Security basic best practice for Users

Denis A Nicole
2004-08-27

[this was prepared as a result of discussion at the Faculty IT Forum meeting on 2nd September 2003]

*** Don't forget to install Windows XP Service Pack 2 ***

Background

Backups

You will suffer inconvenience and lose data as a result of hostile hacking, by virus attack or otherwise, on your system. We need to keep the threat in proportion; it is perhaps comparable to the very real and actual risks of having your laptop stolen, having the building burn down, or having your workstation stolen or damaged during a break-in. All these things happen regularly and your only real protection is regular backups to non-volatile media. Your School may do this for you, or you may choose regularly to write CDs yourself, but it must be done. Data stored in only one place does not really exist. You will receive little or no sympathy over data lost from a workstation or laptop.

So, above all else for your own protection, you need to ensure that you have a systematic and regular backup process. You should also ensure that your backups can be read on systems other than the one which created them. It is easy to fall into a false sense of security while writing unreadable tapes/CDs.

[somebody should expand on how to do this...]

Security

Backups provide your ultimate protection. Security allows you to get on with your work. There are other important reasons to keep your system secure:

The effective use of IT resources is an essential part of the business activities of the University. Deliberate interference with this part of University life is not treated lightly; abusers have been prosecuted. 

Support

These notes will not make you an expert on system security. I'm not one. While the principles remain the same, the details of attacks and vulnerabilities change quite rapidly and you really need to be a full-time professional support person to be able to keep up with what is happening. We have some very good support staff in the University. Indeed, one of the principal anti-virus and anti-spam tools is written and maintained by one of our people. The University is only rarely deliberately targeted but, when it has happened, they have responded professionally and effectively by protecting our users and catching the culprits. Most of the time, however, the problems are part of a wider attack on the Internet community.

It is for you and your support team to agree the degree of involvement you and they have in the management of your computer systems. You are probably best off letting them do as much as they are willing; the notes below are to help you understand what is happening, an to protect systems that they cannot manage for you.

Passwords and Remote Access

[Don't use easy to guess passwords. Never use telnet or password-protected ftp. Ssh2 and scp are the modern alternatives.]

Email

[Attachments and mail browser bugs are the main entry points for current viruses.  Make sure your School runs Mailscanner. Don't run smtp yourself. Never ever rise to the bait and reply to spam; it only confirms your valid address. Don't open web pages that arrive in spam either; that too is a way of confirming addresses. Sometimes web links can be barely visible...] 

Windows Systems

First, if at all possible, you should be running the most recent stable version of the operating system. This is currently Windows XP. Old OSes are not maintained as rigorously and lack modern security features. Beyond that, there are several important protections, which follow closely Microsoft's advice Protect your PC:

Security Centre

This is a new feature of Windows XP service pack 2. Amongst other things, it manages automatic updates to the Operating System; you shouldn't need to use Windows Update manually at all.

Windows Update

Windows Update requires you to use the Internet Explorer browser that comes with Windows; Update  is normally installed on your Start menu but you can also access it directly at http://windowsupdate.microsoft.com. You can also enable automatic updates using
Start->(R-click) My Computer->Properties->Automatic Updates
 You should check daily for critical updates. You should also check for Microsoft Office updates at http://office.microsoft.com/productupdates/. This is probably the most important protection for your system.

It is, however, not all completely straightforward. A gotcha with the Windows Update system on Windows XP; patch 811494 (M502-013) was superseded without changing the patch number. So, Windows Update will not update the patch and you have to install it manually. The symptom of the problem is poor disk performance.

Sophos (applies in this form to U Southampton users only)

The notes below are out of date. They still work, but the modern way to automate update of both Sophos itself and the virus signatures is by using the Sophos Remote Update software and either the School or University server.

You need to install Sophos itself, from http://www.software.soton.ac.uk/software/Sophos/ ; you want the latest
      Product: Sophos Anti Virus Toolkit vX.XX
      OS: WinNT/2000/XP
This is a password protected page for which you need your ISS (SUCS) user ID and password.

Just follow the instructions for the default configuration.

If your computer is in a Domain, it is possible to have both the Sophos program itself and the set of virus signatures automatically updated by a special program. This requires a special installation of Sophos. You will not be able to set this up yourself; your Domain Administrator has to enter the password for the sweepupd user during the installation. There are lots of implications if you decide to join a Domain; I normally choose not to.

Outside a domain, you can only autoupdate the virus signatures. To do this you need the sget web downloader which is provided by Sophos; it is at http://www.software.soton.ac.uk/software/Sophos/sget.exe and it needs to go in your "%ProgramFiles%\Sophos SWEEP for NT" directory. This is a password protected page for which you need your ISS (SUCS) user ID and password.

Copy this update.cmd script to the same place. It needs to be run at least daily:

set VERSION=382
%SystemDrive%
cd %ProgramFiles%
cd "Sophos SWEEP for NT"
sget http://www.sophos.co.uk/downloads/ide/%VERSION%_ides.exe
del *.ide
%VERSION%_ides.exe
del %VERSION%_ides.exe
net stop sweepsrv.sys
net start sweepsrv.sys
date/t
time/t

Set VERSION appropriately for the Sophos version X.XX you have installed. Note that, unless you unpack the .ide files in a separate directory, you really do need to delete the old ones before unpacking 373_ides.exe, or the unpack might fail. You can run this manually or, alternatively, you can automate it to run daily at, say, 04:30. Go to
Start->Control Panel->Scheduled Tasks->Add Scheduled Task and follow the instructions. My scheduled task looks like this:


and yes, I did have to enter my password.

You also need to update the Sophos program itself monthly by hand, by reinstalling it from the University web site and you need to update VERSION in the above script appropriately.

For further information, see http://www.sophos.com/support/faqs/comdown.html.

Free Anti-Virus Software

If you do not have the right to use Sophos, there are alternatives:

Anti-Spybot Software

Microsoft Internet Connection Firewall for XP

You want to run this on all your machines. It is vital for systems outside University and School firewalls, it is also a good idea if you are inside. Follow the instructions at http://www.microsoft.com/WINDOWSXP/home/using/howto/homenet/icf.asp. I only enable a few ports on my workstation:

Depending on your machine configuration, you may wish to add a few other ports such as RPC/DCOM (For Microsoft Exchange) at 135. Leaving that one out would, however, have saved you from the recent MSBlaster worm. You definitely do not want to enable the well-known-risk services FTP, Telnet or TFTP.

Microsoft Baseline Security Analyser

This is mainly a check on the way you have configured your system, with open accounts, weak passwords etc.; it can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp. Download it; run it; do what it says.

Malware

Even with the standard precautions, I still get infected with malware. There are several useful places to look in order to get rid of unwanted periodic pop-ups etc. On my list for Windows are:

Other useful odds and ends

These are not so much for use as to warn you what's out there.

Linux Systems

[Run the latest RedHat. Keep it regularly updated. Enable the firewall. Run Sophos?]