Individual Workstation Security Guidelines  

These guidelines apply to computing devices that are used as workstations by staff and faculty of the University of Connecticut. Many of the guidelines also apply to portable computers, laptops, and other devices that may be temporarily connected to the University computer network or used in University settings. The guidelines generally are not directed toward devices that operate as network, database, or e-mail servers.

The following guidelines have been placed into three categories. In some instances, a guideline may seem to apply to more than one category, but has been placed in only one to minimize redundancy.

Confidentiality is the assurance that data can only be seen or used by people that are properly authorized to see or use the data.

  • Use password-protected startup procedures, especially for workstations connected to the University network.
  • When systems will not be used for extended times (for example, at night or over weekends), turn off the workstations. Note that some departments may have processes for off-hour virus scanning, data backups, or software update distribution. These processes may impact decisions about turning off workstations.
  • Do not leave your PC logged on to any application requiring authentication and authorization if you leave your work area.
  • Use a password-protected screen saver that is set to run after 15 minutes of inactivity. Turn off your monitor after 30 minutes.
  • Limit access to the device - Appropriate steps should be taken to physically secure the device and its storage media to prevent unauthorized access.
  • Network folder or file sharing capability should be enabled only if it is essential that others be able to access these folders or files on your workstation. Apply passwords and access rules to restrict access to shared folders and files.  In some instances, it may be appropriate to consider use of firewall programs to further protect workstations.
  • When creating local accounts, follow guidelines for selecting a strong password.
  • If the workstation is used to store or transmit highly confidential data, consider using file encryption techniques.
  • Consider having your administrator use anti-spyware programs to detect and remove programs that are designed to collect information and send it to someone else without your knowledge.

Data Integrity is the assurance that current values of data are as they should be and that there have been no unauthorized changes to the data.

 
  • Learn to recognize the programs and files on your workstation so you can identify programs, files, or events that are unusual.
  • Keep files from unknown sources off the workstation - Accepting files from others by opening attachments, downloading files from web pages or peer to peer (p2p) networks, or other means can be risky. Each time a new file is presented, a judgment as to the reliability of the source should be made before loading it to the device. If unsure, delete the file.
  • Use HuskyPC recommended software versions and talk with your department administrator before installing other software.
  • Keep the device's operating system(s) and applications software up to date
    • Run the latest service pack and the latest security patches labeled critical that are available from the Windows update site. Use the Automatic Updates feature with a daily schedule to automatically download and install patches at a period the computer is most likely to be on.
    • Review the lists of other updates available for your operating system and applications. Some updates will be applicable to your uses and others will not. Updates that correct security-related defects should be downloaded and applied.
    • Develop and maintain a list of sources of information about security problems and software updates for your system and application software. Many vendors maintain web sites to provide such information and provide mailing lists that send out information.  Check with your administrator to see if software management and distribution services are available from UITS.  If they are, use the services.

  • Identify the level of protection needed for files, directories, devices, and objects on the device and configure the computer's operating system(s) accordingly.
  • Disable any unnecessary network, operating system or stand alone services or products. New computers generally come with a range of network service software enabled by default. The more services that are enabled, the more opportunity there is for security exposure. Features that are not needed and products that are not going to be used should be turned off or deleted to reduce vulnerability. Network scans or software that identifies open services can be obtained from the security group to ensure that services have been configured correctly.
  • If your workstation operating system provides firewall features, use them and configure the firewall as your department suggests. If your operating system does not provide firewall features, consider whether or not it may be appropriate to license firewall software for that workstation.
  • Use the University's anti-virus software.
    • Use File System Realtime Protection (the current installation default), so that the software can constantly protect from malicious code.
    • Establish a daily schedule for the computer to retrieve and install new virus definitions and software updates.
    • Create a schedule for scanning the full system for viruses at least once a month.
    • University ITS provides information on downloading and installing Norton Anti Virus software.  Use this (security.uconn.edu) as your source for anti-virus software to ensure that you are using the version fully supported by UITS.
    • When UITS provides the service, install the anti-virus software in the 'managed' mode to allow for the anti-virus policies to be applied automatically.  This also provides a way for Administrators to push definitions "on the fly" when significant risks occur. 
    • Watch for abnormal behavior of the anti-virus software.  Unusual actions, unexpected report lines, or changes in icons could indicate that a virus has impacted the software.
  • If scheduled scans and software updates are set to run at times while you must be away from your PC, make sure that your PC is turned on during that period.
  • When allowed by your e-mail program, keep the inbox 'preview pane' closed to prevent certain types of malicious code from executing anytime that you select a new message.
  • Configure email programs to not render html or other scripting languages.
  • Be suspicious of SPAM messages. Responding to SPAM only confirms that an address is valid and often results in more SPAM messages. Develop a routine process for disposing of SPAM.
  • Be aware of the logging capabilities of your system and analyze the information for possible security breaches (e.g. additions and deletions of files and directories, modification dates, etc.).

Data Availability is the assurance that data is available to authorized users when they normally expect to use it.

  • Backup files - A backup of the entire system should be created periodically. Backups of critical data files should be made as they are updated.
  • For most data, the frequency of backup and the number of retained backup generations should reflect the impact of losing the data. The greater the impact of losing data, the more frequently it should be backed up to minimize that loss.
  • Verify that backup files are stored securely.  They may be in a secure server location or a separate location on a CD or zip disk.
  • Periodically verify that backup copies can be used to restore lost or damaged data.
  • When defining data backup procedures, remember to copy routine files, e-mail address books, and internet "favorites" that may be difficult to recreate.
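
One way to carry out two of the checks above, reviewing a folder for added, deleted, or modified files and confirming that a test restore returns every file intact, is to compare SHA-256 snapshots of the two folders. This is an added example, not part of the original guidelines; the function names and the choice of SHA-256 are assumptions of the example.

```python
import hashlib
import os
import sys


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digests[rel] = h.hexdigest()
            except OSError:
                digests[rel] = None  # locked or permission denied
    return digests


def compare(baseline, current):
    """List files added, removed or changed since the baseline snapshot.
    A file that could not be read on either side counts as changed."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common
                          if baseline[p] is None or baseline[p] != current[p]),
    }


def restore_is_complete(source_root, restored_root):
    """A test restore passes only if every source file came back unchanged.
    Extra files in the restored tree are reported but do not fail the check."""
    diff = compare(snapshot(source_root), snapshot(restored_root))
    return (not diff["removed"] and not diff["changed"]), diff


if __name__ == "__main__":
    # Usage: python check.py <original folder> <test-restored folder>
    ok, diff = restore_is_complete(sys.argv[1], sys.argv[2])
    print("restore OK" if ok else "restore INCOMPLETE", diff)
```

For the file-change review, keep the dictionary returned by `snapshot` from a known-good day and pass it to `compare` with a fresh snapshot of the same folder.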

Last updated on June 17, 2004