Securing Workstations

General Security Practices For All Systems

Eliminate all extra services.

Only allow services to run on your machine that you absolutely need. For example, unless you have a reason to have a web server on your host, do not install or turn one on. Also, remove any demonstration copies of software that came with your operating system. Know what services should be running on your host.

Know who logs in to your system.

Be aware of all people who log in to your system and log all of their activities. Take time to carefully plan groups and their permissions. Only grant access rights that users need to perform their duties.

Use good passwords.

Do not use words from a dictionary, names, common phrases, etc. Do use combinations of lower and upper case letters, numbers, special characters, etc.

Safeguard passwords.

Do not write down your password for others to see, do not include it in email correspondence, and do not tell anyone else your password.

Change passwords often.

Important: Require users on your systems to change their passwords every 90 days.
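One way to check the 90-day rule on a Unix host is to read the password-aging fields of the shadow file. The following is an added example, not part of the original page; the account names and hashes are constructed placeholders, and `audit_shadow` is a hypothetical helper name.

```python
from datetime import date

MAX_AGE_DAYS = 90  # rotation interval required above

# Constructed shadow(5)-style lines; hashes are placeholders, not real values.
SAMPLE = """\
alice:$6$placeholder:19000:0:90:7:::
bob:$6$placeholder:19000:0:99999:7:::
carol:$6$placeholder:19500:0::7:::
daemon:*:18000:0:99999:7:::
dave:!$6$placeholder:18000:0:90:7:::
erin:$6$placeholder:19560:0:60:7:::
"""

def audit_shadow(text, today, max_age=MAX_AGE_DAYS):
    """Return {account: [reasons]} for accounts that miss the rotation policy."""
    today_days = (today - date(1970, 1, 1)).days
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line
        name, pw, last_change, max_days = fields[0], fields[1], fields[2], fields[4]
        if pw.startswith(("!", "*")):
            continue  # locked or no-login account: no password to rotate
        reasons = []
        # Field 5 is the maximum password age; empty means no expiry is enforced.
        if not max_days.isdigit():
            reasons.append("max_age:unset")
        elif int(max_days) > max_age:
            reasons.append("max_age:" + max_days)
        # Field 3 is the date of the last change, in days since 1970-01-01.
        if last_change.isdigit() and int(last_change) > 0:
            age = today_days - int(last_change)
            if age > max_age:
                reasons.append("stale:%d" % age)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for account, reasons in audit_shadow(SAMPLE, date(2023, 8, 1)).items():
        print(account, ", ".join(reasons))
```

Accounts whose password field starts with `!` or `*` are skipped because they cannot log in with a password.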

Password protect your screen saver.

This can prevent unauthorized people from getting access to your system.

Keep your system updated.

Apply patches, fixes, and service packs, when available. Keep your systems upgraded to the latest versions of software.

Virus Protection

Every campus machine should be running some type of virus protection. Faculty and staff should check with their department to see if virus protection software is provided. You can also check the Software Evaluation and Licensing Library, which provides McAfee VirusScan, along with many other software products. If you are a student, McAfee VirusScan is provided at no charge at software.tamu.edu.

Here are links to some vendors that provide virus protection software:

Many other vendors also provide antivirus products. No matter which product you choose, the most important thing to remember is to keep your virus signatures updated! Virus protection does not help if the software is not aware of the latest threats.

Encryption

Most data passing over the network is not encrypted. This includes traffic that may contain your account name and password. When logging in to a remote system using utilities such as telnet or ftp, your account name and password are sent over the network in plain text. Resolve this issue by encrypting all traffic between your host and a remote host.

Use the following utilities for protecting traffic:

SSH - Secure Shell. This is similar to telnet, but provides strong authentication and encryption.
Clients:

  • PuTTY - available for Win32 platforms and has an xterm terminal emulator.

SCP and SFTP - Secure Copy and Secure File Transfer Protocol. This is similar to ftp, but encrypts all file transfers.
Clients:

  • WinSCP - Secure Copy client for Windows 95/98/NT/2000/XP/ME
  • PuTTY - available for Win32 platforms and has an xterm terminal emulator.

SSL - Secure Sockets Layer. This is a protocol mainly used for securing http traffic.
Implementations:

  • OpenSSL - Open Source implementation of SSL
  • Apache-SSL - A secure web server based on Apache and OpenSSL

VPN - Virtual Private Network. This is available if you are connecting to campus from off campus (outside the campus firewall) and want all traffic encrypted. More information and VPN clients can be found at the Networking and Information Security VPN page.

Specific Operating System Preventions

Each operating system has different and specific vulnerabilities and preventions. The following provides information and links on each system to help keep your system secure.

For further information and discussion on vulnerabilities and patches for all operating systems and the applications that run on them, join the Bugtraq Mailing List from Security Focus.

Windows

Personal Firewalls - These provide protection for your system from intrusions and attacks. These firewalls can be configured to block certain types of traffic from reaching your host. More information about these firewalls, and how to configure them, can be found at their sites:

Microsoft Baseline Security Analyzer - MBSA performs local or remote scans of Windows systems and looks for missing hot fixes and vulnerabilities.

Windows Update - Windows Update scans your computer and provides you with a selection of updates available for your machine.

NTBugtraq Mailing List - This mailing list is used for discussion of security bugs found in Windows NT, Windows 2000, and Windows XP and their related applications.

Unix

Tiger - This program was written at Texas A&M to provide security checks for Unix systems.

Logdaemon - These replacement daemons provide better access control and logging capabilities than those that normally come with Unix systems (rlogin, rshd, login, telnetd, etc.).

Wrapper Scripts - These scripts are written to "wrap around" other non-secure applications and provide secure communication.

Linux

Bastille Linux - The Bastille Hardening System attempts to secure the Linux operating system.