This document defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.
These classifications are additive, meaning that a device must meet the standards of its own classification level as well as those of every less restricted level. Confidential information has the most restrictions, and Unrestricted the least. The classifications can be viewed here.
Access to Unrestricted Information: No restriction for viewing, copying or printing. Departments determine protocol for modification of information.
(systems utilizing an operating system designed specifically for mobile devices. Examples would include Android, iOS, Windows Phone, Firefox OS, Sailfish OS, Tizen, Ubuntu Touch OS, Blackberry)
Recommended: Current operating system with updates turned on.
To make sure that your iPhone has the most current operating system, open the Settings app, choose General and then Software Update. From Settings > General > Software Update you can see whether you have the current version or an update is available. If there is one, follow its instructions to download and install it, which may require restarting your phone.
To make sure that your Android has the most current operating system, open the Settings app, choose About phone and then select the Software Update menu. From Settings > About phone > Software Update you can see whether you have the current version or an update is available. If there is an update, follow its instructions to download and install it, which will restart your phone.
When a software update is available for you to download, Microsoft will notify you so you can download it directly to your phone over a Wi-Fi or cellular data connection. (Your phone will need 3G or greater to download updates over a cellular data connection.)
Before you download and install an update:
Updates won't download if data settings on your phone prevent it. For example, both Data Sense and Battery Saver can limit how your phone uses data. To learn more, see Battery: making it last. (Not all mobile operators offer Data Sense.)
Windows Phone will let you know when new updates are available. If you check manually for an expected update and your phone appears to be up to date, it may be that it isn't available yet for your specific phone, mobile operator, or market.
Have a Lumia phone? Check out the Microsoft Mobile Devices website to see if there's updated software for your phone model.
Recommended: Patched and officially supported version of the operating system, current antivirus client, and user name and password required for all accounts.
To ensure that your operating system is up to date click on the apple icon in the upper left corner of your screen and select “About This Mac”. The following window will open up, in which you then click on “Software Update…”
This will then launch the App Store, where a software update will appear if there is one. Simply hit “Update” next to it to begin the update process. Be aware that this may require your computer to restart.
You can then check that it was successful by opening “About This Mac” again and seeing the new version listed.
To enable or update your password protection settings hit the apple icon in the upper left corner of your screen and select “System Preferences…”. This will open the window below, on which you then want to click “Security & Privacy”.
Within that you want to click on the lock icon in the bottom left corner of the menu, which will prompt you to enter your password, and unlock all of the options.
Now you can change your password, change how soon after sleep or the screen saver begins a password is required, and disable automatic login.
If your computer is University owned it should already have System Center Endpoint Protection installed. You can manage the settings and preferences by clicking on the icon in the upper right corner of your screen.
If your computer is not university owned, obtain an antivirus product of your choice and follow its instructions to set it up.
There is one thing to understand about updating Linux: not every distribution handles this process in the same fashion. In fact, distributions differ right down to the package format they use for package management.
We will cover the Ubuntu and Fedora systems using both the GUI as well as the command line tools for handling system updates.
Ubuntu offers two different tools for system updates: the graphical Update Manager and the command-line apt tools.
Figure 1: Ubuntu Update Manager.
The Update Manager is a nearly 100% automatic tool. With it you will not have to routinely check whether updates are available; instead you will know, because the Update Manager opens on your desktop (see Figure 1) as soon as updates are available, on a schedule that depends on the type of update.
If you want to manually check for updates, you can do this by clicking the Administration sub-menu of the System menu and then selecting the Update Manager entry. When the Update Manager opens click the Check button to see if there are updates available.
Figure 1 shows a listing of updates for an Ubuntu 9.10 installation. As you can see there are both Important Security Updates and Recommended Updates. To get information about a particular update, select it and then click the Description of update dropdown.
To install the packages, select the updates you want and click Install Updates; you will be prompted for your password.
The updates will proceed and you can continue with your work. Some updates may require you to log out of your desktop and log back in, or to reboot the machine.
Once all of the updates are complete the Update Manager main window will return reporting that Your system is up to date.
Figure 2: Updating via command line
Now let's take a look at the command-line tool for updating your system. The Ubuntu package management system is called apt; bringing the system up to date is a two-step process: refresh the package index first, then upgrade the installed packages (both steps need root privileges, normally via sudo).
That's it. Your system is now up to date. Let's take a look at how the same process happens on Fedora (Fedora 12 to be exact).
Fedora is a direct descendant of Red Hat Linux, so it benefits from the Red Hat Package Management system (rpm). Like Ubuntu, Fedora can be updated either graphically, with PackageKit, or from the command line, with yum.
Figure 3: GNOME PackageKit.
Depending upon your desktop, you will either use the GNOME or the KDE frontend for PackageKit. In order to open up this tool you simply go to the Administration sub-menu of the System menu and select the Software Update entry. When the tool opens (see Figure 3) you will see the list of updates. To get information about a particular update all you need to do is to select a specific package and the information will be displayed in the bottom pane.
To go ahead with the update click the Install Updates button. As the process runs, a progress bar will indicate how far GNOME (or KDE) PackageKit has got through downloading and installing the updates.
When the process is complete, GNOME (or KDE) PackageKit will report that your system is up to date. Click the OK button when prompted.
Now let's take a look at updating Fedora via the command line. As stated earlier, this is done with the yum command, run as root (or via sudo); it refreshes the repository metadata and installs every available update in one step.
Figure 4: Updating with the help of yum.
Your Fedora system is now up to date.
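The two command-line procedures above (apt on Ubuntu, yum or its successor dnf on Fedora) are combined below in one script. This is an added example, not from the OSU page or either distribution's documentation: the package-manager commands, /etc/os-release and the /var/run/reboot-required marker are real, while the function names and the DRY_RUN switch are the example's own. It detects the distribution, refreshes the package index before upgrading (the step that is easy to skip, which leaves apt installing stale versions), and reports whether a reboot is still needed, which the page notes some updates require.

```shell
#!/bin/sh
# Added example (not from the OSU page): apply pending updates on Ubuntu or
# Fedora/RHEL-family systems from one script.  Package-manager commands,
# /etc/os-release and /var/run/reboot-required are real; the function names
# and DRY_RUN are this example's own.  Run as root (or under sudo).
set -eu

# Print "apt" or "dnf" for the os-release file given as $1 (default
# /etc/os-release).  os-release is designed to be sourced as shell.
pkg_manager() {
    os_release=${1:-/etc/os-release}
    ids=$(. "$os_release" && echo "${ID:-} ${ID_LIKE:-}")
    case " $ids " in
        *" debian "*|*" ubuntu "*)            echo apt ;;
        *" fedora "*|*" rhel "*|*" centos "*) echo dnf ;;
        *) echo "unsupported distribution in $os_release" >&2; return 1 ;;
    esac
}

# Run a command, or just print it when DRY_RUN=1 (lets you review first).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Refresh the package index, then install every available update.
apply_updates() {
    mgr=$(pkg_manager "${1:-/etc/os-release}") || return 1
    case "$mgr" in
        apt)
            run apt-get update
            run apt-get -y dist-upgrade   # unlike upgrade, allows new deps/kernels
            ;;
        dnf)
            if command -v dnf >/dev/null 2>&1; then
                run dnf -y upgrade
            else
                run yum -y update         # older Fedora/CentOS (yum syntax)
            fi
            ;;
    esac
}

# Exit status 0 when the system still needs a reboot for updates to take effect.
reboot_needed() {
    [ -f /var/run/reboot-required ] && return 0           # Debian/Ubuntu marker
    if command -v needs-restarting >/dev/null 2>&1; then   # dnf-utils / yum-utils
        needs-restarting -r >/dev/null 2>&1 || return 0    # exits 1 when reboot needed
    fi
    return 1
}

# Usage: sh update.sh --apply    (DRY_RUN=1 sh update.sh --apply to preview)
case "${1:-}" in
    --apply)
        apply_updates
        if reboot_needed; then echo "Reboot required to finish applying updates."; fi
        ;;
esac
```

dist-upgrade is used rather than upgrade so that kernel and dependency changes are not silently held back; review the preview output before running it for real on a server.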
Username and password required for all accounts.
You can set or change a password with the passwd command in a terminal window. Accounts that must never be used for logging in should be locked (passwd -l) rather than left with an empty password.
Recommended: Patched and supported version of the operating system, current antivirus client, username and password required for all accounts.
Patches: to make sure your Windows workstation is patched, open the Start menu, type "Windows Update" in the search field and click on the program.
In here you will either see that Windows is up to date or what updates are available to be installed.
Supported versions: As of this writing, anything newer than Windows XP is still supported by Microsoft. Windows Vista support will be dropped 4/11/2017.
Windows 7: To find out whether antivirus is installed, click the Start button, open the Control Panel and click System and Security, then click "Review your computer's status"; this shows whether virus protection is active. NOTE: Some antivirus products don't report themselves to Windows. If you believe that you have antivirus installed, search for it on your computer and make sure that it is running even if Windows does not report it.
Required: Patched and supported version of the operating system, username and complex password required for all accounts, all unused services disabled, system dedicated to server functions only (no web browsing, etc.)
Required: Patched and supported version of the operating system, current antivirus client, login required by GPO, use of service accounts only, complex passwords with minimum length, system dedicated to server functions only (no web browsing, etc.)
Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information plus:
Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.
Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee
Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.
Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.
To set a lock screen and passcode, open the Settings app, enter the Security menu and select Screen lock. Choose anything other than "None" or "Swipe"; this both enables the lock screen and provides a sufficient passcode.
To disable notifications on the lock screen, open the Settings app and tap Sound & notification. Scroll down to the Notification section, tap "When device is locked" and switch it to "Don't show notifications at all".
Note: This only applies to devices running Android 5.0 (Lollipop) and above. Some older devices also support encryption but it will be device specific.
To encrypt your device open the settings app and tap on security. There will be an “Encrypt phone” option. Tap on this and then read through the information. Tapping the encrypt phone button will begin the encryption process.
Android does not encrypt the SIM card itself; what it offers is the SIM card lock, a PIN that must be entered before the SIM can be used in any phone. To enable it, open the Settings app, tap Security and then "SIM card lock". Tap Lock SIM card, after which you can change the PIN to one of your choosing.
On iOS, to set or change your passcode go into the Settings app and select "Touch ID & Passcode" ("Passcode" on devices without Touch ID). Within that hit "Turn Passcode On" to create one; if you already have one you will be prompted to enter it first. When you turn it on or change it you can choose the type of passcode: a simple 4-digit numeric code, or the more secure option of setting your own passcode of whatever length you choose. After setting your new passcode we recommend testing it a few times to make sure you remember it.
To disable notifications on the Lock Screen, in the same "Touch ID & Passcode" menu toggle off the "Notifications View" switch under "Allow Access When Locked", along with any others you'd like turned off.
To lock the SIM go into the Settings app, select Phone, and then SIM PIN. IMPORTANT: the PIN is provided by your carrier; do not activate the switch without already knowing it, because three wrong attempts lock the SIM and it can then only be unlocked with the PUK from the carrier.
Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.
Windows Phone 8
To set a time limit for the screen timeout, on the "lock screen" settings page tap the "Screen times out after" field and select the time limit you want.
To control whether notifications show when your phone is locked
To enable encryption on a Windows Phone 8 or Windows Phone 8.1 device you first have to require it in a "mobile device mailbox policy" on the Exchange server.
Perform the following steps on your Exchange Server:
Perform the following steps on your SMC Server:
You have now configured everything on your Exchange and Sophos Mobile Control (SMC) servers needed to make a Windows Phone 8 device use its built-in encryption.
Be aware that the device shows no progress indicator while it encrypts.
How to verify that encryption is turned on on the mobile device
Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.
Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and applications configured for auto update unless centralized patch management is implemented by the cognizant OSU IT support team, password complexity enabled, remote access restricted.
Recommended: Gatekeeper enabled and configured to allow applications from App Store and Identified Developers only,
To turn the firewall on select "Security & Privacy" and click the Firewall tab. Then click the lock in the bottom corner and enter your password to allow changes. Once that's done you can select "Turn On Firewall" and the icon should turn green, indicating it is now on.
To stop items you don't need from launching at startup, select the "Users & Groups" menu, open the Login Items tab for your account and remove any you don't want.
To disable the sharing of devices and data, go to the “Sharing” menu and deselect any that may be turned on.
To configure auto-updates choose the “App Store” menu and make sure that “Automatically check for updates” is checked.
Under the “Security & Privacy” menu, in the “General” tab, make sure that the “Mac App Store and identified developers” radio button is selected.
Host-based firewall active,
iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:
sudo apt-get install iptables
There are graphical front-ends such as Firestarter, but iptables isn't really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you're SSH'd into a server, because one wrong command can lock you out until it is fixed at the console of the physical machine.
iptables (in its default filter table) uses three chains: INPUT, FORWARD and OUTPUT.
Input– This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.
Forward– This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.
There's one sure-fire way to check whether your system uses or needs the forward chain: list the chains together with their packet counters.
iptables -L -v
Run on a server that had been up for a few weeks with no restrictions on incoming or outgoing connections, this showed that the input chain had processed 11GB of packets and the output chain 17GB, while the forward chain had not processed a single packet, because the server does no forwarding and is not used as a pass-through device.
Output– This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.
Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.
Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?
To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command (piping its output through grep policy shows only the policy lines).
On the example system all three chains are configured to accept unmatched traffic.
If you would rather deny all incoming connections and manually specify which ones are allowed, change the default policy of the INPUT chain to DROP. This is most useful for servers that hold sensitive information and are only ever contacted from the same IP addresses. Before you do it, add rules that accept loopback traffic and packets belonging to already established connections; otherwise replies to the server's own outgoing connections, and your current SSH session, are dropped as soon as the policy changes.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.
Accept– Allow the connection.
Drop– Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.
Reject– Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.
The best way to show the difference between these three targets is what a PC sees when it pings a Linux machine whose iptables is configured with each one.
Allowing the connection: the ping receives normal replies.
Dropping the connection: the ping gets no answer at all, and each request times out.
Rejecting the connection: each request is answered immediately with an ICMP unreachable error (icmp-port-unreachable by default), so the sender knows a firewall blocked it.
With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.
Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.
This example shows how to block all connections from the IP address 10.10.10.10.
iptables -A INPUT -s 10.10.10.10 -j DROP
This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP
Connections to a specific port
This example shows how to block SSH connections from 10.10.10.10.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.
This example shows how to block SSH connections from any IP address.
iptables -A INPUT -p tcp --dport ssh -j DROP
As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?
That’s where connection states come in, which give you the capability you’d need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
The changes that you make to your iptables rules are lost the next time the iptables service is restarted (or the machine reboots) unless you save them. The command to do so differs by distribution:
Red Hat / CentOS:
/sbin/service iptables save
List the currently configured iptables rules with iptables -L.
Adding the -v option gives packet and byte counters, and adding -n lists everything numerically, i.e. hostnames, protocols and networks are shown as numbers rather than resolved.
To clear all the currently configured rules, issue the flush command, iptables -F. A flush removes rules but leaves the chain policies alone, so on a host whose INPUT policy is DROP it cuts off all incoming traffic, including your own SSH session.
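Putting the pieces above together, here is a complete default-deny INPUT rule set of the kind a server holding sensitive data needs, written in the format iptables-restore reads so it can be reviewed as a file before it is loaded. This is an added example, not from the OSU page or the How-To Geek text it draws on; iptables, iptables-restore (including its --test option), iptables-save and netfilter-persistent are real commands, while the function names, the admin network 10.10.10.0/24 and the backup path are the example's own. Two things the page's rules leave out are included: loopback and ESTABLISHED,RELATED traffic are accepted before the DROP policy applies (without them a DROP policy breaks local services and every reply to the server's own connections), and the load is wrapped in an automatic rollback so a mistake does not lock you out of an SSH session. -m conntrack --ctstate is the current spelling of the -m state --state match used above.

```shell
#!/bin/sh
# Added example (not from the OSU page or How-To Geek): a complete default-deny
# INPUT rule set for a server that holds sensitive data, generated in
# iptables-restore format so it can be reviewed and tested before it is applied.
# iptables, iptables-restore, iptables-save and netfilter-persistent are real;
# the functions, the ADMIN_NET value and the backup path are this example's
# own.  Needs root to apply.
set -eu

# Emit the rule set.  $1 = network allowed to open SSH sessions (CIDR).
gen_rules() {
    admin_net=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must always be allowed; a bare DROP policy breaks local services
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (e.g. ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping so the host stays diagnosable without being a flood target
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# only the admin network may open new SSH sessions
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate-limited) and falls through to the DROP policy
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Apply with a safety net: save the current rules, check the new file parses,
# load it, and schedule an automatic rollback that you cancel once you have
# confirmed you can still log in.  Usage: apply_rules rules.v4 [seconds]
apply_rules() {
    rules=$1; grace=${2:-120}
    backup=/root/iptables.backup.$$
    iptables-save > "$backup"
    iptables-restore --test < "$rules"   # parse only; catches typos before they bite
    iptables-restore < "$rules"
    ( sleep "$grace" && iptables-restore < "$backup" ) &
    echo "Rules loaded; rollback in ${grace}s unless you run: kill $!"
}

# Show what is loaded: -v adds packet/byte counters, -n skips DNS lookups,
# --line-numbers gives the positions you need for iptables -I / -D.
show_rules() { iptables -L -n -v --line-numbers; }

# Persist across reboots (distribution specific).
save_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save              # Debian/Ubuntu: iptables-persistent
    elif [ -x /sbin/service ] && [ -f /etc/sysconfig/iptables ]; then
        /sbin/service iptables save            # RHEL/CentOS 6 style
    else
        iptables-save > /etc/iptables.rules    # restore at boot with iptables-restore
    fi
}

case "${1:-}" in
    --print) gen_rules "${2:?usage: --print ADMIN_NET}" ;;
    --apply) f=$(mktemp) && gen_rules "${2:?usage: --apply ADMIN_NET}" > "$f" && apply_rules "$f" ;;
esac
```

Run sh fw.sh --print 10.10.10.0/24 to review the file, then --apply from a console or from a host inside the admin network; only run save_rules after the rollback timer has been cancelled and a fresh SSH login has been confirmed.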
lock screen installed/enabled,
auto login disabled,
1. Open /etc/profile and append the TMOUT variable as in the example below:
export TMOUT=600 # 10 minutes in seconds
typeset -r TMOUT
This sets the idle timeout to 600 seconds (10 minutes); typeset -r makes the variable read-only so that users cannot change or unset it. Save the file and exit. Note that the shell is case-sensitive: the keyword must be written in lower case as export.
2. Alternatively, create the file /etc/profile.d/sessiontimout.sh containing the same two lines:
export TMOUT=600 # 10 minutes in seconds
typeset -r TMOUT
Save and exit the file.
Scripts in /etc/profile.d are sourced by /etc/profile, so they need only be readable; making the file executable as well does no harm:
chmod +x /etc/profile.d/sessiontimout.sh
To accomplish this for an individual user instead, open that user's ~/.bashrc and add the same two lines (export TMOUT=600 and typeset -r TMOUT).
Save the file and source it, or log out and back in, so that the setting takes effect. Keep in mind that TMOUT only logs out idle interactive shells (console and SSH sessions); it is not a graphical lock screen, and it only reaches shells that read /etc/profile or ~/.bashrc.
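Added example (not from the OSU page or the blog post the steps above come from): a script that writes the /etc/profile.d file described above and checks what a shell actually sees after sourcing it. It adds one guard the steps above lack: TMOUT is only set, exported and made read-only in interactive shells, because bash also applies TMOUT as the default timeout of the read builtin, so an unguarded read-only TMOUT in /etc/profile can make non-interactive login scripts fail. readonly is the POSIX spelling of typeset -r. The file name and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the OSU page): generate the /etc/profile.d timeout
# script so that TMOUT is set, exported and made read-only only in interactive
# shells, then verify what a login shell actually sees.  TMOUT, readonly and
# /etc/profile.d are real; the file name and the function names are this
# example's own.
set -eu

# write_timeout_profile PATH [SECONDS]  (default 600 = 10 minutes)
write_timeout_profile() {
    path=$1; secs=${2:-600}
    cat > "$path" <<EOF
# Idle shell timeout: log interactive shells out after $secs seconds.
# Guarded so that non-interactive scripts sourcing the profile are not
# given a read timeout (TMOUT also limits the read builtin).
case "\$-" in
    *i*)
        export TMOUT=$secs
        readonly TMOUT    # equivalent to typeset -r TMOUT; cannot be unset by the user
        ;;
esac
EOF
}

# Report "<seconds> readonly|writable" as an interactive bash shell would see
# it after sourcing PATH, or "unset writable" if the guard skipped it.
interactive_view() {
    bash --norc -ic '
        . "$1"
        if readonly -p | grep -q " TMOUT="; then echo "${TMOUT} readonly"
        else echo "${TMOUT:-unset} writable"; fi' _ "$1" </dev/null 2>/dev/null
}

# Same check from a non-interactive shell (e.g. a cron job or "ssh host cmd").
noninteractive_view() {
    bash --norc -c '. "$1"; echo "${TMOUT:-unset}"' _ "$1"
}

case "${1:-}" in
    --install)
        write_timeout_profile /etc/profile.d/sessiontimout.sh "${2:-600}"
        echo "interactive shells see: $(interactive_view /etc/profile.d/sessiontimout.sh)"
        ;;
esac
```

Run sh timeout.sh --install 600 as root; the report line should read "600 readonly". A non-interactive shell sourcing the same file sees TMOUT unset, which is the point of the guard.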
any unused services disabled,
Check for unused services: on older SysV init systems list /etc/init.d (ls /etc/init.d); on systemd systems run systemctl list-unit-files.
File sharing is disabled by default on most Linux distributions, but if Samba is installed you can stop it with sudo /etc/init.d/samba stop or sudo systemctl stop samba. Stopping it lasts only until the next boot, so also disable the unit (or remove the package) so it does not start again.
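Added example (not from the OSU page): rather than reading through systemctl list-unit-files, list what is actually reachable over the network with ss -tlnp and flag every listening port that is not on an allow list, then disable the unit behind it. ss, systemctl and their options are real; the function names and the four sample ss lines (constructed for the example) are the example's own. Loopback-only listeners are reported but marked, since they are not reachable from the network.

```shell
#!/bin/sh
# Added example (not from the OSU page): find services listening on the
# network that are not on an allow list, using ss(8) output, and disable
# the unit behind them.  ss, systemctl and their options are real; the
# function names and the sample ss lines are this example's own.
set -eu

# Read `ss -H -tlnp` lines on stdin; print "PORT PROCESS ADDRESS" for every
# listener whose port is not among the arguments.  Loopback-only listeners
# are flagged but are lower risk (unreachable from the network).
unexpected_listeners() {
    allowed=" $* "
    while read -r state recvq sendq laddr peer process; do
        [ "$state" = LISTEN ] || continue
        port=${laddr##*:}                      # strip address (works for [::]:22 too)
        addr=${laddr%:*}
        case "$allowed" in *" $port "*) continue ;; esac
        # ss prints users:(("sshd",pid=812,fd=3)); keep just the name.
        # The column is empty when ss is not run as root.
        if [ -n "$process" ]; then name=${process#*\"}; name=${name%%\"*}; else name="?"; fi
        tag=""
        case "$addr" in 127.*|"[::1]") tag=" (loopback only)" ;; esac
        echo "$port $name $addr$tag"
    done
}

# Disable and stop a unit so it does not come back at boot (stop alone is not persistent).
disable_service() { systemctl disable --now "$1"; }

# Sample lines in the format ss -H -tlnp prints (constructed for this example).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1203,fd=35))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Audit the sample with only SSH allowed: reports smbd on 445 and cupsd on 631.
audit_sample() { printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 22; }

case "${1:-}" in
    --live)   shift; ss -H -tlnp | unexpected_listeners "$@" ;;   # e.g. --live 22 443
    --sample) audit_sample ;;
esac
```

Run sudo sh listeners.sh --live 22 on a workstation (add the ports of services it is meant to offer) and follow each unexpected line back to its unit with systemctl status before disabling it.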
OS and apps configured to auto update unless centralized patch management is implemented by the cognizant OSU IT support team,
See confidential section
Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and apps configured to auto update (or suitable alternative), remote access restricted.
To check whether your firewall is active, open the Control Panel and type "Windows Firewall" in its search box, then select Windows Firewall under the Control Panel results. You will be shown the current state of the Windows Firewall. If your firewall is provided by another antivirus product, consult that product's documentation for how to check that its firewall is active.
To make sure the authentic Windows logon screen appears, require Ctrl+Alt+Delete to be pressed. Open the Start menu, go into the Control Panel, click User Accounts, then User Accounts again. As an administrator you will be offered the option to manage user accounts; click it. Under the Advanced tab enable secure logon by ticking the box that says "Require users to press Ctrl+Alt+Delete".
To disable autologin on a Windows machine, open the Start menu and enter the Control Panel. Click User Accounts, then User Accounts again, then Manage User Accounts. If autologin is available there will be a check box near the top of the window with the text "Users must enter a user name and password to use this computer". Tick this box to disable autologin. If this checkbox doesn't exist, autologin is already permanently disabled.
To disable file and printer sharing go to Start > Control Panel > Network and Internet > Network and Sharing Center and click the link for Advanced sharing settings. On this page make sure to Turn off file and printer sharing. Also turn off public folder sharing and network discovery.
To enable Windows automatic updating: Start > Control Panel > Turn automatic updating on or off (under Windows Update). Change the value to Install updates automatically.
To change settings related to remote access: Start > Control Panel > System and Security > System > Remote Settings. To disable Remote Assistance uncheck the box at the top, and select "Don't allow connections to this computer" to disable Remote Desktop. If remote access is a must, select "Allow connections only from computers running Remote Desktop with Network Level Authentication" and then select the users that may use remote access, limiting the selection to only those that need it.
Required: Remote access restricted, remote root login disabled, insecure connection services (Telnet, FTP, etc.) restricted, latest stable service software installed (SSH, TLS, etc.), host-based firewall active with unneeded traffic disabled (IPTables or equivalent), access lockout if available from off campus (fail2ban or equivalent), password age and complexity enabled, authentication and security logs enabled with logs retained for a minimum of one month (use of logrotate encouraged), specific logs for server application (mail, web server, dbase) enabled and retained, quarterly vulnerability scan performed and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.
Recommended: located behind physical firewall or equivalent device.
Required: Network Level Authentication for Remote Desktop Services (via GPO), Local admin account (and any other well known SIDs) disabled, host-based firewall active with unneeded traffic disabled, password complexity/age enforced by local or GPO, unused services disabled, automated security updates subject to GPO, auditing enabled and security and system logs retained for a minimum of one month, specific logs for server applications (exchange, mssql, etc.) enabled and retained, quarterly vulnerability scan and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.
Recommended: located behind physical firewall or equivalent device.
Access to Confidential Information:Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format.
Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee
Storage of Confidential Information on Paper or other physical media:Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.
Elevated (administrative) privileges shall be used only when needed to perform an administrative task. Daily tasks must be performed using a normal user account.
Network Security:Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scan of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.
Transmission of Confidential Information: Under no circumstances shall Confidential Information be transmitted across an unsecured network in clear text. In particular, it should be noted that email is not by default an encrypted means of transmission and any Email containing confidential information is subject to this restriction.
For the occasional transfer of data via email, file attachments should be encrypted using, at a minimum, a 128-bit symmetric-key algorithm, such as the Advanced Encryption Standard (AES). Microsoft Office encryption meets this standard. Key (password) sharing must be through a different mechanism than that used for transmission, such as a phone call.
For departments that have a business need to transfer confidential information on a regular basis via email, the use of a program that utilizes both symmetric and asymmetric key encryptions, such as PGP or equivalent, is strongly recommended.
Required: University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.
On iOS, in Settings > Touch ID & Passcode, toggle the "Erase Data" switch; the device then erases its data after 10 failed passcode attempts.
To turn off Location services select the “Privacy” menu in the Settings app. Then hit “Location Services” at the top of that menu. Then simply toggle the switch to turn off all location services.
To set the lock screen timeout launch the Settings app and tap Display. Set the Sleep setting to 5 minutes or less.
Wiping after failed attempts is not built into Android itself. Some devices, such as the Samsung Galaxy S5, include it; on any other device you can install the app Locker and set it up to wipe after failed logins, following this tutorial: http://nexus5.wonderhowto.com/how-to/make-your-android-auto-wipe-your-data-when-stolen-0157407/
To turn off location services open the Settings app and tap Location. You will be presented with a screen with a toggle at the top; switch it off to disable location on the device.
To turn off cloud synchronization on an Android device open the Settings app and tap Backup & reset. Tap "Back up my data" and turn it off to disable the synchronization.
Following the instructions at https://support.google.com/accounts/answer/3265955?hl=en you can use Android Device Manager to set up and manage remote wiping of your device.
256-bit symmetric-key encryption: at the time of writing, Android device encryption supports only 128-bit keys (https://source.android.com/security/encryption/).
Required: University-owned device, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device,
To turn on SIM security
To turn location services on or off
disable cloud synchronization for passwords and data,
syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.
Enabled with Exchange.
Required: University-owned device, 256-bit symmetric-key full-disk encryption (FileVault or equivalent), Locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, remote management for authorized accounts (OSU IT) only, Firmware password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.
To require the admin password select the “Advanced…” button at the bottom of the “Security & Privacy” page and check the box for it. Do the same for the automatic logout, and be sure to set it to at most fifteen minutes.
Required: University-owned device, 256-bit symmetric-key full-disk encryption
Remote access restricted
Generate a passphrase-protected SSH key for every computer that needs to access the server:
Permit public-key SSH access from the allowed computers:
Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).
Disable password SSH access:
Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).
Now the only way to SSH into the server is with a key that matches a line in ~/.ssh/authorized_keys. With this method, brute-force attacks against the password no longer matter: even a correctly guessed password is rejected, and brute-forcing a public/private key pair is computationally infeasible with today's technology.
Never log in as root; always use sudo for anything that requires administrative access.
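The sshd_config change described in the steps above can be applied and verified in a repeatable way. The following POSIX shell script is an added example written for this page, not something from the OSU standards or any OSU tooling. It rewrites the PasswordAuthentication keyword (whether commented out or not), also sets PermitRootLogin no as one way to enforce the "never log in as root" rule (an assumption on our part; the page itself only mentions sudo), and then reads back the value sshd will actually honour, which is the first uncommented occurrence of a keyword. The sample configuration it edits is constructed inline for demonstration.

```shell
#!/bin/sh
# Added example (not from the OSU standards page): harden a copy of
# sshd_config so that password and root logins are disabled, then verify.

# make_sample_config PATH
# Writes a constructed sshd_config fragment used only to exercise the functions.
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config (not taken from any real server)
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication no
EOF
}

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." line, commented out or not, to "KEY VALUE";
# appends the directive if the keyword is absent. Note: this also touches
# occurrences inside Match blocks, so review the result on a real file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# sshd_get FILE KEY
# Prints the effective value: sshd uses the first uncommented occurrence
# of a keyword, so a leading "#" means the directive is not in force.
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE
# Applies the two directives this section calls for.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# sshd_is_hardened FILE
# Returns 0 only when both directives are explicitly in force.
sshd_is_hardened() {
    [ "$(sshd_get "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_get "$1" PermitRootLogin)" = "no" ]
}

# Stand-alone demonstration on a temporary copy.
if [ "${SSHD_HARDEN_DEMO:-1}" = "1" ]; then
    demo=$(mktemp)
    make_sample_config "$demo"
    echo "before: PasswordAuthentication=$(sshd_get "$demo" PasswordAuthentication)"
    harden_sshd "$demo"
    echo "after:  PasswordAuthentication=$(sshd_get "$demo" PasswordAuthentication)"
    sshd_is_hardened "$demo" && echo "config is hardened"
    rm -f "$demo"
fi
```

On a real host, run it against /etc/ssh/sshd_config with sudo, then validate the file with sudo sshd -t before restarting the daemon, and keep an existing SSH session open until a fresh key-based login has been confirmed so that a mistake cannot lock you out.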
require administrator password to access system preferences and install software
password complexity and length (min. of 14 characters)
To change your password in Linux execute the following command:
To require password changes every 180 days (6 months), run this command on any Linux machine:
sudo chage -M 180 [username]
Install Lynis and run a check on the system, address all warnings and errors. Adhere to all of the suggestions at the end of the report.
Required: University-owned device, 256-bit symmetric-key full-disk encryption (Bitlocker or equivalent), locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, centralized remote management for authorized accounts (OSU IT) only, BIOS password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.
The recommended way to encrypt a Windows machine is with BitLocker. If you are using a Professional edition of Windows, BitLocker is included.
To see whether you already have BitLocker, search for “BitLocker” in the Start menu. If it is there, click on it. You will be brought to a page where you can turn on BitLocker for any particular drive.
Clicking “Turn on BitLocker” will begin the process of encrypting the drive.
To turn on a locked screensaver after 15 minutes, perform the following steps.
Open the Start menu and go to the Control Panel. Go to Appearance and Personalization, then Personalization. Then click on Screen Saver in the bottom right.
After clicking there you will be presented with options. Set the wait time to 15 minutes and check the box that prompts for a login when resuming.
To disable all sharing on Windows, follow the same steps as for disabling file and printer sharing on Windows, but in the same window also turn off public folder sharing and media streaming.
Enabling a BIOS password is different for every BIOS. To reach those settings you must enter the BIOS setup during boot, typically by pressing F2, although the key varies by manufacturer.
Virtual Server Environments: All security controls apply both to the host and guest virtual machines in a virtual server environment. Cannot share the same virtual host environment with guest servers of other security classifications.
Physical Security: Must be hosted in a secure Data Center with Physical Access monitored, logged and limited to authorized individuals 24x7.
Backup Media: All backup media must be encrypted. If stored off-site, a secure location is required.
Linux (or similar), OS X:
Required: Field level encryption for protected fields in database, removable back-up media encrypted using 256-bit symmetric-key encryption, monthly authenticated vulnerability scans performed by Office of Information Security, authentication and security logs retained for six months and made available to Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality), annual security audit. Transmission of confidential information requires the use of TLS v 1.2 and cannot use self-signed certificates.
Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use. Host-based software IDS/IPS.
Required: Field level encryption for protected fields in database, removable backup media encrypted using 256-bit symmetric-key encryption, use of Best Practice Analyzer, security and system logs retained for six months and made available to Office of Information Security, monthly authenticated vulnerability scans performed by Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner, based on criticality, annual security audit. Transmission of confidential information requires the use of TLS v 1.1 and cannot use self-signed certificates.
Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use, host-based software IDS/IPS.