• English
• John Burridge
• Announcements
• Ethernet Help
• Xerox Notes
• Useful Links
• Force SMB1
• English Map
• UO Home

---

• Psychology
• MATLAB Help
• Security Practices
• SPSS Help

Computer Security Practices in Shared Environments and with UO Computers

Best Computer Security Practices in Shared Environments and with UO Computers

Poor computer security practices on UO computers or in shared computing environments can lead to illegal or inappropriate use of UO computing resources, loss or release of sensitive personal information, or legal suits.

To increase security, use best computer security practices. Best practices may be broken down into System Admin Practices, User Practices, and Physical Practices.

System Admin Practices:

• One user, one account: One account for each user of a shared computer provides accountability. It is harder to track down the origin of a security problem with a computer account used by many people.
• Limit the number of administrative accounts: Limiting administrative accounts on a shared computer reduces the possibility of unauthorized administrative access. It also lowers the probability that authorized users will accidentally put the computer into a less secure state.
• Delete old user accounts: When personnel leave a lab, their computer accounts should be removed from a shared computer. Doing so reduces the possibility of the old account being misused.
• Regular (monthly) system and software updates: Installing updated system and application software (when compatibility issues are not a problem) closes security holes.
• Require password to wake machines from sleep mode: Requiring a password to wake a computer increases user accountability.
• Configure sleep mode to start after 5 minutes' inactivity: Placing a computer in sleep mode coupled with a password to wake it decreases the chances of sensitive data release or computer misuse.
• Firewall unneeded network services to reduce exposure to network attacks: The UO network is regularly scanned from within and without by people looking for unsecured computers. Closing unneeded communication ports by using firewalls on a computer reduces network-scanning risk.
• Regular (monthly, quarterly) password changes, especially on multi-user accounts: Changing passwords regularly prevents former personnel from accessing machines. It also reduces the usefulness of accidentally discovered passwords.

User Practices:

• Review the UO Acceptable Use of Computing Resources Policy and its addendum. Remember, as Oregon state employees using state-owned computer resources to conduct the state's business, what we do is a matter of the state's public record. Make responsible choices.
• Use strong passwords: Strong passwords, ones that are not words and have numbers and symbols in them, are less likely to fail to a dictionary password scan. Password strategies may be found here:
  • While "correct horse battery staple" is attractive, it's easily broken by hackers using lists of words -- so the difficulty to guess is not as hard as this xkcd comic on password strength would have you believe: http://xkcd.com/936/
  • 25 Worst Passwords of 2011
  • 500 Bad Passwords
  • More Bad Passwords
  • Even More Insecure Passwords
• Conceal passwords: Ideally, passwords should not be written down; but when they are, they shouldn't be on a yellow post-it or whiteboard next to the computer.
• Log out of the computer when finished: The machine will run more quickly if only one user is logged in at a time. As far as the computer, security, and network records are concerned, there's no distinction made between a user and their username.
• Don't share computer passwords: Private passwords increase user accountability.
• Turn off the computer when finished: If the computer is going to be unused for a night or a weekend, turning it off increases security by making the machine unavailable for network scans or certain RAM password exploits.
• Create folders for shared data: Using file system permissions to allow other computer users to read and write to a shared folder and reduces the need for sharing passwords and accounts.
• Consider the use of \\cas-fs1\ as alternative to file sharing services such as DropBox or GoogleDocs: -- The advantage of \\cas-fs1\ is that it is secure. It can handle greater amounts of data, the connection is secure, access permission control is very precise, and the data servers are physically located on campus.
• Be aware of when personal private data is being used : When collecting grades, contact information, or other data on people, take care to protect private data and take steps to keep it private. A US government issued PDF on private data and HIPAA may be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf. The UO has additional forms at http://humansubjects.uoregon.edu/HIPAA.instructions.cfm..
• Review the Oregon University System's policy on data security.

Physical Practices:

• Review physical security practices: Locks don't work if the door's propped open; keys don't keep labs secure if they're hanging in plain view on a peg.
• Only connect authorized hardware to computers: Portable storage devices are a source of security risk: for example, some security exploits (Stuxnet) are run from USB flash drives or thumb drives. We're in an age where thumb drives, especially unprovenanced ones, should be treated as malicious attack vectors. Ideally, data should be available via the network or a shared folder.
• Prohibit computer and lab access to friends, family members, roommates, etc.: If associates of lab personnel don't have access to lab computers, they can't compromise them.

John Burridge, Web Communications Technician ⚣ he/him/his
University of Oregon, Robert D. Clark Honors College
M-F: 8AM-Noon, 1PM-3PM     burridge@uoregon.edu     http://pages.uoregon.edu/burridge