Chapter 7: Security Checklist

  • Article

Computer and online security is a growing concern for all computer users, and is especially important if you provide public access to shared computers. Security issues often seem complicated and overwhelming, but fortunately there are some relatively simple steps that you can take to improve the security of your shared computer environment.

On This Page

Setup Checklist
Maintenance Checklist (Monthly)
Toolkit Administrator Security
Physical Network Security
Physical Security
BIOS Protection
Software Updates
Firewalls
Antivirus Software
Antispyware
Web Filtering

Setup Checklist

Perform the following checks and steps during configuration and installation of the Microsoft® Shared Computer Toolkit for Windows® XP to ensure the best possible security for your systems:

Checkbox Set a strong administrative password or passphrase.

Checkbox Visually differentiate the administrator accounts from limited user accounts.

Checkbox Remove the Toolkit administrator account from the Welcome screen.

Checkbox Physically secure computers by keeping them in view, locking the cases, and physically marking them.

Checkbox Lock down the system BIOS

Checkbox Download and install all critical updates

Checkbox Audit physical network security

Checkbox Use a firewall

Checkbox Install antivirus software

Checkbox Install antispyware

Checkbox Install and configure Web filtering software

Maintenance Checklist (Monthly)

Check the following items monthly to ensure continued security:

Checkbox Change administrator passwords

Checkbox Visually inspect computers for signs of tampering

Checkbox Audit physical network security

Checkbox Check for updates to Windows and other installed software

Checkbox Maintain antivirus updates (if not automated)

Checkbox Maintain antispyware updates (if not automated)

The following sections describe in more detail each of these checklist items.

Toolkit Administrator Security

  • Use a strong password. Any administrative account on a shared computer, including the Toolkit administrator account, should have a strong password. Avoid practices such as using a common dictionary word, basing a password on your name, or using a common password such as “password” or “letmein”. Also avoid using a blank password for the Toolkit administrator account. A strong password is:

    • Long. Passwords should be at least eight characters long, and longer is better. For the Toolkit administrator password, consider using a password that is at least 15 characters long for enhanced password security.

    • Complex. Passwords should use a combination of lower-case and upper-case letters, numbers, and symbols (for example, ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . / or a space character).

  • Use a passphrase instead of a password. In Windows XP, you can use a passphrase instead of a password. Passphrases can be long, complex, and easy to remember. Just make sure that you still use the same strong password rules mentioned previously. An example of a passphrase is “I taught my 3 old dogs 6 new tricks!”

  • Change the password regularly. Change passwords regularly and make them different from previous passwords. Just adding a number to the end of your regular password is not different enough. You should change administrative passwords quarterly, if not more frequently.  

  • Visually differentiate the Toolkit administrator account from other accounts. Make it easy to determine at a glance if a user is logged on with the Toolkit administrator account. Use a different desktop background and even a different color scheme for menus and windows. If your shared user accounts use the Classic Start menu (as is recommended), you could have the Toolkit administrator account use the Windows XP Start menu.

  • Remove the Toolkit administrator account from the Welcome screen. Use Getting Started or the Welcome.wsf tool to remove the Toolkit administrator account from the Windows Welcome screen. At the Welcome screen, press CTRL+ALT+DEL to access the traditional logon dialog box, in which you can type the account name and password.

Physical Network Security

  • Audit physical network security. Make sure no unidentified computers of devices are attached to your network or can be easily attached to your network. Packet sniffers and rogue servers can be used to penetrate your network, compromising your computers and your data.

Physical Security

  • Keep computers visible. If the shared computers are intended for public access, make sure that you can see what users are doing. Although it is usually inappropriate to look over a user’s shoulder during a session, you should at least be able to see whether the user is trying to open the computer case.

  • Lock computers. Use locks on computer cases to ensure that users cannot open them. This prevents users from being able to open the case to add or remove components, or install monitoring devices. Use locks to keep computers and other devices attached to their tables or desks. Use an optical mouse so that users cannot take the mouse ball. Also, if you provide headphones to users, secure the headphone cable to the computer case to help prevent theft or vandalism.

  • Perform regular inspections. After a user finishes using a computer, inspect the computer and peripherals for any signs of tampering. Some monitoring devices attach to a parallel port, USB port, or inline with a keyboard cable.

  • Mark computers. Consider using an etching tool to mark the inside of computer cases with information that identifies the computer and your organization. Also record the model and serial numbers of computers and peripherals.

BIOS Protection

  • Update the BIOS. Ensure that your shared computer is running the latest BIOS version available from the manufacturer of the computer before you install Windows XP.

  • Password protect the BIOS configuration. This protection requires that a user enter a valid password to access the computer’s BIOS setup screens.

    Important Important
    If an untrusted user can start your computer from removable media, the computer can be modified by anyone and become untrustworthy. BIOS protections are critical security measures.

  • Prevent startup from removable media. In the BIOS setup screens, disable the options that allow the computer to start from a CD-ROM, floppy disk, or removable USB drive. This will help ensure that users cannot start the computer with an alternate operating system and make changes to the computer.

  • Use startup passwords if available. On some computers, the BIOS offers the ability to password protect starting of the computer from certain drives (most BIOS refer to this as a “boot” password). For example, you might be able to require a password for someone to start the computer using the floppy drive, CD-ROM drive, or even the hard drive. If you do not want to disable starting from removable devices, consider using a startup password. If a user can start using their own disk, they can usually circumvent any security measures you have in place.

Software Updates

  • Enable critical updates in Windows Disk Protection. Use the Windows Disk Protection tool to enable critical updates and schedule regular updates. For more information, see the "Critical Updates" section in Chapter 6, “Windows Disk Protection.”

  • Check for updates with EULAs. Routinely (at least once a month) check for critical updates that require users to accept a EULA. Accept the EULA manually, and then save the changes to disk using Windows Disk Protection.

  • Check for recommended updates. Visit the Microsoft Update Web site monthly to check for recommended updates to Microsoft software.

  • Update other software. Manually check for updates to third-party software. You should perform this check at least monthly.

Firewalls

  • Use a perimeter firewall. Perimeter firewalls protect an entire network, blocking all traffic that isn’t explicitly allowed between the Internet and a local network. Firewalls can also hide the addresses of the computers behind your firewall, making individual computers on a local network invisible to the outside. A perimeter firewall might be a piece of hardware that you plug into your network or a program like Microsoft Internet Security and Acceleration (ISA) Server.

  • Use a local firewall. A local firewall is a program that you install on a computer to block unsolicited traffic coming into (and sometimes going out of) that computer. Windows XP with Service Pack 2 (SP2) comes with a local firewall called Windows Firewall that is enabled by default when you install SP2.

Antivirus Software

  • Install reputable antivirus software. Antivirus software scans the contents of incoming e-mail messages, downloads, and files already on your computer, to detect virus signatures. If the software finds a virus, the software deletes or quarantines it.

  • Update the antivirus software regularly. Because hundreds of viruses are released each month, antivirus software must be updated regularly with the latest signature definitions and scanners so that the software can catch the latest viruses. If you use Windows Disk Protection, you can use a script to download and install updates to antivirus software and save those changes to disk automatically as part of the critical updates process.

Antispyware

  • Install reputable antispyware software. Antispyware software regularly scans the shared computer for spyware that has been installed. Some antispyware software has components that run in the background to help detect spyware before it is installed or makes changes to the computer.

    Note Note
     Some antispyware programs will warn about the operation of certain aspects of the Shared Computer Toolkit. These messages are expected and are discussed in Chapter 8, "Troubleshooting."

  • Update the antispyware software regularly. As with antivirus software, you must keep antispyware updated so that it can detect the latest spyware threats. Although the Toolkit does not include scripts that you can use to update antispyware software, you can use the techniques discussed in Chapter 6, “Windows Disk Protection,” to update antispyware software and save the updates to disk.

Web Filtering

  • Consider installing Web-filtering software. Many companies offer products that filter Internet use based on a variety of criteria. Typically, these services are much more robust than the built-in Content Advisor in Internet Explorer. You can learn more about software vendors by browsing the Content Filtering category at the Windows Marketplace.