Return to: U of M Home
Gold University of Minnesota M. Skip to main content.University of Minnesota. myU | One Stop | Directories | Search U of M  
Driven to Discover.

What's Inside OIT

links related to OIT

1-HELP

System Status

University of Minnesota

STANDARDS & GUIDELINES


     

GUIDELINE—Windows XP/2000 Desktop Computer Basic Security Guidelines (Appendix K)

Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: February 2004
VIEW HISTORY
RELATED POLICY/PROCEDURE:
Securing Private Data

GUIDELINE
A guideline is highly recommended.


Contents

Introduction

Required Steps

  1. Assign a strong Administrator password
  2. Remove File and Print Sharing
  3. Activate or install a software firewall
  4. Install security patches
  5. Set up automatic installation of patches
  6. Install and immediately update Anti-Virus software

Steps 2-5 have been automated with the QuickStart tools, see https://www.quickstart.umn.edu/

Additional Steps (depending on environment):

Appendix

Introduction

This document was prepared as a guideline for securing Windows 2000 Professional and Windows XP Professional computer systems that are not supported by departmental technical staff. While this document focuses on new Windows 2000 and Windows XP computer systems, the steps listed can be performed on existing computers with few changes. If you have technical staff, ask them if the steps below are appropriate for your environment.

Note: When ordering a computer, be sure to order Windows XP Professional version with the NTFS file system. Windows XP Home Edition and the FAT32 file system do not have the security features needed. For information on converting, see the Appendix of this document.

A New Computer, Just Arrived From the Vendor

IMPORTANT: Before connecting a new Windows computer to the University network, you must perform the first three steps below.These steps are important because your new computer is quite vulnerable to computer viruses and worms that can infect it through the network before you have a chance to install the necessary patches.

The remaining steps should be performed before using the computer for daily tasks such as reading/sending e-mail, Web browsing, data entry, etc. If you need to leave the computer for a period of time in the middle of performing the remaining setup steps, you should turn it off or remove the network connection until you get back.

Required Steps BEFORE plugging into the network:

1. Assign a strong Administrator password

When first turning on a Windows 2000 or Windows XP machine, one of the first steps that you should be asked to perform is to assign a password for the Administrator account. Assigning a difficult-to-guess password is an important step in protecting your computer from unauthorized (mis)use. If you have questions regarding what a "strong" password is, see http://www.umn.edu /oit/security/passwordguide.html.

2. Completely remove File and Print Sharing (or else mitigate the risk)

By default, your Windows 2000 or Windows XP workstation is configured to act like a File and Print Server. This means, other people can connect to your computer and access the files that are stored on it. They can view the files, and if they want, delete the files. All they need to do is guess the password, or use a program that tries a list of thousands of passwords. If you need to share files with others, the preferred method is using a departmental file server that is maintained by an IT Professional or copying to a CD rather than using Windows File and Print Sharing.

Printer Sharing is defined as allowing others to use a printer that is physically connected to your computer, such as via a USB cable. Most networked printers are connected directly to the network, and therefore most people do not need Microsoft Printer Sharing.

To remove File and Print Sharing from your computer:

  • Go into the Control Panel (Click the Windows Start button and choose Settings, then Control Panel)
  • Double click Network Connections (sometimes labeled Network and Internet Connections)
  • Highlight any network connection (Typically there is one labeled "Local Area Connection")
  • Choose Properties from either the File menu or from the menu presented when you right-click on the connection
  • Highlight "File and Print Sharing"
  • Click "Uninstall"
  • Click OK a couple of times, and your computer is significantly safer from network-based intrusions.

If you must run File and Print Sharing on a Windows 2000 or Windows XP computer, then you must take several additional measures to prevent unauthorized users from accessing the shared resources. These measures are listed in the Appendix of this document. Note that it is simple to add File and Print Sharing back onto your computer in the future if needed. The steps are listed in the Appendix of this document.

  3. Activate or install a software firewall

If you are using Windows XP, you should activate the built-in Windows XP "Internet Connection Firewall" or the "Windows Firewall" to help protect your computer from network attacks. Information can be found in the Appendix as well as at:

If you are using Windows 2000, a commercial software firewall such as ZoneAlarm (free for personal use) or Symantec (licensed for U students, faculty and staff) is highly recommended and will provide protection from many network-based attacks. The Symantec Firewall can be downloaded at http://www.umn.edu/adcs/software/security/.


If a firewall is not installed or activated at this point, then installation of the most recent Microsoft Service Pack and subsequent hotfix security patches from CD (or other media) will be necessary instead of step 4 below. Download and burn a CD on another machine or call 1-HELP (1-4357) and get a "Security patch CD".

Now plug the ethernet cable from your computer into the network and complete the following steps:

4. Install security patches

It is University policy that all computers connected to the University network are required to have critical security patches installed within 60 days of release by the vendor. See http://www.umn.edu /oit/security/updates-patches.html.

Once a firewall or software is activated in the step above, security patches can be installed by going to the Microsoft Windows Update site at http://windowsupdate.microsoft.com. Check for updates and install any Critical Updates identified as missing. Reboot your computer if asked to do so, go back to Windows Update and install Critical Updates repeatedly (not all of them can be installed at once) until there are zero Critical Updates listed. Note that Windows Update provides various optional patches and driver updates that are listed in addition to the Critical Updates. Installation of such software should only be done if you have a good reason to do so.

  5. Set up automatic installation of patches

Unless you have another plan for patching this computer, configure Automatic Updates to automatically keep your computer up-to-date with patches in the future. Note that when enabled, the default settings require someone with Administrative-level access to be logged in to install the patches. However, it can be configured to download and install them in the background, at a certain time and day of the week.

To configure Automatic Updates:

  • Go into the Control Panel (Click the Windows Start button and choose Settings, then Control Panel)
  • Choose "System" (or "Performance and Maintenance", then "System")
  • Click on the tab at the top that says "Automatic Updates"
  • Make sure the checkbox next to "Keep my computer up to date..." is checked
  • Select "Automatically download the updates and install them on the schedule that I specify"
  • Choose a time when the computer is turned on and someone is logged on.

Periodically (perhaps monthly) check to make sure the process is working by visiting Windows Update to check to see if the computer is up to date with critical updates.

6. Install and immediately update antivirus software

It is University policy that all computers connected to the University network are required to have working antivirus software installed on them and that the antivirus software must be kept up-to-date. See http://www.umn.edu/oit/security/Anti-virusstandard.html.

Fortunately, licensed software is available free of charge to all students, staff, and faculty on all campuses of the University for University owned computers and also for one personal machine. When properly installed, configured and updated (see recommendations below), this product provides significant protection against many (but not all) threats that computers are exposed to.

The antivirus software can be obtained at the following Web page: http://www.umn.edu/adcs/software/security/. After installing the antivirus software, run LiveUpdate to get the latest virus definitions from Symantec.

To manually run LiveUpdate:

  • Click on the shield icon in the bottom right corner of your tool bar or navigate through the Start menu (Click the Windows Start button and choose All Programs, Symantec Client Security and then Symantec Antivirus Client)
  • Click the LiveUpdate button.
  • Click Next to begin downloading virus definitions.
  • Once done, you will see the results of the update. Click Finish.

It is highly recommended that you take advantage of the antivirus software's ability to automatically update. See Appendix for instructions.

You should also check periodically to make sure the virus definition files are, in fact, being updated to ensure that the update process hasn't broken. The main window of Symantec AntiVirus Corporate Edition shows the date of the virus definition file. It should never be more than one week old.

Additional Steps (depends on environment):

  • Securing private data
    Computers that store non-public data must also meet or exceed the requirements in the Securing Private Data Standard. See http://www.umn.edu/oit/security/privatedata.html.
  • Backup your data
    Periodically you need to backup your data. (Hint: Most of your data is in the My Documents and Application data folders.) The physical security of the removable media should be maintained and plans made to allow recovery from unexpected problems. Options include backing up to a departmental file server, to a CD, or to an externally attached tape drive. Another option is to backup through the network. See https://www.umn.edu/cco/udms/netbackup/.

    For additional steps to secure your desktop, see Microsoft s Security site at http://www.microsoft.com/security/.
  • How to Run as User

Avoid running as Administrator.  For information on how to sysadmin your computer while running as user, see http://safecomputing.umich.edu/events/download/RunAsUser_sumit_05.pdf (PDF).

As indicated by your department policy, password protected screen saver may be required. The screen saver should display within a reasonable timeframe. This can help prevent unauthorized persons from using your computer while you are away from it. To set a password-protected screen saver:

  • Right click on a blank part of the Windows desktop area
  • Choose "Properties" then "Screen Saver"
  • Select a screen saver (from the drop down list) to use

Select how many minutes of inactivity to wait before it turns on, and make sure to check the box labeled "On resume, password protect" This will require you to enter your Windows password before using your computer again.

Appendix

Microsoft Campus Agreement for Upgrades

If you ordered Windows XP Home Edition as opposed to Windows XP Professional, you should upgrade University owned machines for free using the Microsoft Campus Agreement that has been purchased by the University. For details on the agreement and to obtain the Windows XP Professional software, please visit http://www.umn.edu/ucs/Microsoft/CampusAgreement.php.

File and Print Sharing Risk Mitigation

If you must run File and Print Sharing on a Windows 2000 or Windows XP computer, then you must take adequate measures to prevent unauthorized users from accessing the shared resources. Measures include: (Note: Some of these links do not mention Windows XP, yet they do work on Windows XP.)

Note that not all of the above will work in every situation. However, if you need to leave File and Print Sharing turned on, you must take as many of the above mitigation steps as possible to help secure the machine.

If You Must Add File and Print Sharing Again

If, in the future, you have a need to have File and Print Sharing installed on your computer:

  • Go into the Control Panel (Click the Windows Start button and choose Settings, then Control Panel)
  • Double click Network Connections (sometimes labeled Network and Internet Connections)
  • Highlight any network connection (Typically there is one labeled "Local Area Connection").
  • Choose Properties from either the File menu or from the menu presented when you right-click on the connection
  • Click "Install", choose "Service", click "Add"
  • Choose "File and Print Sharing for Microsoft Networks".
  • Click OK a couple of times.

Make sure to then implement some of the risk mitigation steps listed above.

Firewalls and Network Filtering Options

If you are using Windows 2000, you can use IPSec Port Filtering to prevent inbound connections to the computer. See /prod/groups/oit/@pub/@oit/@web/@security/documents/asset/oit_12549.pdf (PDF) for an example. The filters mentioned in that PDF file can be downloaded from  https://www.umn.edu/oit/security/Restricted/UMNfilters.ipsec.

You may instead choose to use a commercial firewall product such as ZoneAlarm (free for personal use) or Symantec (licensed for U students, faculty and staff). The Symantec Firewall can be downloaded at: http://www.umn.edu/adcs/software/security/.

Installing a commercial firewall product is not necessary if you have turned on the Internet Connection Firewall or Windows Firewall within Windows XP, or if you have implemented IPSec Port Filters or used other filtering strategies on Windows 2000 or Windows XP.

How to configure Automatic Windows Update for patches

Automatic Updates is available on Windows 2000 machines patched to Service Pack 3 (SP3) or higher (as of this writing, SP4 is the current patch level) and Windows XP. When turned on, it is configured to check for critical, usually security-related patches to certain key components of the Windows operating system. When turned on, the default settings require someone with Administrative-level access to be logged in to install the patches. However, it can be configured to download and install them in the background, at a certain time and day of the week.

Automatic Updates may not be the best solution for everyone. However, unless you have a better solution in place, you are strongly encouraged to configure Automatic Updates to automatically download and install critical updates. Periodically (perhaps monthly) check to make sure the process is working by visiting Windows Update to check to see if the computer is up to date with critical updates.

To configure Automatic Updates:

  • Go into the Control Panel (Click the Windows Start button and choose Settings, then Control Panel)
  • Choose "System" (or "Performance and Maintenance", then "System")
  • Click on the tab at the top that says "Automatic Updates"
  • Make sure the checkbox next to "Keep my computer up to date..." is checked
  • If you want Automatic Updates to run automatically, even if the logged in user does not have Administrator-level access (recommended), select "Automatically download the updates and install them on the schedule that I specify".
  • Since all critical updates from Microsoft are currently released on Tuesday (some late in the afternoon), choosing a time on Wednesday morning when the computer is turned on and someone is logged onto it would be best.

How to configure Automatic Updates of Symantec Anti-Virus

It is recommended that you schedule automatic LiveUpdates to download the latest virus definitions from Symantec.

To configure scheduled LiveUpdates:

  • Click on the shield icon in the bottom right corner of your tool bar or navigate through the Start menu (Click the Windows Start button and choose All Programs, Symantec Client Security and then Symantec Antivirus Client)
  • Choose File and then select Schedule Updates.
  • Place a check in the enable scheduled automatic updates box
  • Click the Schedule button.
  • Define the frequency (i.e., weekly) and day and time for LiveUpdate to auto-update. Select a day and time when your computer is normally on and connected to the network).
  • Click OK to finish.

How to convert the file system to NTFS

NTFS has built in security features that are not available in other available file systems for Windows. Computers should be ordered with the NTFS file system, but in case they do not have NTFS, we have included instructions on how to convert to NTFS.

To determine if your computer is using the NTFS file system:

  • Go into the My Computer (available either on your Windows Desktop or within the Start Menu)
  • Right click on the C: drive, and choose "Properties"
  • The second line of text from the top will display "File System:", then likely either FAT32 or NTFS. If it says NTFS, then all is well. If it says FAT32, then you should convert it to NTFS.

FAT32 (and FAT before it) do not allow for file system restrictions. Put simply, anyone (or any program) that can access your files can access all of them. Viruses and other malicious code generally can wreak havoc on FAT and FAT32 file systems, while they can often be made less severe by using the NTFS file system and logging in using a User-level account instead of an Administrator-level account.

To convert to the NTFS file system:

  • Open a command prompt window (one way of doing this is to click the Windows Start button, choose Run then type in  cmd then click OK)
  • At the command prompt, type in  convert c: /FS:NTFS
  • Repeat this as necessary for any other drive letters (such as D:, E:, etc.) that are assigned to the local hard drive(s)

Resources and Links
© 2007 - 2008 Regents of the University of Minnesota. All rights reserved. Contact U of M | Privacy
The University of Minnesota is an equal opportunity educator and employer. Last modified on 3/10/08 2:10 PM