phrase or song lyric, base the password on the first character of each word, then mix case and substitute a number or special character for some of the letters. For example:
It is good to change your password every 6 months = Iig2cyPe6m
To yield a complex password, think of a memorable phrase = 2yaCP,toamp
Of course, you should not use these examples for your own password = 0c,UsnUte4yoP
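The selection guidelines above (length, three of four character classes within the first eight characters, no dictionary words, no personal data) and the phrase-based method are both mechanical enough to check. The script below is an added example, not SAS Computing's code: `check_password` reports which guideline a candidate violates, `from_phrase` performs only the first step of the mnemonic method (initials, keeping digits and punctuation), and the three passwords from the text are used as inputs. The word list and the sample name are constructed stand-ins; a real check would load a full dictionary and the user's actual account details.

```python
"""Checker for the SAS Computing password-selection guidelines (added example)."""
import re
from typing import List, Optional

MIN_LENGTH = 8
CLASS_WINDOW = 8        # character classes are counted within the first 8 characters
MIN_CLASSES = 3

# Constructed stand-in for a dictionary; load a real word list in practice.
DICTIONARY = {"password", "penn", "welcome", "summer", "change", "secret", "letmein"}
MIN_WORD_LEN = 4        # ignore very short words such as "to" or "is"


def char_classes(password: str) -> int:
    """Distinct character classes (lower, upper, digit, other) in the first CLASS_WINDOW chars."""
    head = password[:CLASS_WINDOW]
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in head) for t in tests)


def contains_dictionary_word(password: str) -> List[str]:
    """Dictionary words appearing anywhere in the password, case-insensitively."""
    lowered = password.lower()
    return sorted(w for w in DICTIONARY if len(w) >= MIN_WORD_LEN and w in lowered)


def contains_personal_data(password: str, personal: List[str]) -> List[str]:
    """Parts of the user's name, account name or other personal tokens found in the password."""
    lowered = password.lower()
    hits = set()
    for item in personal:
        for part in re.split(r"[\s@._-]+", item.lower()):
            if len(part) >= 3 and part in lowered:
                hits.add(part)
    return sorted(hits)


def check_password(password: str, personal: Optional[List[str]] = None) -> List[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if char_classes(password) < MIN_CLASSES:
        problems.append("fewer than %d of 4 character classes in the first %d characters"
                        % (MIN_CLASSES, CLASS_WINDOW))
    words = contains_dictionary_word(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    hits = contains_personal_data(password, personal or [])
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


def from_phrase(phrase: str) -> str:
    """First step of the mnemonic method: the first character of each word, keeping digits
    and trailing punctuation. Mixing case and substituting digits or symbols for some of
    the letters, which is what makes the examples in the text pass, is left to the user."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    phrase = "It is good to change your password every 6 months"
    base = from_phrase(phrase)                      # initials only: "Iigtcype6m"
    print(base, check_password(base))               # fails: only 2 classes in the first 8
    print("Iig2cyPe6m", check_password("Iig2cyPe6m"))  # the finished example passes
    print(check_password("JohnSmith1!", ["John Smith", "jsmith"]))  # constructed user
```

Running the base step alone shows why the case-mixing and substitution steps matter: the bare initials of the first phrase contain only lowercase and uppercase letters in their first eight characters and fail the class rule, while the finished password from the text passes all four checks.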