StartSafe Recommendations for JMU owned Windows, Macintosh, and Linux computers
Phishing is as serious a problem as computer viruses. Learn how to avoid fake e-mail and web sites and protect both your JMU and personal accounts. View the video and take the IsItReal? game challenge.
JMU Highly Confidential data (e.g. SSN, banking account numbers, credit cards) about people other than yourself must not be stored on personally owned devices. Any unauthorized storage of JMU Highly Confidential or Protected Data is a violation of university policy. Such data must not be stored in a way that it is exposed to unauthorized access physically or electronically.
When ordering Dell laptops from the JMU purchasing pages, be sure to specify the encrypting hard drive option.
MacIntosh OSX Computers (see Mobile section for recommendations for iPads, iPhones, etc.)
Windows versions prior to Windows Vista are no longer supported by Microsoft and are not safe to use as Microsoft no longer provides security updates for these vrsions. Unsupported versions include XP, Windows 2000, and Windows ME/98/95/NT. These computers may be disconnected from the JMU network without warning if they pose a risk to JMU operations or constituent data.
Microsoft Office versions prior to Office 2003 Service Pack 3 are no longer supported by Microsoft and are not safe to use due to the absence of security updates. New versions of Office and other Microsoft products can be purchased through JMU's Microsoft Select agreement.
JMU Information Technology currently manages thousands of JMU owned windows computers. In doing so, Microsoft and third party software is kept up to date with security updates, the computers are configured to minimize the risk of infection, sensitive data is inventoried, and risk, threats, and operations are proactively monitored. Areas of campus choosing to perform their own management need to duplicate this functionality in order to maintain a stable, operational network and minimize the chance of exposure of sensitive constituent data.
The following steps are all taken care of on Windows computers in the JMU Active Directory Domain managed by the Information Technology Department. Step 9 is particularly time consuming, tedious, and errorprone if attempted manually by individuals. A list of software currently maintained by IT and more detail about desktop management services can be found on the Computing web page.
All versions of Microsoft Windows after Windows XP Service Pack 2 (Vista, Windows 7) come with the firewall enabled. Therefore, unless you've disabled it, there is nothing for you to do here.
We must enable a firewall to keep criminals and their programs (viruses, worms, etc.) away from the defects on our computers. This will allow us to connect to the Internet and install updates to fix these defects. Afterwards, the firewall will help protect us against future defects and operating mistakes. This step is only necessary for Windows XP and older computers of Windows. The Windows Vista and Windows 7 firewall is turned on by default.
The Windows firewall is pre-configured on all IT managed Windows computers.
This step will fix the defects in Windows software that let criminals take control of our computers (and our privacy, our identity, our network, etc.). This step can be time consuming because there are so many security updates to install, particularly for older computers. A later StartSafe step will have you configure your computer so it keeps itself up to date so you don't have to do this again.
You must repeat the process until you're told that no more critical updates are available. Doing it once may leave you vulnerable.
To update your Windows 8 computer:
To update your Windows 7 or Windows Vista computer:
Older Microsoft Windows operating systems ( XP, 2000, 95, 98, ME, NT ) are no longer supported, are not provided with security updates, and are not safe to use on a network.
Once you are caught up with current critical Windows updates, you'll need to install the new ones that come out about monthly. You can do this manually ( not recommended ) or you can set it up so that it takes care of itself (recommended). Your computer will check for updates, download them, install them at a time specified by you, and reboot all on its own. If your computer is turned off at your selected installation time, it will perform the installation the next time it is powered on.
To set up the automatic updates, follow the instructions at Microsoft's Automatic Update Site. Windows Vista, Windows 7 and Windows 8 computers are setup for automatic updates by default.
JMU IT operates its own update site on campus for IT managed computers. This allows additional testing in the JMU environment and customized release schedules.
Anti-virus software must be installed to protect you from criminally written programs that you may inadvertently run on your computer or that criminals may force to run on your computer by using unknown defects. JMU has purchased a site license for Symantec Endpoint Protection software that allows all faculty, staff, and students to use it both at the office and at home. The advantage of using this software is that it is provided pre-configured to offer the best security and is fully supported by the JMU Helpdesk.
The version available on the JMU downloads page SHOULD NOT BE USED ON JMU OWNED COMPUTERS ON CAMPUS. THAT VERSION IS ONLY FOR PERSONAL AND STUDENT COMPUTERS. If your computer is not managed by IT, contact your local technical support for instructions on obtaining the software. Local technical support and desktop management personnel should contact JMU Information Technology Desktop Services to get a copy of the software so it can be properly configured for campus use before distributing it to your clients.
Having anti-virus software does not protect you from new viruses that are released daily. A clean virus scan of a program does not mean it's safe to run.
You cannot legally install or distribute the JMU licensed Symantec anti-virus software on computers owned by people who are not current students or employees of JMU. Microsoft offers a product called Microsoft Security Essentials that is free for home computers.
Installations managed by JMU report to a central console by department for virus infection monitoring and are automatically updated to detect new virus definitions.
Windows hides a file’s complete name making it easy for virus writers to fool you. It also makes it difficult to change a file’s name. You can configure your computer to show the full name of most files by making the simple change below.
On Windows 8 computers:
On Windows 7 and Windows Vista computers:
Step 6 - Install security updates for other software you may have installed ( e.g. iTunes, Winamp, Firefox, QuickTime, RealPlayer, Skype, Flash, Adobe Acrobat Reader )
People often add programs to their Windows computer. Many of these programs have security defects that can allow criminals and viruses to take control of the computer. In fact, these programs are currently more often the target of attacks and more responsible for infections than Microsoft software. A partial list of programs installed on a Windows computer can be found in the 'Add or Remove Programs' Control Panel.
Download locations for programs commonly installed that have serious and/or actively exploited security defects are listed below:
IT managed computers have many of the most common software titles monitored and updated automatically. In addition to the titles on the list, as threats surface other packages are added and/or configurations and workarounds are applied to minimize risk.
Set your screen saver up so that you are required to type your password before it will unlock.
All IT managed computers have passwords enabled on their screen saver.
Standard accounts for day to day use on Windows 7, Vista, and XP are safer and easy to setup. If you want one step that will reduce risk more effectively than many of the other recommendations, set up a “standard” account on your Windows 7 /Vista or Windows 8 computer for day to day use ( procedure for Windows XP and Windows Vista is similar except the account is called 'limited' instead of 'standard').
Many of today's viruses and spyware will not install when using such an account. If they do install, their damage should be limited.
All IT managed computers have a standard user account set up for daily use. In addition, several technologies make it easier to use such accounts. Systems Management Services provides prepackaged software and updates that normally require the use of a more risky administrator account to be installed using the standard regular user account. BeyondTrust Privilege Manager enables many functions that normally require the risky administrator account to be performed with a safer, standard user account. Many desktop administration functions require administrative privileges. These tasks are mostly eliminated in the managed environment. Finally, Desktop Services can help analyze old and poorly written applications that still require administrator accounts to run. Altering various system privileges can often allow these applications to run under a regular user account without putting the computer at additional risk.
Once you have set up your computer in a way that will protect it and you, it is important to realize that your operating habits can reverse all the work you've done and allow criminals or viruses to take control of your computer or information. Please review the JMU Computing Security web page for guidelines on operating it in a safe manner, common mistakes, and current threats and issues.
JMU Highly Confidential data (e.g. SSN, banking account numbers, credit cards) about people other than yourself must not be stored on personally owned devices. Unauthorized storage of JMU Highly Confidential or Protected Data is a violation of university policy. Such data must not be stored in a way that it is exposed to unauthorized access physically or electronically.