ECS is very security conscious and enforces procedures beyond what other IT shops on campus impose. One result is that the ECS staff has spent much less time than other IT staff recovering from security breaches. Because the number and intensity of break-ins (mostly on Windows computers) continue to increase, new security precautions will, no doubt, be instituted as necessary. Self-administered machines are subject to some additional restrictions as noted below. Here are some of the measures we use to improve the safety and availability of the computing environment in the College of Engineering.
- Long passwords. Passwords must be at least 9 characters long.
- Block email known to contain a virus or suspected as spam. When ECS knows of an alert about a specific virus being spread via email, messages from offending addresses are rejected. Mail sent from known spam sites is rejected and not delivered.
- Change email attachment names. Email attachments that have an extension that is known to be problematic (associated with the spread of a virus) are renamed to filename.ext.virus-scan-me.virus-scan-me. Messages identified as being infected are put into a mail folder called Virus_Quarantine and any attachments to such messages have a suffix “I-AM-A-VIRUS.I-AM-A-VIRUS". For details about this service, read Dealing with Viruses.
- The college has made available the virus-scanning software Symantec Endpoint Protection. It scans files as well as provides anti-spyware protection. On administered computers, go to Start | Symantec Endpoint Protection | Symantec Endpoint Protection to see the status of your computer, change the scan settings, or view a list of quarantined files. To scan a directory or file, set up a custom scan.
- Authenticate before sending mail if on non-secure network. You must authenticate with a secure connection to the mail server to receive and send email. This requirement keeps people outside our network from using your computer to relay mail from and to other sites.
- Connect with secure (SSH) connection. You cannot use telnet or rlogin to connect to a computer on the engineering network because those two protocols are not secure. You must connect with an SSH (Secure SHell) connection, either SSH2 (more secure) or SSH1.
- Limit incoming traffic on some networks. Self-administered machines that are not servers cannot receive incoming traffic. To run a server on a less secure network you must apply using the Server Request Form and agree to manage the computer in a way that maintains its integrity and security.
- Since December 2010, connections using Remote Desktop must be secure. You can use the Connect2 VPN to create a secure connection before launching Remote Desktop.
What You Can Do about Security
ECS runs a network that is as secure as reason and requirements allow. Most actions that make a computing environment secure are things that individuals do, not the efforts of the system administrators. Here are several things that users can do to maintain security.
- Don’t leave passwords visible. If you must write down account passwords, do not leave those passwords where they are visible to others.
- Don’t tell others your password(s). Passwords are meant to protect the information you have access to. If you have access to confidential data from a University, departmental, or private database, that confidentiality can be compromised by giving another person access to your account by sharing your password.
- Screen lock your computer when you walk away from it. Locking your screen when you leave your computer unattended prevents others from using your computer account. On a Linux workstation, select Leave | Lock from the K/Start menu to lock your workstation. On a Windows computer, press Ctrl + Alt + Del and select Lock Workstation.
- Log off or lock your computer at end of day. Just as you lock your screen when walking away from your computer during the workday, doing so at night is as important. One advantage to logging off when you leave is that on ECS-administered machines, ECS installs remotely (without being on your computer) operating system patches, and new versions of virus scanning files and software. This work, typically done on weekends late at night, proceeds more quickly and smoothly if you are not logged into your account.
- If your computer is self-administered, you are responsible for providing much of the security that ECS provides for ECS-administered machines. Regularly update the virus definition file; install software patches as necessary; pay attention to information about security holes in the operating system you use. If ITS or ECS finds that a self-administered machine has been compromised, it will be disconnected from the network until the administrator has fixed the problem.
- When working remotely, use a secure connection to get to your files. Use FileZilla to transfer files or Connect2 VPN to view and transfer files.