ARCHIVED: At IU, how can I secure my on-campus computer?

Always-connected workstations with high-speed network access (e.g., Ethernet connections) are very attractive targets for attacks over the Internet. At risk is not only the owner's personal information and data, but the security of the entire system, as a break-in can provide an attacker with an access point from which to launch further attacks on the network. For these reasons, owners of computers connected to the IU network must take precautions to protect their computers from external threats. The Information Technology Security Office (ITSO) recommends following the guidelines below, designed to help you protect your computer system while on the IU campuses. Since DSL and cable modem connections are also persistent connections, you may want to review If I use a cable modem or DSL, how do I keep my computer secure?

On this page:

• Operating systems
• Antivirus protection
• Authentication
• Passphrases
• Using non-administrative accounts
• Locking your computer
• Software updates and alerts
• Restricting remote access
• File sharing applications
• Wireless access points
• Other security tips
• Related information

Operating systems

The first step to securing your computer is to use a secure operating system. Windows 95, 98, and Me are not secure operating systems when connected to the Internet. If you are using Windows 95, 98, or Me, UITS encourages you to switch to Windows XP. For more information about operating systems that UITS supports, see ComputerGuide: Recommendations and common questions.

If you use Windows 2000 or XP, format your hard drive to use NTFS as your file system. This provides a more secure and stable file structure then FAT or FAT32.

Once you have installed your operating system, you need to make sure that it is updated to protect against any security-related vulnerabilities found since the operating system was first distributed. You will also need to maintain it over time as new patches and service packs are deployed. For more information on proper maintenance, see the Software updates and alerts section below.

If you use Windows, you should make use of the security tools available free from Microsoft. You can download and install Microsoft Baseline Security Analyzer (MBSA) to determine missing hotfixes and the security level of your computer.

Antivirus protection

Note: The University Information Security Office (UISO) recommends that you run the latest version of Symantec/Norton AntiVirus software (available to IU students, faculty, and staff for free via IUware) for your operating system, being sure to upgrade safely (see In Windows, how do I safely upgrade to the latest Symantec Endpoint or AntiVirus software?), and that you update your virus definitions daily and scan your computer weekly. For instructions, see:

• Windows: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?
• Mac OS and OS X: In Norton AntiVirus for Mac OS or Mac OS X, how do I schedule automatic LiveUpdates and virus scans?

Also, visit the How to protect against viruses page maintained by ITSO.

Authentication

If you live on the IU campus, you should join your Windows computer to IU's ADS Domain and authenticate using your IU Network ID username and passphrase. Using the Get Connected software will automatically set up your computer correctly. For more information on joining the ADS Domain, see At Indiana University, what is my Active Directory Services (ADS) Domain account?

Passphrases

• Never share your Network ID passphrase with anyone. This includes friends, roommates, family, and IU technology support staff.
  
  
• Do not write down your passphrases.
  
  
• Change your Network ID passphrase frequently using the Passphrase Maintenance utility. Select a strong passphrase that you can remember easily. For more information on selecting good passphrases, see Passwords and passphrases.
  
  
• If your computer has been compromised (i.e., has been the target of any unauthorized access), make sure you change the administrative password. If your computer has had a system-level compromise (i.e., has been infected with a worm or has been otherwise exploited on the system level), you will have to rebuild your computer. For help changing the administrative password in Windows 2000 and XP, see ARCHIVED: In Windows 2000 and XP, how do I set or change the administrator password? For information about recovering from a system-level compromise, see In Windows, how do I safely rebuild my computer after a system-level compromise?

Using non-administrative accounts

Using your computer with full administrative rights can be dangerous, allowing viruses and other attacks to more easily compromise it. ITSO suggests following the principle of least privilege: You should perform day-to-day work as a non-privileged user and only use privileged accounts (administrative rights) for tasks that require additional capabilities. For more, see What is the principle of least privilege?

Locking your computer

When you leave your computer, even for a few minutes, lock it, using either the built-in locking capability of your operating system, or a password-protected screen saver. For instructions, see In Windows, how do I lock my workstation without logging off?

Software updates and alerts

There are a number of methods for keeping your software up to date. Most software vendors provide web sites where you can download the latest updates for your software. If you use Windows, you should set up your computer to use Windows Automatic Update. For more information about this feature, see For Windows, how can I get software updates and patches?

• Service packs are collections of bug fixes, security enhancements, and new features for Windows. Service packs add necessary security features, and keeping up to date with service packs is a good way to protect your computer from security risks. You can find a comprehensive listing of Microsoft product service packs at: http://support.microsoft.com/default.aspx?scid=fh;EN-US;sp
• If you use Microsoft Office, you can get Office updates at the Microsoft Office Product Update site at: http://office.microsoft.com/en-us/downloads/default.aspx
• By subscribing to vendor alert notification services you will be notified when new hotfixes or patches are available:
  
  
  • You can subscribe to Microsoft's alert service at the Product Security Notification page.
  • You can subscribe to Apple alerts at the "Apple Mailing Lists" page for the security-announce mailing list.
  • You can get alerts for most Linux distributions by registering for security alert mailing lists. Check the web page for the appropriate Linux distribution for details.

Restricting remote access

• File and print sharing: The Information Technology Security Office (ITSO) recommends that you disable file and print sharing. In rare exceptions when you may need to share a resource with others, you should format your drive using NTFS and correctly set the file and directory permissions.
  
  
• Open shares: With Windows 2000 and XP, new folders are created by default with access granted to the "everyone" group. If you do have file sharing enabled on your computer, be careful to set permissions correctly when creating new folders so that you don't inadvertently leave them open to everyone on the network.

File sharing applications

It is illegal to share any copyrighted media files if you do not have appropriate permission to distribute the files. Check the options you have set in file-sharing programs like Morpheus, KaZaA, iMesh, or eDonkey2000. For details on specific programs, see the University of Chicago's "Disabling Peer to Peer File Sharing" page at: http://security.uchicago.edu/guidelines/peer-to-peer/

Wireless access points

Due to a number of security issues with wireless access points (WAPs), it is against university policy for users to install these devices on the university network. For more information, see At IU, may I add a wireless access point to my campus housing residence, classroom, or office?

Other security tips

• Never give out personal information (e.g., your student identification number, passphrase, or PIN) in email or on an insecure web page.
  
  
• Back up your data to a flash drive, floppy disk, Zip disk, or CD-R and store it in a secure location.
  
  
• Never execute files received as email attachments or downloaded from an unknown source.
  
  
• Clear your browser's cache regularly, to flush any stored personal information. For instructions, see How do I clear my web browser's cache?
  
  
• Keep your chat room and instant messaging profiles blank and never provide personal contact information to others. Never click suspicious links; for more information, see If I use instant messaging software, how can I keep my computer secure?
  
  
• If you think your computer or your account has been compromised, contact your campus Support Center; see How do I contact my campus Support Center, and what are the hours and options for help?
  
  
• If you have a security-related question or incident, you can email ITSO at  itso@iu.edu .
  
  
• For the latest security information, visit the ITSO home page at: http://itso.iu.edu/

Related information

• For information on securing your home network, visit the CERT Coordination Center's "Home Network Security" page at: http://www.cert.org/tech_tips/home_networks.html
• For detailed instructions on more advanced security measures, see the ITSO's "Howto" page at: http://itso.iu.edu/Articles_and_Guides/

Also see:

• In file sharing software, how can I disable outbound file sharing?
• In Windows 2000 and XP, what is the Secondary Logon service?
• In Windows, how do I safely rebuild my computer after a system-level compromise?