7 Steps to Securing Your Computer

Step 1. Keep your system patched and up to date

New security bugs are discovered almost every day. In
order to keep your system secure it is critical that it
be kept up to date with recent patches and software
upgrades. Microsoft provides patches to fix these
security bugs, but expects you to download and install
these patches. By applying these patches regularly, you
have a much lower chance of getting a virus, trojan, or
worm, as most of these exploit commonly known security
holes in unpatched systems.

How to do it:
There are two ways that SU students, faculty and staff
can keep their Windows 2000 or XP computers patched.
You may manually configure Windows Update to download
the patches from Microsoft's website:
- Go to Start and select Control Panel.
- Double-click on System.
- Click on the Automatic Updates tab. Make sure that
  the "Keep my computer up to date" box is checked. If
  it is not checked, check it by clicking once on it.
- Click on the "Automatically download the updates and
  install them on the schedule that I specify"
  selection. Select the frequency with which you want
  the updates to be downloaded and installed. We
  suggest daily.
- Select the time at which you want the updates to be
  downloaded and installed. This should be a time when
  your computer is turned on and connected to the
  Internet.
- Click on the OK button.

Step 2. Use Antivirus Software

Most viruses will be caught by antivirus software as long as the
antivirus is kept up to date. It is absolutely
crucial that users run antivirus software on their
computers. With that in mind, SU offers all faculty &
staff with University-owned computers a copy of E-Trust
Antivirus. Students are highly encouraged to
purchase their own antivirus software or download a free
copy of antivirus software. This software is highly
recommended for all users and is required for computers
in Residential Housing.

How to do it:

IMPORTANT NOTICE: Before installing any antivirus,
remove any other antivirus software from your computer.
This is important because having multiple antivirus
products on the same computer can cause serious
problems.

For Students: We are currently suggesting
Grisoft AVG Antivirus software for students without an
antivirus program. Go to the Security Download Page to
download it.

For Faculty & Staff: If you
have installed the latest preconfigured version of E-Trust
on your machine, all the
settings should be correct and your E-Trust should
update hourly. To get the latest version of E-Trust,
please contact the TNS office.

We recommend that all users download the installation
documentation prior to installing any antivirus
software.

Step 3. Use Strong Passwords (see also Password Policy)

Password enumeration attacks are becoming more common on Windows
workstations.
Recent increases in computer hacking and viruses
worldwide have led to many systems being exploited.
Hackers often attempt to gain access to a computer by
guessing all possible combinations of passwords. Using a
modern PC, a hacker can normally break a simple password
remotely in less than 60 seconds. Once broken, your
password may allow someone to access your files.

Network Security Services suggests these requirements to
ensure a good password:
- The password should be at least 8 characters long
- The password should contain at least one non-alpha
  character (a number, period, space, comma etc)
- The password should contain at least one uppercase and
  one lowercase letter
- Not begin with a number
- Not be an alphabetic series, either forwards or
  backwards (e.g., ABCDEF or FEDCBA)
- Not be a numeric series, either forwards or backwards
  (e.g., 123456 or 654321)
- Not be a string of all identical letters or numbers
  (e.g., AAAAAA or 111111)
- Not be a common keyboard key sequence (e.g., ASDFG or
  QWERTY)
- Not be an easily guessed word such as your name,
  userid, or any variation thereof (backwards, changing
  case, etc.)
- Not be a word(s) referring to anything noticeable
  about you, such as the name of your spouse, child, pet,
  favorite football team, or literary character
- Not be a word that appears in a dictionary

Examples:

There are many ways to help you remember your
password. A common way is to make up a sentence
and use letters from it to build your password.
Dictionary words should be avoided as the most
common form of password cracking involves trying
common word combinations.
- Best: iL2eAwPb! from "I like to eat apples with
  peanut butter!" (no dictionary words, all
  cases and a special character)
- OK: 88Ffchamps from "1988 Final Four Champions"
  (good but uses a dictionary word)
- Bad: Password01 (no complexity, uses a
  dictionary word)
- Terrible: 1234 or abcd or a BLANK
  password
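
The mechanically checkable requirements listed above can be applied to the example passwords with the following Python check. It is an added example, not code from SU or Network Security Services; the function names, the small constructed `SAMPLE_WORDS` list, and the choice to flag any run of four or more series characters inside a password (a stricter reading of the "series" rules) are assumptions.

```python
import re

# Constructed sample list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "champs", "apple", "butter", "secret", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def _has_run(text, source, length=4):
    """True if text contains `length` consecutive characters of source,
    read either forwards or backwards."""
    for seq in (source, source[::-1]):
        for i in range(len(seq) - length + 1):
            if seq[i:i + length] in text:
                return True
    return False


def check_password(password, userid="", words=SAMPLE_WORDS):
    """Return the list of requirements that `password` violates."""
    low = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no non-alpha character")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs upper and lower case")
    if password[:1].isdigit():
        problems.append("begins with a number")
    if _has_run(low, ALPHABET):
        problems.append("alphabetic series")
    if _has_run(low, DIGITS):
        problems.append("numeric series")
    if re.search(r"(.)\1{3,}", password):
        problems.append("identical characters")
    if any(_has_run(low, row) for row in KEYBOARD_ROWS):
        problems.append("keyboard sequence")
    # Userid forwards or backwards, ignoring case (the "any variation" rule).
    if userid and (userid.lower() in low or userid.lower()[::-1] in low):
        problems.append("contains userid")
    if any(word in low for word in words):
        problems.append("contains dictionary word")
    return problems
```

Run against the examples above, `iL2eAwPb!` produces no findings, while `88Ffchamps` is flagged both for beginning with a number and for containing a dictionary word.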

Step 4. Share Files Correctly

a. Peer to Peer

There are peer-to-peer (p2p) file-sharing applications
such as KaZaa, Gnutella, BearShare, LimeWire and Morpheus.
We do not ban them, but
we do encourage users NOT to use them on the SU network. However, we recognize that most p2p
activity consists of copying copyrighted music and video files for
personal enjoyment. If you participate in this kind of
file-sharing activity, there are three things you should
know:
- Music file-sharing consumes a disproportionate
  amount of network resources, which could lead to
  your connection being limited to a slower connection
  speed.
- Music and videos are copyrighted. You must not
  violate copyright laws. Unsure whether a shared file
  is copyrighted or not? Assume that it is!
- File-sharing may put your personal computer data at
  risk of getting spyware.

How to do it:
Once again, the IT Security Office suggests that you do
not run these types of programs. If you feel you must
do so, please at least disable the uploading features.
Click here for more information.

b. Windows File Sharing

Be very careful with Windows file sharing. The default
options for all versions of Windows are insecure and
will let hackers into your computer unless they are
disabled or fixed! Your best bet is to disable file
sharing completely.

In order to use file sharing to access files from other
Windows computers, while preventing access from hackers,
you must enable shares that require accounts and
passwords. This is not the default setting on any
Windows version and can take a considerable amount of
work to set up. You also need to synchronize the account
names and passwords on both the 'server' Windows
computer and the 'client' Windows computer, which
requires a lot of work and is very time-consuming. Most
computer users should keep file sharing turned off. You
do not need to have Windows File and Print Sharing
enabled if you access a Novell file server.

Assuming that you do not need to share the files on your
computer with other computer users, you should
completely disable the sharing feature. You will still
be able to connect to servers, but no one (including
hackers) will be able to connect to your computer.

How to do it:

To disable 'File and Printer Sharing' in Windows 98/ME:
1. Right-click on the Network Neighborhood icon on
   your desktop.
2. Select Properties from the pop-up menu.
3. Click the File and Print Sharing button.
4. If "I want to be able to give others access to my
   files" is checked, you have enabled file sharing.
   Uncheck it.
5. If "I want to be able to allow others to print to
   my printer" is checked, you have enabled print
   sharing. Uncheck it.
6. Click OK.
7. Insert your Windows CD if prompted.
8. Click OK.
9. Restart your computer.
10. File and print sharing is now off.

To disable 'File and Printer Sharing' in Windows XP:
1. Open Control Panel from the Start Menu.
2. Double-click Network Connections (under Network and
   Internet Connections in XP Category View).
3. Right-click on Local Area Connection and select
   Properties. In the middle of the properties window,
   you will see the list of networking components used
   by this connection.
4. If File and Printer Sharing for Microsoft Networks
   is listed, uncheck the item and click OK. This
   change goes into effect immediately.

To disable 'File and Printer Sharing' in Windows
2000/NT:
1. Right-click on My Network Places on your desktop and
   select Properties.
2. Right-click on Local Area Connection and select
   Properties. Under "Components checked are used by this
   connection", look for File and Printer Sharing for
   Microsoft Networks. If it is not listed, you are not
   sharing. If it is in the list, continue with the next
   step.
3. Click in the check box next to File and Printer
   Sharing for Microsoft Networks to unselect it.
4. Click OK.

Note: File and Printer Sharing will not be enabled
when you restart your computer. In order to
re-enable it, you must go back and click in the
check box next to File and Printer Sharing to select
it.

Step 5. Minimize Network Services

Windows in its various forms ranks atop the list of the
most exploited and vulnerable systems. Windows 2000 and
XP both include many excellent tools for hardening, but
these are often left unused because many administrators do not
know how to use them (or that they even exist!). By
turning off unnecessary services and hardening the rest,
you can close the largest and easiest way for an
intruder to access your system. The following steps will
assist you in doing just this:

How to do it:

To disable the Messenger service on Windows 2000 or XP,
follow these steps:

Open the list of services running on your
computer.
1. Open Control Panel from the Start menu (under
   Settings in Windows 2000).
2. Double-click on Administrative Tools (inside
   Performance and Maintenance in Windows XP).
3. Double-click on Services.

Scroll down the list of services on the right
until you find Messenger.
1. Double-click Messenger; a Messenger Properties
   window opens.
2. The General tab window should be selected.
3. Click the Stop button under Service Status if the
   service is currently running.

In the center of the window, there is a Startup
Type drop-down menu. By default, the menu is set to
Automatic. Instead, select Disabled so the service
will never start again.
1. Click the OK button in the Messenger Properties
   window.
2. Close the Services window.

In Windows 95/98, use the Add/Remove Programs
Control Panel to see if WinPopUp is installed; if
so, remove it.

Windows 2000 and XP users should also disable the
built-in Remote Registry Service. This service can
allow hackers to modify your registry remotely.

To disable the Remote Registry Service on Windows 2000
or XP, follow these steps:

Open the list of services running on your
computer.
1. Open Control Panel from the Start menu (under
   Settings in Windows 2000).
2. Double-click on Administrative Tools (inside
   Performance and Maintenance in Windows XP).
3. Double-click on Services.

Scroll down the list of services on the right
until you find Remote Registry Service.
1. Double-click Remote Registry Service; a Remote
   Registry Service Properties window opens.
2. The General tab window should be selected.
3. Click the Stop button under Service Status if the
   service is currently running.

In the center of the window, there is a Startup
Type drop-down menu. By default, the menu is set to
Automatic. Instead, select Disabled so the service
will never start again.
1. Click the OK button in the Remote Registry
   Service Properties window.
2. Close the Services window.

Step 6. Use some type of firewall

A firewall is a piece of software or hardware that
creates a protective barrier between your computer and
potentially harmful content on the Internet. It helps
guard your computer against hackers and many computer
viruses and worms. The SU IT Security Office suggests
you install a firewall before connecting to the network.

How to do it:

You must have administrator access to your computer to
install either of these options.

Windows XP includes the Internet Connection Firewall,
which you can turn on:
1. Click on the Start button.
2. Select Settings then Network Connections.
3. Inside the Network Connections window,
   right-click on one network connection.
4. Select Properties.
5. Select the Advanced tab and check the box about
   protecting my computer.
6. Click OK and return to step 3 until all
   connections have a firewall.

Additional detailed instructions
are at the Microsoft Security Page.

Hardware Firewalls

Hardware firewalls are a good choice for versions of the
Windows operating system prior to Windows XP. Most
home-networking hardware, like wireless access points
and broadband routers, comes with built-in hardware
firewalls. These help protect most home networks.

Hardware firewalls are available from several vendors,
including:
***Note SU does not endorse any specific Hardware Firewall.
- Linksys
- Netgear
- Microsoft

Software Firewalls

Software firewalls are available from several vendors,
including:
***Note SU does not endorse any specific Software Firewall.
- BlackICE PC Protection
- McAfee Security
- Symantec
- Tiny Software: Tiny Personal Firewall
- ZoneAlarm

This article, Checklist: Install a Firewall, from the
Microsoft Security Web site provides information about
software firewalls made by other companies, as well as
hardware firewalls and network routers. This information
can help you select a firewall solution if you use an
earlier version of Microsoft Windows, such as Windows
NT, Windows Millennium Edition (Me), or Windows 98.

Step 7. Back up your important files

Even if you follow all of these recommendations, it is
still possible that your computer could be compromised
by a hacker. In a worst-case scenario, a hacker's
programs or virus will corrupt, infect, or erase your
computer files. Or your hard drive could simply fail,
causing the loss of all your data. Also, it is becoming
more common that a computer that has been infected with
a virus may need to be formatted and have all of the
software reinstalled.

By backing up your files to a burnable CD, floppy disk,
Zip disk, or a workgroup file server, you can save
yourself a lot of trouble if your computer gets a virus.

How to do it:

A computer backup involves placing a duplicate copy of
your data onto a secondary medium, such as floppy disks,
a recordable CD, or a workgroup file server. Then when
your hard drive fails or you accidentally delete a file,
you can rely on the backup to recover any files. The
most important elements to back up are documents like
essays, theses and e-mail. You might also consider
backing up your operating system, software and settings
since reinstalling them can be a lengthy process. An
essential part of any computer security procedure is to
make regular backups of your essential files.

Probably the best backup solution is a CD writer. This
is a CD-ROM drive that allows the creation or burning of
Compact Discs. It uses blank CDs that are either
CD-Recordable (or CD-R) or CD-Rewriteable (CD-RW).
CD-R means the CD can be burned only once and
can't be erased, while CD-RW can be recorded and erased
and re-recorded. They are reusable up to 1000 times.

Most CD-R and CD-RW drives come with software that will
do data backups as well as audio CD creation. This
software is capable of backing up both the entire
computer system as well as single files. For most people,
simply copying your important directories of files every
few days would provide substantial protection. However,
only you can determine how critical your data is and how
often you should back it up. Be sure to use at least two
sets of backup disks and rotate them, so you are always
overwriting the oldest.

If you do not own a CD-R or CD-RW you can still back up
your data using a Zip drive or even a floppy. If you do
not need to back up on a very frequent basis, you
probably don't need any special backup software, and can
instead use your file manager (Windows Explorer) to copy
files to a removable medium (i.e., drag and drop your
files to a floppy or Zip disk).

Make sure that any backup files you may have are kept in
a safe and secure location such as a file server. In the
case of CD-RW and floppy disks we recommend a locked
file cabinet or safe.