
StartSafe Information for JMU owned computers

last updated: Friday May 16, 2008 01:04 PM

If you must store sensitive data associated with JMU business or constituents on a laptop or other portable device, contact JMU Security Engineering at it-security@jmu.edu for assistance.

 

Most of these instructions apply to Windows computers. For others:

 

For Windows computers: ( The Desktop Services group in JMU's IT department performs these steps ( except optional step 9 ) on new Windows computers. All new computers deployed by them over the past year should have been set up this way.  If you get a "hand-me-down" computer or if your computer isn't set up by Desktop Services, you may want to verify these settings.)

 


STEP 1 - Enable a firewall on Windows XP and Windows 2003 Computers. If possible, do this before the computer is ever connected to a network. Note - New Windows XP computers, those running Windows XP Service Pack 2, and computers running Windows Vista have their firewalls enabled by default so no action needs to be taken.

Note: Brand new Windows computers come with Windows XP service pack 2 or Vista which comes with the firewall enabled by default. If you are setting up a brand new computer, you can skip this step.

Note: Computers set up by JMU IT Desktop Services and those joined to the JMU domain have this configuration set for them.


We must enable a firewall to keep criminals and their programs (viruses, worms, etc.) away from the defects on our computers. This will allow us to connect to the Internet and install updates to fix these defects. Afterwards, the firewall will help protect us against future defects and operating mistakes. This step is only necessary for Windows 2000, Windows XP, and Windows 2003 computers.

Windows XP and 2003:

  1. Click Start
  2. Click Control Panel.
  3. Click Network and Internet Connections
  4. Click the Network Connections Control Panel Icon
  5. Right-click Local Area Connection and select Properties
  6. Click the Advanced Tab. If you don't have an Advanced Tab, right-click Local Area Connection again and click Remove from Bridge. Then go back to Properties and Advanced Tab.
  7. Check the box labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet".
  8. Click OK
  9. Connect to the network
  10. Restart the computer

Windows 2000: (optional but recommended)

  • Right-click here, select Save Target As.., and download the firewall2000.exe file.
  • Create a folder  to store the firewall files.
  • Double-click the downloaded firewall2000.exe file and tell it to install the firewall files in the folder you created.
  • Double-click the firewall.hta file in that folder
  • Select Protect My Computer
  • Click Start.
  • Restart the computer
  • Now you can connect your computer to the network as the firewall will protect your computer while you fix the defects and vulnerabilities that ship with every new Windows computer.

     


    STEP 2 - Download and Install All Critical Updates from the Microsoft Windows Update Web Site


    This step will fix the defects in Windows software that let criminals take control of our computers (and our privacy, our identity, our network, etc.). This step can be time consuming because there are so many security updates to install, particularly for older computers. A later StartSafe step will have you configure your computer so it keeps itself up to date so you don't have to do this again.

    You must repeat the process until you're told that no more critical updates are available. Doing it once may leave you vulnerable.

    To update your Windows Vista computer:

    • Open Internet Explorer ( other browsers won't work )
    • In the menu bar, click Tools and then select Windows Update
    • In the Control Panel window that pops up, click Get updates for more products. This will start the installation of the Microsoft Update program which will better keep your computer up to date than the older Windows Update program.
      • Accept the terms of use.
      • Click install.
    • When the Control Panel window reappears, click Check for Updates and follow the remaining directions. You'll need to repeat this process until there are no more critical and security updates available.

    To update your Windows 2000, XP, or 2003 computer:

    • Open Internet Explorer ( other browsers won't work )
    • In the menu bar, click Tools and then select Windows Update.
    • If you see "NEW! Get Microsoft Update Today", then
      • Follow the instructions to install the new Microsoft Update program which will better keep your computer up to date than the older Windows Update program. Then come back here.
    • Otherwise,
      • Follow the instructions to update your computer. You'll need to repeat this process until there are no more critical and security updates available.
    • If you need them, instructions showing screen shots are available here but may vary somewhat from what you actually see depending on versions and platform.

    Older Microsoft Windows operating systems ( 95, 98, ME, NT ) are no longer supported, are not provided with security updates, and cannot be secured so they should not be used, particularly on a network.

     


    STEP 3 - Download and Install All Critical Updates from the Microsoft Office Update Web Site


    This step will fix the defects in Microsoft Office software that let criminals take control of your computer (and your privacy, your identity, our network, etc.).

    If you are running Microsoft Office 2000 ( as opposed to newer versions of Office ), download and install the Microsoft patch that makes Office 2000 work like more recent versions, helping to protect you from automatic exploitation of future Office defects.

    JMU has purchased a license for Microsoft products making newer versions of Office available to faculty and staff for their home computers under the "Work at Home" license terms. Upgrading Office 2000 to a newer version is particularly recommended. Installation CDs are available from the JMU Bookstore for $5-$6.

    New versions of Office and other Microsoft products can be purchased through JMU's Microsoft Select agreement.

     


    STEP 4 - Subscribe to the JMU Windows Software Update Service


    Note: Computers set up by JMU IT Desktop Services and those joined to the JMU domain have this configuration set for them.

    Once you are caught up with current critical Windows updates, you'll need to install new ones that come out about monthly. You can do this manually, or, if you have a Windows 2000, XP, or 2003 computer, you can subscribe to the JMU or Microsoft Windows Software Update service. When you subscribe to either service, your computer will update itself for you with no further action on your part. Just select an installation time and your computer will check for updates, download them, install them, and reboot at your selected time. If your computer is turned off at your selected installation time, it will perform the installation the next time it is powered on.

    The advantage of the JMU service over the Microsoft service is that updates are tested longer before being deployed. The advantage of the Microsoft site is that it's easier to set your computer up to use it and it supports more languages. The JMU service is strongly recommended for all desktop computers and laptop computers that are connected to the campus network on a daily basis during working hours.

    JMU IT Desktop Services sets up desktop computers to use the JMU service.

    Have more questions about the JMU Windows Software Update Service? See the FAQ.

    Caveats:

    • Laptops that are not connected on campus to the campus network daily during working hours should use the Microsoft service.
    • Neither the Microsoft nor the JMU update service supports Office 2000 products. If you are using Office 2000, you will need to visit the Microsoft Office Update web site once a month.
    • If you have set your computer up to use a language other than English, use the Microsoft service. The JMU service does not provide non-English updates.

     

    To subscribe to the Microsoft service, use the directions on the Microsoft web site. Be sure to return here and complete the rest of the StartSafe procedures starting at Step 4. Microsoft's Automatic Update Site directions.

    To subscribe to the JMU Windows Update service, use the following instructions: ( Internet Explorer 7 is not currently supported by this configuration utility as new default security settings must be lowered. A new configuration program will be provided for Internet Explorer 7 in the future. For now, subscribe to the Microsoft update service following the directions above. )

    1. The JMU web site must be configured in Internet Explorer's Trusted Security Zone for the configuration application to work. To do this:

    1. Click Internet Explorer's Tools menu and select Internet Options
    2. Click the Security tab
    3. Click the Trusted Sites picture.
    4. Click the Sites button
    5. Uncheck the "Require server verification(https:) for all sites in this zone" checkbox
    6. Add http://www.jmu.edu to the list of trusted web sites
    7. Click OK until all menus are closed.

    2. Click here to download Microsoft's latest automated update client ( WindowsUpdateAgent30-x86.exe ).

    3. Next, you run the JMU configuration program. When you click the link below to run the program, some computers will see a File Download window similar to the one below for the program that does the actual work. You will need to click Open or Run (not save) in response to the question "Would you like to open the file or save it to your computer?". Note: Internet Explorer will warn you that accepting such a program from untrusted or unknown sources can be hazardous to your privacy and the integrity of your computer. Never accept such a program from an untrusted web site or when it is unexpected.

     

    Some computers will display a warning like the one below two times. Click OK to run the automated updates configuration program. Never allow this from untrusted web sites or when the warning is unexpected.

     

    Click here to proceed (Be sure to unsubscribe from the service before you leave the university for the summer or permanently)

     


    STEP 5 - Install Anti-Virus Software Provided by JMU


    Note: Computers set up by JMU IT Desktop Services and those joined to the JMU domain have this configuration set for them.

    JMU has purchased a site license for Symantec Corporate Edition that allows all faculty, staff, and students to use the software both at the office and at home. The advantage of using this software is that it is provided pre-configured to offer the best security and is fully supported by the JMU Helpdesk.

    Symantec anti-virus software will be installed on your office desktop computer by your departmental support staff or IT desktop services. It is configured to automatically update itself from campus update servers and the web at least once a day.

    Having anti-virus software does not protect you from new viruses that are released daily. A clean virus scan of a program does not mean it's safe to run.

    You cannot legally install or distribute the JMU licensed Symantec anti-virus software on computers owned by people who are not current students or employees of JMU. You can, however, get free anti-virus software elsewhere. Here are three review articles on free anti-virus software products:

    http://www.pcmag.com/article2/0,1895,1864601,00.asp
    http://www.pcworld.com/reviews/article/0,aid,124475,00.asp
    http://antivirus.about.com/od/antivirussoftwarereviews/a/freeav.htm?rd=1

    For affiliates who set up their own computers, the Symantec anti-virus software can be downloaded from the Computing Downloads web page.

     


    STEP 6 - Make sure you have a STRONG password set on the Administrator account on Windows NT, 2000, XP, and 2003.


    Windows computers allow people and programs (or criminals and viruses) that can guess the Administrator password to take full control of your computer over the network. This happens quite often.

    If, when you follow these instructions to set the password, you get an error message like "access denied" it means you're logged into the machine with a non-privileged account. Simply logout (Start->Log Off (username)) and log back in as Administrator using a blank password.

    If your computer normally logs into Novell, you'll need to click the box on the login screen that says "workstation only" so you only log in to the local computer and not Novell.

    • On Windows NT systems:

       

      • Click Start->Programs->Administrative Tools->User Manager.
      • Double-click the Administrator entry and set a strong password.
      • Do not forget the password.

       

    • On Windows 2000 systems:

       

      • Right-click on the My Computer icon on your desktop and select Manage
      • Double-click on Local Users and Groups
      • Double-click on the Users folder.
      • Right-click on the Administrator icon and click once on Set Password.
      • Set a strong password.  Do not forget the password.
      • Click OK

       

    • On Windows XP systems:

      To change the Windows XP Administrator account password if you're logged in as Administrator:

      • Press the Ctrl, Alt, and Delete keys simultaneously.
      • Click Change Password
      • Type Administrator into the user box.
      • Type in a new strong password twice. Do not forget the password.
      • Click OK.

      To reset the Windows XP Administrator password:

      • Right-click on the My Computer icon on your desktop and select Manage
      • Double-click on Local Users and Groups
      • Double-click on the Users folder.
      • Right-click on the Administrator icon and click once on Set Password.
      • Set a strong password.  Do not forget the password.
      • Click OK

     


    STEP 7 - Configure your computer to display file names correctly


    Note: Computers set up by JMU IT Desktop Services and those joined to the JMU domain have this configuration set for them.

    Windows hides the real names of files from you which makes it easy for virus writers to fool you. It also makes it difficult to do something which should be simple - change a file name. You can tell your computer to tell you the truth about most file names by making the simple change below.

    On Windows Vista computers:

    • Click Start
    • Select Computer
    • Select Organize
    • Select Folder and Search Options
    • Click the View tab
    • Scroll down to the line "Hide file Extensions for known file types" and uncheck the box next to it.
    • Click OK

    On Windows XP, 2000, and 2003 computers:

    • Double-click My Computer
    • Click the Tools Menu item and then select Folder Options
    • Click the View tab
    • Scroll down to the line "Hide file Extensions for known file types" and uncheck the box next to it.
    • Click OK
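
What the "Hide file Extensions for known file types" setting does to a directory listing, as an added example that is not part of the original JMU page. The extension sets are a small assumed sample (Windows takes the real list from its registered file types), and the file names are constructed.

```python
import ntpath

# Assumption: a small illustrative sample of registered ("known") file types.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".mp3", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename, hide_known=True):
    """Return the name a file listing shows for `filename`.

    With hide_known=True (the Windows default) the final extension is
    dropped when it belongs to a known file type.
    """
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    if hide_known and stem and ext.lower() in KNOWN_EXTS:
        return stem
    return base


def is_disguised(filename):
    """True when the real extension is executable but the name shown with
    extensions hidden still ends in a document-style extension."""
    base = ntpath.basename(filename)
    real_ext = ntpath.splitext(base)[1].lower()
    shown_ext = ntpath.splitext(displayed_name(base))[1].lower()
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def audit(filenames):
    """Return (real name, name shown with extensions hidden) per disguised file."""
    return [(ntpath.basename(f), displayed_name(f))
            for f in filenames if is_disguised(f)]


# Constructed sample listing of a download folder.
SAMPLE = [
    r"C:\Downloads\syllabus.doc",
    r"C:\Downloads\vacation.jpg.exe",
    r"C:\Downloads\setup.exe",
    r"C:\Downloads\Invoice.PDF.scr",
    r"C:\Downloads\notes.v2.txt",
]

if __name__ == "__main__":
    for real, shown in audit(SAMPLE):
        print(f"shown as {shown!r}, really {real!r}")
```

With the box unchecked as this step instructs, `displayed_name(..., hide_known=False)` returns the full name, so the executable extension is visible before you double-click.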
     

     


    STEP 8 - Run a Spyware Removal Tool on Your Computer


    Several types of malicious programs that are often detected by anti-virus software have become common on the Internet and many computers have become infected with them. These programs can compromise your privacy and cause your computer to operate poorly. Two tools, Adaware and SpyBot, are available on the JMU Computing Downloads site.

    Depending upon your browsing and download/software installation habits, it would be a good idea to run one of these programs monthly. You can use the Windows Task Scheduler to start this automatically so you don't have to remember. Simply set up the Windows Task Scheduler to run it, for example, on the second Thursday of every month or whatever schedule would be best for you. To set this up, follow these instructions:

    • Click Start -> Programs -> Accessories -> System Tools -> Scheduled Task
    • Click Add Task
    • Select the program and schedule you want to run. It is not necessary to run both anti-spyware programs every month unless you are very promiscuous about your web browsing and download/software installation habits.

    Note: Anti-spyware and anti-virus programs are always out of date and susceptible to the newest threats. Using the optional safer account described in step 10 can prevent even new ones from being able to fully infect your computer.

     


    Step 9 - Install  security updates for other software you may have installed ( e.g. iTunes, Winamp, Firefox, QuickTime, RealPlayer, Skype, Flash, Adobe Acrobat Reader )


    People often add programs to their Windows computer. Many of these programs have security defects that can allow criminals and viruses to take control of the computer. Check the list of critical security updates for software that you may have installed on your computer. You only need to update these programs if they have been installed on your computer. A list of programs installed on a Windows computer can be found in the 'Add or Remove Programs' Control Panel.

    Download locations for programs commonly installed that have serious and/or actively exploited security defects are listed below:

     


    Step 10 - Password protect your screen saver


    Set your screen saver up so that you're required to type your password before it will unlock. On Windows XP:

    • right-click any blank portion of the screen and select properties
    • click the Screen Saver tab
    • Click the On resume, password protect checkbox

     


    STEP 11 - Configure your e-mail client to keep your communications with the JMU e-mail server private


    If you use an IMAP or POP e-mail client ( e.g. Outlook, Thunderbird, Entourage, Netscape, Eudora ) set it up to require SSL protected sessions. Instructions for the JMU e-mail service can be found here.

    In addition to ensuring your communications are private, if you don't do this, you may not be able to reach the JMU e-mail server from off-campus.

     


    Step 12 ( optional but STRONGLY recommended )  - Set up and use a safer account for day to day use


    Safer accounts for day to day use on Windows XP and Vista computers can be set up fairly simply. If you want to take one more step that will reduce risk more effectively than many of the other recommendations, set up a limited account on your Windows XP computer for day to day use ( procedure for Windows Vista is similar except that the account is called 'standard' instead of 'limited' ).

    Most of today's viruses and spyware will not install when using such an account. If they do install, their damage will be limited.

    If you don't use such an account, the chances are high your computer will be infected with Spyware and other unwanted programs, particularly if you use Internet Explorer as your browser.

     

     


    Step 13 - Review Information on Safe Operating Practices and Current Threats and Issues


    Once you have set up your computer in a way that will protect it and you, it is important to realize that your operating habits can reverse all the work you've done and allow criminals or viruses to take control of your computer or information.  Please review the JMU Computing Security web page for guidelines on operating it in a safe manner, common mistakes, and current threats and issues. If you handle constituent, partner, financial, or other sensitive information, please review the Protecting Sensitive Information material. If you must store sensitive data associated with JMU business or constituents on a laptop or other portable device, contact JMU Security Engineering at it-security@jmu.edu for assistance.

     


    Addendum:

    • File/Music Sharing Programs
    • USB Portable Storage Devices

     


    File/Music Sharing Programs

    If not configured, maintained, and operated properly, file sharing programs may be the cause of numerous problems:

     

    • They may share sensitive information stored on your computer with the whole world
    • They may share copyrighted information stored on your computer exposing you to serious fines, legal problems, and/or action by JMU offices such as Judicial Affairs, Human Resources, and JMU IT.
    • Security defects in the software may allow others to take control of your computer
    • They may expose you to malicious files

    The University of Chicago has published a comprehensive web page providing instructions to prevent popular file sharing programs from publishing to the Internet. It is strongly recommended that you use the instructions to disable publishing.

    These programs must not be installed on computers processing or storing JMU sensitive data.

    If there is not an academic or business need for the program, it should not be installed on a JMU owned computer.

     

    USB Portable Storage Devices

    There are large numbers of malicious programs circulating that will infect such devices or allow such devices to infect computers to which they are connected. USB devices include USB keys, USB disk drives, cameras, and digital picture frames. Risk reduction measures:

    • Do not plug or allow others to plug unknown or untrusted USB devices of any type into your computer, particularly if the computer processes or stores sensitive data. On Windows computers, hold the shift key down while inserting the device and continue holding it down until Windows tells you the device is ready. This will disable any autorun functionality. You may need to double click the folder to view the contents and, if trusted, open individual files.
    • Use caution when plugging your USB device into an unknown or untrusted computer. If the device has a write protect switch, use it. If the device contains sensitive data, do not plug it into unknown or untrusted computers at all.

    JMU sensitive data must not be stored on such devices without prior approval and only then if it is encrypted.

     

     
