University of California, Riverside

Security



Workstations


Best Practices for Securing Workstations

  • Minimum Standards for Connecting to UCRs Network
  • The Anatomy of a Virus
    How it's contracted
    • Through e-mail attachments and P2P file-sharing networks
    • By opening an HTML e-mail
    • Physically transferred from an infected home machine by CD or disk
    • From infected commercial software, shareware, freeware, or data disks
    • From a user visiting malicious Web sites either intentionally or by misdirection
    How it spreads
    • Exploits software flaws
    • Uses bugs in common protocols such as SSL
    • Exploits weaknesses in TCP/IP
    • Understands human behavior
    • Actively scans systems connected to the Net, looking for and exploiting known vulnerabilities
    What a virus is

    A virus is a program that automates an attack on a PC or network. It typically has malicious intent, ranging from disrupting access to computing power and stealing data to using your computer to attack other computers.

    Virus components
    • Replication and concealment
    • Payload such as a trap door or code designed to cause damage to the infected system
    • Accessory code such as e-mail and encryption engines needed to run the payload, and extraneous code only intended to make the file larger and more difficult to analyze
    Immediate remedy

    For worms that keep shutting down the system too quickly for you to repair it, Microsoft recommends that you first try running shutdown -a from the command prompt. This is much faster than the five steps below and will also abort the shutdown process, but it might work only on XP systems. Here are the first five steps toward detection and removal of the specific malware:

    1. Disconnect from the Internet.
    2. Reboot.
    3. Click on Start | Run and enter cmd to open the command line interface.
    4. At the DOS prompt, type shutdown -i and enter the name of your computer.
    5. Modify the warning-message delay setting from the standard 20 seconds to a large number such as 9999.
  • Workstation Protection

    Today's desktop workstations must be configured and used in a secure manner, for two reasons. First, it is likely that some information housed on that computer is of a sensitive, confidential, or proprietary nature. Therefore, only authorized individuals should have access.

    Second, the integrity of the system (operating system, application programs, and data files) is critical. Liability may be incurred if information is not protected using generally accepted protection methods ("due diligence"), and that information is improperly disclosed. Applications must operate as expected, when expected, and the data they use must be complete and correct. Otherwise, a loss in productivity may occur, bad decisions made, or reports may contain false information. The following guidelines will maximize the workstation's security.

    1. The workstation should have a screen saver activated that is password protected. The interval for activation should be between 3-5 minutes. This will provide adequate insurance against the walk-by use of workstations that are "up" (operating). Anyone with system administrator authority (i.e., a high security clearance) is strongly urged to comply with the lower end of this interval range. Most general users are comfortable with a 5-minute screen saver interval.
    2. Do not allow file sharing ("shares") on machines without securing them to authorized users only. Make certain object, device, and file access controls are appropriate.
    3. Install virus protection software on the workstation, keeping the virus definitions and software updated on a regular basis. Updates for new viruses are generally made available every week. (Virus software can be configured to be automatically updated.) Configure the virus software properly, so that it actively scans all incoming objects for virus infections.
    4. Do not allow anonymous access of any kind (e.g., FTP, dial-up) to the workstation. Public read-only data should be shared from a server location. FTP and dial-up access to a workstation must be protected with user authentication. If others are allowed to access the workstation, employ system and network logging mechanisms to track their use.
    5. Ensure adequate backups of files are performed regularly. Copy them to a secure server location or make floppy disk or zip drive backups storing them in a secure location. In general, it is not necessary to backup the operating system files more than once after installation/modification. Many work areas have a single CD image for all workstations that can be used to restore a damaged system. (If this type of image is available, a backup the system files is not needed.) However, be aware that a restore of this nature will erase personal data files and custom configuration files on the workstation. Pay particular attention to making backups of all data files and custom configuration files on a regular basis.
    6. Keep the operating system and application software up to date. Updates are available from vendors on a regular basis.
    7. Always power off workstations when not in use (e.g., overnight).
    8. Routinely change application passwords. The industry standard interval for password changes is 60-90 days. Depending on the environment and data security requirements, it may make sense to use a 30-day password interval. (System Administrators, in all cases, should use one-time passwords; or if static passwords are used, a 30-day maximum password interval.)
    9. If it is believed office keys have been lost, misplaced, or stolen, recommend to the immediate supervisor, department head, or advisor that doors be re-keyed by Facilities Services.
    10. Delete all un-sanctioned programs and directories from the workstation. These programs can be clever keystroke-capturing programs (a program that records everything typed into the machine's keyboard), network sniffer programs (a program that captures information transmitted on a network), or viruses (programs that damage files). Be familiar with what programs and files are on the workstation, so anomalies can be recognized.
    11. Never execute a program (".exe" file) if what it is/does is unknown or the source is untrusted. This is particularly the case for files that are sent via e-mail, or are downloaded from a web site that is not trusted.
    12. Secure workstations by physically locking offices that are publicly accessible when they are not occupied. Similarly, some workstations can be key-locked to protect the power-on switch and drives. These keys should be used for after-hours workstation protection.
    13. Employ a BIOS (hardware level) boot password on your machine. This can be set through the hardware setup utilities. Once defined, the machine will then require that password (which is not transmitted on any network) before the machine will boot. Newer Intel-based machines will support bios boot passwords. This control is especially important if the workstation sits in a common area.
    14. Turn off all network services that are not needed or intended for use.
    15. Investigate workstation/drives on a regular basis, to look for suspicious files. Use a naming convention for files and directories. Be sure to look for hidden files and directories.
    16. Consider employing a file encryption program if the information stored on the workstation is highly confidential. Similarly, consider a mail program that supports encryption (S/MIME or PGP) if sending highly confidential information in messages.
  • 10 Tips to Secure A Workstation
  • Protecting the Home Computer

    The following guidelines are designed to help you protect your home computer, personal information, and privacy. Today's high-speed and always connected (e.g., cable or DSL modem) home workstations are quite vulnerable to Internet attacks. In addition to the value of personal information stored on them, or accessible from them, home computers can provide links into other systems if they're not properly secured and managed. Consider the following:

    1. Keep software programs and operating system regularly updated. Vendors provide web sites where download software updates are available - install them. The older the software, the more likely security vulnerabilities have been found and exploited by hackers.
    2. Install and RUN an anti-virus software program. University faculty/staff and students are covered to install the site-licensed anti-virus software on their home machines.
    3. If file and print sharing is enabled, allow access only to authorized users. Review these options in the network settings in the control panel. If the computer is always-on, disable file and print sharing.
    4. Never give out a password, account number, or other sensitive personal information (name, address, phone), or Internet Address or machine name, out in an e-mail message, newsgroup posting, or in a chat session. This information can easily be intercepted, forwarded, or redirected without anyone's knowledge. Anybody can listen in a chat room or reading newsgroup postings.
    5. Never give away sensitive or private personal information on a web page without trusting the company hosting the site. Build trust by reviewing the company's privacy and security policies on their web site, and by insisting on a secure connection (look for the closed lock or a key in the lower corner of your browser window). Know what their policies are regarding reuse, sharing or selling personal information.
    6. Ensure adequate backups of data files. Copy them to a CD, a tape, a floppy, or to a zip drive backup, and store them in a secure location. Pay particular attention to making backups of personal data files and custom configuration files on a regular basis.
    7. Never execute a program (e.g., an ".exe" file) if what it is/does is unknown, or if the source is untrusted. This is particularly the case for file attachments that are sent via e-mail, or are downloaded from a web site that is untrusted.
    8. Turn off all network services (programs) that are not needed or intended for use. Be familiar with the services configured in the control panel.
    9. Investigate workstation configuration and disk drives on a regular basis looking for suspicious files, programs, or drastic changes in free space on disk. Organize files and directory structure so changes can easily be recognized.
    10. Consider employing a file encryption program if the information stored on the workstation is highly confidential (e.g., tax files, brokerage or mutual fund accounts/files, bank files, credit card accounts). Other options are to keep sensitive files in a nondescript or hidden location, or on a portable storage device (e.g, a floppy, CD, tape or zip disk).
    11. Consider clearing the web browser's cache storage file after visiting web sites where you entered sensitive information, such as a credit card number, or a bank or brokerage account and password, as this information is often stored in your browser too. (Do you select "remember this password?" for ease of use in your browser?) If your machine is broken into, account information in the cache files could be used for fraudulent activity or identity theft.
    12. Consider installing personal firewall software on the home workstation. A firewall is software that can be configured to allow access the Internet (out) while blocking Internet access to the workstation (in).
    13. Protect against power surges with a surge protector, and against power loss with a UPS (uninterruptible power supply).

    For more information, Microsoft has developed an Internet privacy and security web site with FAQ's and a security checklist for home computer users at http://www.microsoft.com/protect/ and a web site designed especially for parents and children at http://www.staysafeonline.org/content/protect-your-children.

  • Disabling Java, JavaScript, and ActiveX

    Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds, the malicious script is transferred to the browser.

    The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Turning off these options will keep you from being vulnerable to malicious scripts. However, it will limit the interaction you can have with some web sites.

    Many legitimate sites use scripts running within the browser to add useful features. Disabling scripting may degrade the functionality of these sites. Another option would be to setup the browser to prompt for permission to run scripts.

    Detailed instructions for disabling browser scripting languages are available in http://www.cert.org/tech_tips/securing_browser/

    More information on ActiveX security, including recommendations for users who administer their own computers, is available in http://www.cert.org/archive/pdf/activeX_report.pdf

    More information regarding the risks posed by malicious code in web links can be found in CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.

    Disable scripting features in email programs

    Because many email programs use the same code as web browsers to display HTML, vulnerabilities that affect ActiveX, Java, and JavaScript are often applicable to email as well as web pages. Therefore, in addition to disabling scripting features in web browsers, it is suggested users also disable or prompt to grant permission to use these features in email programs.

    (from http://www.cert.org/tech_tips/home_networks.html#IV-A-9)

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu

Footer