StartSafe - Without these initial steps, your computer is almost guaranteed to be infected and your information compromised

last updated: Tuesday November 06, 2007 02:56 PM

Click the link below corresponding to your situation to determine the proper StartSafe steps:

• Students setting up a new computer that has never been connected to the Internet in the past
•  
• Home or residence hall computer
•  
• JMU owned computer

Different risks apply to a computer depending upon the network on which it resides. In some ways, a computer on the JMU network is subject to less risk than a home computer because of the security measures JMU has implemented. In other ways, the computer is subject to more risk because of the number of neighboring computers on the network and our bandwidth.

In general:

• A computer that has been on a home network and brought to campus, may be exposed to things it was not exposed to at home from neighboring computers, particularly in the student network. To reduce risk, StartSafe guidelines should be followed before connecting such a computer to the campus network.
• A computer that has been on the JMU network and protected by its security measures, may be exposed to more risk when moved off the JMU network, particularly to a home internet connection. Web and e-mail based threats, in particular, may be more of a problem. In addition,  the results of a mistake in computer operation or maintenance will often have more serious effects due to the lack of the damage control measures and monitoring provided by JMU. When taking a computer off the JMU network, conservative operation and optional risk reduction steps, like those described below, become more important.

Optional Risk Reduction Measures that will protect you and your computer even more

The steps described in the sections above are the absolute minimum steps required for all computers. If they are not done, the computer is almost certain to be infected and compromised. They are equivalent to buckling a seat belt before driving. The following steps go beyond the beginner steps and may require additional computer knowledge and/or a willingness to trade some convenience, time, or functionality for additional risk reduction. They're oriented toward individuals more proficient with computers or as guidelines for support staff implementing organizational standards.

Intermediate Risk Reduction Measures

• Initial computer setup ( StartSafe )
  • Use a least privilege user account for day to day use. This will probably do more to improve your security with the least tradeoffs than any other step. Instructions for Windows XP computers can be found here ( procedure for Windows Vista is similar except that the account is called 'standard' instead of 'limited' ). For MacIntosh computers, here. For unix computers, don't use the root account.
  • Set up your IMAP or POP e-mail client ( e.g. Outlook, Thunderbird, Entourage, Netscape, Eudora ) to require SSL protected sessions. Instructions for the JMU e-mail service can be found here.
  •  
  • The Cassandra service will allow you to set up profiles indicating products of interest to you and receive email notifications when vulnerabilities associated with those products are reported. The service is offered by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
  • Configure your e-mail client to display messages as text rather than HTML and disable use of Microsoft Word to read messages. Windows Outlook and Outlook Express instructions can be found here.
  • Configure your e-mail client to disable script execution in messages. This is the default for common clients released the last couple years and is mentioned here for completeness.
  • If you set up a wireless network or make frequent use of public wireless networks review this material Wireless Network Usage and Setup Information
  • Windows specific:
    • Upgrade to Internet Explorer 7
    • Enable the Data Execution Protection (DEP) feature on Windows XP for all programs. This may cause problems with some programs but any that experience problems can easily be put in an exception list. If you get a message about a program you start being closed to protect your computer, it will give you an option to change settings so you can add the program to the exception list making it easy to use.
    • Enable auditing using local security policy or group policies
    • Use Microsoft's Baseline Security Analyzer tool  on a bimonthly basis and after changes to check your work. It will report many common security mistakes.
    • Disable the ability for the administrator account to login to the computer over the network using local security policy or group policies
    • Configure Internet Explorer security policy so that cutting and pasting from the clipboard is disabled. This prevents malicious web sites from reading data that may be in your clipboard.
    •  
• Operational/Behavioral
  • Open suspicious or unknown documents using the program you think is appropriate for the document rather than double-clicking it and letting the operating system decide. For example, if you receive resume.doc in an email attachment or some other way, instead of double-clicking it, save it to your hard drive, open Microsoft Word, and use the File->Open menu to open the file.

Advanced Risk Reduction Measures

Generally harder to accomplish and more visible than the intermediate steps

• Initial computer setup ( StartSafe )
  • Disable scripting and other browser functionality that increases risk. If using Internet Explorer, you can do this selectively allowing trusted sites to have more functionality and control over your browser than untrusted or unknown ones. Add-ons for some other browsers exist ( e.g. noscript for Firefox ) to provide similar functionality. This is probably one of the most effective measures at reducing the risk associated with the constant security defects in browsers we're all exposed to.
  • Disable all unnecessary processes, services, and network listeners.
  • Use file integrity monitoring software  to detect system changes
  • Use host intrusion detection/prevention software ( e.g. Snort, Windows Defender ) to warn about or stop defined network or system behaviors.
  • Use Windows XP Software Restriction Policies to limit the computer to running only approved programs. This is particularly recommended for shared or unattended computers or those used by children.
• Operational/Behavioral
  • Monitor system and application logs for unusual activity. This is best done with automated log parsing and reporting tools.

Under consideration:

Windows Defender after it leaves Beta status