StartSafe Information for JMU owned computers
If you must store sensitive data associated with JMU business or constituents on a laptop or other portable device, contact JMU Security Engineering at it-security@jmu.edu for assistance.
When ordering Dell laptops from the JMU purchasing pages, be sure to specify the encrypting hard drive option. It is difficult to determine when sensitive data may be stored on a computer. For example, it may be cached from a PeopleSoft web page or an Office document stored on the network but edited on the computer. Also, if you temporarily store such a file on your computer, "deleting" it does not actually delete it. It remains on the hard drive until something else overwrites it. For this reason, it is strongly recommended that the encryption functionality of the encrypting hard drives on all new Dell computers be enabled by JMU Desktop Services.
Most of these instructions apply to Windows computers. For others:
For Windows computers:
JMU Information Technology currently manages thousands of JMU-owned Windows computers. In doing so, Microsoft and third-party software is kept up to date with security updates, the computers are configured to minimize the risk of infection, sensitive data is inventoried, and risk, threats, and operations are proactively monitored. Areas of campus choosing to perform their own management need to duplicate this functionality in order to maintain a stable, operational network and minimize the chance of exposure of sensitive constituent data.
The following steps are all taken care of on Windows computers managed by IT. Step 9 is particularly time-consuming, tedious, and error-prone if attempted manually by individuals. A list of software currently maintained by IT and more detail about desktop management services can be found on the Computing web page.
Windows versions prior to Windows XP Service Pack 3 are no longer supported by Microsoft and are not safe to use due to unavailability of security updates. Unsupported versions include XP SP2, Windows 2000, and Windows ME/98/95/NT.
Microsoft Office 2000 and prior versions are no longer supported by Microsoft and are not safe to use due to unavailability of security updates. New versions of Office and other Microsoft products can be purchased through JMU's Microsoft Select agreement.
STEP 1 - Enable the Windows firewall on Windows 2003 Computers.
All currently supported versions of Microsoft Windows except 2003 come with the firewall enabled. Therefore, unless you've disabled it, there is nothing for you to do here.
We must enable a firewall to keep criminals and their programs (viruses, worms, etc.) away from the defects on our computers. This will allow us to connect to the Internet and install updates to fix these defects. Afterwards, the firewall will help protect us against future defects and operating mistakes. This step is only necessary for Windows 2000, Windows XP, and Windows 2003 computers.
Windows XP and 2003:
- Click Start
- Click Control Panel.
- Click Network and Internet Connections
- Click the Network Connections Control Panel Icon
- Right-click Local Area Connection and select Properties
- Click the Advanced Tab. If you don't have an Advanced Tab, right-click Local Area Connection again and click Remove from Bridge. Then go back to Properties and Advanced Tab.
- Check the box labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet".
- Click OK
- Connect to the network
- Restart the computer
The Windows firewall is pre-configured on all IT managed Windows computers.
STEP 2 - Download and Install All Critical Updates from the Microsoft Windows Web Site
This step will fix the defects in Windows software that let criminals take control of our computers (and our privacy, our identity, our network, etc.). This step can be time consuming because there are so many security updates to install, particularly for older computers. A later StartSafe step will have you configure your computer so it keeps itself up to date so you don't have to do this again.
You must repeat the process until you're told that no more critical updates are available. Doing it once may leave you vulnerable.
To update your Windows Vista or Windows 7 computer:
- Open Internet Explorer (other browsers won't work)
- In the menu bar, click Safety and then select Windows Update
- In the Control Panel window that pops up, click Get updates for more products. This will start the installation of the Microsoft Update program which will better keep your computer up to date than the older Windows Update program.
- Accept the terms of use.
- Click install.
- When the Control Panel window reappears, click Check for Updates and follow the remaining directions. You'll need to repeat this process until there are no more critical and security updates available.
To update your Windows XP computer:
- Open Internet Explorer (other browsers won't work)
- In the menu bar, click Safety and then select Windows Update.
- If you see "NEW! Get Microsoft Update Today", then
  - Follow the instructions to install the new Microsoft Update program which will better keep your computer up to date than the older Windows Update program. Then come back here.
- Otherwise,
  - Follow the instructions to update your computer. You'll need to repeat this process until there are no more critical and security updates available.
- If you need them, instructions showing screen shots are available here but may vary somewhat from what you actually see depending on versions and platform.
Older Microsoft Windows operating systems (XP-SP2, 2000, 95, 98, ME, NT) are no longer supported, are not provided with security updates, and cannot be secured, so they should not be used, particularly on a network.
STEP 3 - Set up your computer to automatically download future updates
Once you are caught up with current critical Windows updates, you'll need to install the new ones that come out about monthly. You can do this manually (not recommended) or you can set it up so that it takes care of itself (recommended). Your computer will check for updates, download them, install them at a time specified by you, and reboot all on its own. If your computer is turned off at your selected installation time, it will perform the installation the next time it is powered on.
To set up the automatic updates, follow the instructions at Microsoft's Automatic Update Site.
JMU IT operates its own update site on campus for IT managed computers. This allows additional testing in the JMU environment and customized release schedules.
STEP 4 - Install Anti-Virus Software Provided by JMU
Anti-virus software must be installed to protect you from criminally written programs that you may inadvertently run on your computer or that criminals may force on your computer by using software defects. JMU has purchased a site license for Symantec Endpoint Protection software that allows all faculty, staff, and students to use it both at the office and at home. The advantage of using this software is that it is provided pre-configured to offer the best security and is fully supported by the JMU Helpdesk.
The version available on the JMU downloads page SHOULD NOT BE USED ON JMU OWNED COMPUTERS ON CAMPUS. THAT VERSION IS ONLY FOR PERSONAL AND STUDENT COMPUTERS. If your computer is not managed by IT, contact your local technical support for instructions on obtaining the software. Local technical support and desktop management personnel should contact JMU Information Technology Desktop Services to get a copy of the software so it can be properly configured for campus use before distributing it to your clients.
Having anti-virus software does not protect you from new viruses that are released daily. A clean virus scan of a program does not mean it's safe to run.
You cannot legally install or distribute the JMU licensed Symantec anti-virus software on computers owned by people who are not current students or employees of JMU. Microsoft itself offers a product called Security Essentials that is free for home computers.
Installations managed by JMU report to a central console by department for virus infection monitoring and are automatically updated to detect new virus definitions.
STEP 5 - Configure your computer to display file names correctly
Windows hides the real names of files from you which makes it easy for virus writers to fool you. It also makes it difficult to do something which should be simple - change a file name. You can tell your computer to tell you the truth about most file names by making the simple change below.
On Windows 7 and Windows Vista computers:
- Click Start
- Select Computer
- Select Organize
- Select Folder and Search Options
- Click the View tab
- Scroll down to the line "Hide file Extensions for known file types" and uncheck the box next to it.
- Click OK
On Windows XP:
- Double-click My Computer
- Click the Tools Menu item and then select Folder Options
- Click the View tab
- Scroll down to the line "Hide file Extensions for known file types" and uncheck the box next to it.
- Click OK
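Why the hidden extension matters, as an added example that is not part of the original JMU page: the sketch below computes the name shown when extensions of known file types are hidden and flags names whose visible part ends in a document-style extension while the real type is a program. The extension sets and the sample listing are constructed for illustration and are not exhaustive.

```python
import os

# Constructed, non-exhaustive extension sets (assumptions for this example).
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
HARMLESS_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt", ".mp3"}
KNOWN_TYPES = RUNNABLE | HARMLESS_LOOKING

def split_name(name):
    """Return (stem, lower-cased final extension) of a file name."""
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()

def displayed_name(name, hide_known=True):
    """Name as listed when extensions of known file types are hidden."""
    stem, ext = split_name(name)
    return stem if hide_known and ext in KNOWN_TYPES else name

def deception_reason(name):
    """Say why a name misleads once its extension is hidden, else None."""
    stem, ext = split_name(name)
    if ext not in RUNNABLE:
        return None
    # The stem is all the user sees; does it end in a document-style extension?
    visible = stem.rstrip()
    if split_name(visible)[1] not in HARMLESS_LOOKING:
        return None
    return "double extension" if visible == stem else "padded double extension"

def audit(names):
    """Return (real name, displayed name, reason) for each misleading name."""
    findings = []
    for name in names:
        reason = deception_reason(name)
        if reason:
            findings.append((name, displayed_name(name), reason))
    return findings

# Constructed sample directory listing.
SAMPLE = ["report.docx", "invoice.pdf.exe", "holiday.jpg      .scr",
          "setup.exe", "notes.v2.txt", "Song.MP3.VBS"]

if __name__ == "__main__":
    for real, shown, reason in audit(SAMPLE):
        print(f"shown as {shown!r}, really {real!r}: {reason}")
```

With the box unchecked as described above, `displayed_name(name, hide_known=False)` returns the full name, so the final extension is visible.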
STEP 6 - Install security updates for other software you may have installed (e.g. iTunes, Winamp, Firefox, QuickTime, RealPlayer, Skype, Flash, Adobe Acrobat Reader)
People often add programs to their Windows computer. Many of these programs have security defects that can allow criminals and viruses to take control of the computer. In fact, these programs are currently more often the target of attacks and more responsible for infections than Microsoft software. A partial list of programs installed on a Windows computer can be found in the 'Add or Remove Programs' Control Panel.
Download locations for programs commonly installed that have serious and/or actively exploited security defects are listed below:
IT managed computers have many of the most common software titles monitored and updated automatically. In addition to the titles on the list, as threats surface other packages are added and/or configurations and workarounds are applied to minimize risk.
STEP 7 - Password protect your screen saver
Set your screen saver up so that you're required to type your password before it will unlock.
- Right-click any blank portion of the screen and select Properties
- Click the Screen Saver tab
- Click the "On resume, password protect" checkbox
All IT managed computers have passwords enabled on their screen saver.
STEP 8 - Set up and use a safer account for day to day use
Safer accounts for day to day use on Windows 7, Vista, and XP computers can be set up fairly simply. If you want to take one more step that will reduce risk more effectively than many of the other recommendations, set up a limited account on your Windows 7 computer for day to day use (the procedure for Windows XP and Windows Vista is similar except that the account on Windows XP is called 'limited' instead of 'standard').
Many of today's viruses and spyware will not install when using such an account. If they do install, their damage will be limited.
All IT managed computers have a safer user account set up for daily use. In addition, several technologies make it easier to use such accounts. Systems Management Services provides prepackaged software and updates that normally require the use of a more risky administrator account to be installed using the safer regular user account. BeyondTrust Privilege Manager enables many functions that normally require the risky administrator account to be performed with a safer, regular user account. Many desktop administration functions require administrative privileges if attempted manually by the operator of the computer. These tasks are mostly eliminated in the managed environment. Finally, Desktop Services can help analyze old and poorly written applications that still require administrator accounts to run. Altering various system privileges can often allow these applications to run under a regular user account without putting the computer at additional risk.
STEP 9 - Review Information on Safe Operating Practices and Current Threats and Issues
Once you have set up your computer in a way that will protect it and you, it is important to realize that your operating habits can reverse all the work you've done and allow criminals or viruses to take control of your computer or information. Please review the JMU Computing Security web page for guidelines on operating it in a safe manner, common mistakes, and current threats and issues. If you must store sensitive data associated with JMU business or constituents on a laptop or other portable device, contact JMU Security Engineering at it-security@jmu.edu for assistance.
Addendum:
- File/Music Sharing Programs
- USB Portable Storage Devices
File/Music Sharing Programs
If not configured, maintained, and operated properly, file sharing programs may be the cause of numerous problems:
- They may share sensitive information stored on your computer with the whole world
- They may share copyrighted information stored on your computer exposing you to serious fines, legal problems, and/or action by JMU offices such as Judicial Affairs, Human Resources, and JMU IT.
- Security defects in the software may allow others to take control of your computer
- They may expose you to malicious files
These programs must not be installed on computers processing or storing JMU sensitive data.
If there is not an academic or business need for the program, it should not be installed on a JMU owned computer.
USB Portable Storage Devices
There are large numbers of malicious programs circulating that will infect such devices or allow such devices to infect computers to which they are connected. USB devices include USB keys, USB disk drives, cameras, and digital picture frames. Risk reduction measures:
- Do not plug or allow others to plug unknown or untrusted USB devices of any type into your computer, particularly if the computer processes or stores sensitive data. On Windows computers, hold the Shift key down while inserting the device and continue holding it down until Windows tells you the device is ready. This will disable any autorun functionality. You may need to double-click the folder to view the contents and, if trusted, open individual files.
- Use caution when plugging your USB device into an unknown or untrusted computer. If the device has a write protect switch, use it. If the device contains sensitive data, do not plug it into unknown or untrusted computers at all.
JMU sensitive data must not be stored on such devices without prior approval and only then if it is encrypted.
Linux/Unix