Computer Security Practices in Shared Environments and with UO Computers
Best Computer Security Practices in Shared Environments and with UO Computers
Poor computer security practices on UO computers or in shared computing
environments can lead to illegal or inappropriate use of UO computing
resources, loss or release of sensitive personal information, or legal
suits.
To increase security, use best computer security practices. Best
practices may be broken down into System Admin Practices, User Practices,
and Physical Practices.
System Admin Practices:
- One user, one account: One account for each user of a shared computer provides accountability. It is harder to track down the origin of a security problem when a computer account is used by many people.
- Limit the number of administrative accounts: Limiting administrative accounts on a shared computer reduces the possibility of unauthorized administrative access. It also lowers the probability that authorized users will accidentally put the computer into a less secure state.
- Delete old user accounts: When personnel leave a lab, their computer accounts should be removed from the shared computer. Doing so reduces the possibility of the old account being misused.
- Regular (monthly) system and software updates: Installing updated system and application software (when compatibility issues are not a problem) closes security holes.
- Require a password to wake machines from sleep mode: Requiring a password to wake a computer increases user accountability.
- Configure sleep mode to start after 5 minutes' inactivity: Placing a computer in sleep mode, coupled with a password to wake it, decreases the chances of sensitive data release or computer misuse.
- Firewall unneeded network services to reduce exposure to network attacks: The UO network is regularly scanned, from within and without, by people looking for unsecured computers. Closing unneeded communication ports with a firewall on the computer reduces the risk from network scanning.
- Regular (monthly, quarterly) password changes, especially on multi-user accounts: Changing passwords regularly prevents former personnel from accessing machines. It also reduces the usefulness of accidentally discovered passwords.
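The "firewall unneeded network services" item above is easier to act on if you first know which services are actually reachable from the network. The following script is an added example and is not from the UO page: it parses a small, constructed table of listening sockets on a shared lab machine and reports the ones that are network-exposed but not on the lab's approved list, so they can be disabled or blocked by the host firewall. The socket table format, the process names and the allowlist are all assumptions made for the example; on a real machine you would feed it the output of a tool such as `ss -tlnp` or `netstat -tlnp` and the allowlist your lab has agreed on.

```python
"""Report network-exposed listening services that policy does not allow.

Added example, not part of the UO page. Loopback-only listeners are ignored
because network scanners cannot reach them; everything else is checked
against an allowlist of (protocol, port) pairs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample table: protocol, local address:port, owning process.
# Not captured from any real machine; format is an assumption.
SAMPLE_SOCKETS = """\
tcp 0.0.0.0:22 sshd
tcp 127.0.0.1:631 cupsd
tcp 0.0.0.0:5900 vncserver
udp 0.0.0.0:5353 avahi-daemon
tcp 0.0.0.0:445 smbd
tcp 0.0.0.0:8080 python3
"""

# Assumed lab policy: only remote login and the file share are needed.
ALLOWED = {("tcp", 22), ("tcp", 445)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def network_exposed(self) -> bool:
        # Loopback-bound services are reachable only from the machine itself.
        return not self.addr.startswith("127.") and self.addr != "::1"


def parse_sockets(text: str) -> list[Listener]:
    """Parse the three-column constructed format into Listener records."""
    listeners = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, proc = line.split()
        addr, _, port = local.rpartition(":")   # rpartition copes with IPv6 addresses
        listeners.append(Listener(proto, addr, int(port), proc))
    return listeners


def find_unneeded(listeners: list[Listener], allowed: set[tuple[str, int]]) -> list[Listener]:
    """Return listeners that are exposed to the network and not on the allowlist."""
    return [l for l in listeners if l.network_exposed and (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    for l in find_unneeded(parse_sockets(SAMPLE_SOCKETS), ALLOWED):
        print(f"close or firewall: {l.proto}/{l.port} ({l.process})")
```

Run on the sample data, the loopback-only CUPS listener is skipped and the VNC, mDNS and ad-hoc HTTP listeners are flagged; each flagged entry is a candidate for disabling the service or adding a firewall rule, and the allowlist is the place to record the decision.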
User Practices:
- Review the UO Acceptable Use of Computing Resources Policy and its addendum. Remember, as Oregon state employees using state-owned computer resources to conduct the state's business, what we do is a matter of the state's public record. Make responsible choices.
- Use strong passwords: Strong passwords, ones that are not words and have numbers and symbols in them, are less likely to fall to a dictionary password scan. Password strategies may be found here:
- Conceal passwords: Ideally, passwords should not be written down; but when they are, they shouldn't be on a yellow post-it or a whiteboard next to the computer.
- Log out of the computer when finished: The machine will run more quickly if only one user is logged in at a time. As far as the computer, security, and network records are concerned, there's no distinction made between a user and their username.
- Don't share computer passwords: Private passwords increase user accountability.
- Turn off the computer when finished: If the computer is going to be unused for a night or a weekend, turning it off increases security by making the machine unavailable for network scans or certain RAM password exploits.
- Create folders for shared data: Using file system permissions to allow other computer users to read and write to a shared folder reduces the need for sharing passwords and accounts.
- Consider the use of \\cas-fs1\ as an alternative to file sharing services such as DropBox or GoogleDocs:
-- The advantage of \\cas-fs1\ is that it is secure. It can handle greater amounts of data, the connection is secure, access permission control is very precise, and the data servers are physically located on campus.
- Be aware of when personal private data is being used: When collecting grades, contact information, or other data on people, take care to protect private data and take steps to keep it private. A US government issued PDF on private data and HIPAA may be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf. The UO has additional forms at http://humansubjects.uoregon.edu/HIPAA.instructions.cfm.
- Review the Oregon University System's policy on data security.
Physical Practices:
- Review physical security practices: Locks don't work if the door's propped open; keys don't keep labs secure if they're hanging in plain view on a peg.
- Only connect authorized hardware to computers: Portable storage devices are a source of security risk: for example, some security exploits (Stuxnet) are run from USB flash drives or thumb drives. We're in an age where thumb drives, especially unprovenanced ones, should be treated as malicious attack vectors. Ideally, data should be available via the network or a shared folder.
- Prohibit computer and lab access to friends, family members, roommates, etc.: If associates of lab personnel don't have access to lab computers, they can't compromise them.
John Burridge, Web Communications Technician ⚣ he/him/his
University of Oregon, Robert D. Clark Honors College
M-F: 8AM-Noon, 1PM-3PM burridge@uoregon.edu http://pages.uoregon.edu/burridge