This document seeks to explain the minimum security settings recommended by SAS Computing. As always, the aim is to keep systems as secure as possible without unduly inconveniencing the users of those systems.
For more details regarding specific issues or situations, please consult with your local support provider.
For information on the University Information Security Office's policies and best practices, please see here.
The Importance of Adequate Desktop Security
Desktop security is not just a matter of protecting your own machine and the data on it. When a machine is compromised, one of the most common outcomes is that it is used to launch attempts to break into, or disrupt service on, other systems located at Penn or anywhere on the Internet. Given the automated tools currently available to find machines that can be compromised and then exploit them, this is a serious concern.
If a machine is found to have been compromised such that it has or could become the source of attacks on others, Penn's Information Security Office will require that the machine be taken off the network, in accord with the procedures outlined in the Policy on Computer Disconnection from PennNet. In addition, many desktop computers may be subject to the terms of Penn's Computer Security Policy and thus must be maintained with adequate security precautions in order to comply with this policy.
The lack of adequate security of machines within many educational institutions, the risks that this poses for other Internet-connected sites, and the potential liabilities for the schools themselves have been receiving some attention lately, such as an article on the CNN web site. Various groups are working to address these issues, including EDUCAUSE and SANS.
General Desktop Security Guidelines
The following general guidelines are relevant for all users, no matter what operating system is being used:
- Maintain up-to-date and properly configured anti-virus software. Penn-owned machines on campus have CrowdStrike installed by their LSPs. For others, see ISC's Virus Information.
- Don't open any e-mail attachments unless you know the sender AND know that it was intentionally sent to you.
- Use complex passwords. Never write down your passwords or share them with anyone else. SASC staff will never request your password.
- If you share any files from your machine (not recommended in most cases), be certain that access is protected with a complex password.
- Keep backup copies of any important documents. Contact your LSP for information about data backup systems.
- Periodically check the web site of the OS vendor (e.g. Microsoft or Apple) for critical security updates that may need to be applied.
- Penn insurance regulations for Property Insurance and Claims require that computing equipment be properly secured if it is to be covered for property loss.
Windows Networking Domain Accounts
A good password policy is a central component of any security plan. Short, simple, or otherwise weak passwords increase the risk that a brute-force attack will succeed in breaking into an account, either by cracking a password "sniffed" over the network or by repeatedly guessing it. Windows passwords are encrypted as they are sent over the network, but strong passwords must still be used to protect system security. SAS Computing will require the following password and account policies on any domain administered by SAS Computing staff.
- Minimum password length of 8 characters.
- Complex password required.
- Password expires once a year.
- Password history of three previous passwords is maintained and reuse of any password within the history is disallowed.
- Password can be changed no more frequently than once a day.
- After 5 bad logon attempts within 30 minutes, the account will be locked out for 30 minutes (to slow down any network-based attempts to gain access to accounts via brute-force guessing).
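As an added illustration of the lockout rule above (example code, not from SAS Computing), the following Python walks a constructed failed-logon log and reports when the 5-attempts-in-30-minutes rule would lock the account. The log format, the sliding-window counting and the handling of attempts made while locked are assumptions, since the page does not say how the 30-minute window is measured.

```python
from datetime import datetime, timedelta

# Lockout values stated on this page.
LOCKOUT_THRESHOLD = 5                       # bad logon attempts ...
OBSERVATION_WINDOW = timedelta(minutes=30)  # ... within this window ...
LOCKOUT_DURATION = timedelta(minutes=30)    # ... lock the account for this long

# Constructed sample log (hypothetical format, not a real Windows event format):
# "<date> <time> FAILURE user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-03-01 09:00:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:04:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:20:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:45:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:50:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:52:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:55:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 09:58:00 FAILURE user=jdoe src=10.0.0.5
2024-03-01 10:05:00 FAILURE user=jdoe src=10.0.0.5
"""

def failed_logons(log_text, user):
    """Timestamps of FAILURE lines for one account, in time order."""
    times = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "FAILURE" and fields[3] == f"user={user}":
            times.append(datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S"))
    return sorted(times)

def lockout_events(failures):
    """Return (locked_at, unlocked_at) pairs produced by the policy above.
    Assumptions (not stated on the page): failures are counted over a sliding
    30-minute window, attempts made while locked are ignored, and the counter
    restarts from zero after a lockout."""
    events, recent, locked_until = [], [], None
    for t in failures:
        if locked_until is not None and t < locked_until:
            continue                      # rejected while locked; does not extend the lock
        locked_until = None
        recent = [r for r in recent if t - r < OBSERVATION_WINDOW]  # forget stale failures
        recent.append(t)
        if len(recent) >= LOCKOUT_THRESHOLD:
            locked_until = t + LOCKOUT_DURATION
            events.append((t, locked_until))
            recent = []
    return events

if __name__ == "__main__":
    for locked_at, unlocked_at in lockout_events(failed_logons(SAMPLE_LOG, "jdoe")):
        print(f"jdoe locked out at {locked_at:%H:%M}, unlocks at {unlocked_at:%H:%M}")
```

Note that the three failures spread across 09:00 to 09:20 never count together with the later burst; only the five failures between 09:45 and 09:58 trigger the lock.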
As noted above, a good password policy is the foundation for machine and network security. Here are some suggestions for selecting a complex password:
- Password should be at least 8-10 characters in length.
- Password should include at least one character from 3 of the following 4 classes: lowercase letters, uppercase letters, numbers, punctuation/special characters (e.g. $, %, &, etc.) within the first 8 characters of the password.
- Password should not contain any words found in the dictionary, any part of your full name or account name, or other personal data such as date of birth, license plate number, etc.
- Don't use the same password for all systems; in particular, don't use the same password with a connection method that does not encrypt passwords (e.g. non-secure web pages, telnet) as with one that does (Windows networking, SSH).
To build a password that is adequately complex yet easy to remember, think of a memorable phrase or song lyric, take the first character of each word, then mix case and substitute a number or special character for some of the letters. For example,
It is good to change your password every 6 months = Iig2cyPe6m
To yield a complex password, think of a memorable phrase = 2yaCP,toamp
Of course, you should not use these examples for your own password = 0c,UsnUte4yoP
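An added Python check (example code, not from the original page) that applies the complexity rules listed above to a candidate password, including the three example passwords derived from phrases above. The reading of "any part of your full name" as any whitespace-separated piece of at least 3 characters, and the small dictionary, are assumptions.

```python
import string

# Character classes named on this page; a password must draw on 3 of the 4
# within its first 8 characters.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = ("password", "summer", "welcome", "penn")

def complexity_problems(password, account_name="", full_name="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the password breaks; an empty list means it passes.
    Assumption: a 'part' of a name is any whitespace-separated piece of 3 or more
    characters, matched case-insensitively."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    head = password[:8]
    classes_used = [name for name, chars in CLASSES.items() if any(c in chars for c in head)]
    if len(classes_used) < 3:
        problems.append(f"only {len(classes_used)} character class(es) in the first 8 characters")
    lowered = password.lower()
    for label, value in (("account name", account_name), ("full name", full_name)):
        for part in value.lower().split():
            if len(part) >= 3 and part in lowered:
                problems.append(f"contains part of {label}: {part!r}")
    for word in dictionary:
        if word.lower() in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems

if __name__ == "__main__":
    for candidate in ("Iig2cyPe6m", "2yaCP,toamp", "0c,UsnUte4yoP", "summer2024", "Doe#Jane12"):
        verdict = complexity_problems(candidate, account_name="jdoe", full_name="Jane Doe")
        print(candidate, "OK" if not verdict else "; ".join(verdict))
```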