Best Practices

... for Workstation Protection

Today's desktop workstations must be configured and used in a secure manner, for two reasons. First, it is likely that some information housed on that computer is of a sensitive, confidential, or proprietary nature. Therefore, only authorized individuals should have access to it. Liability may be incurred if information is not protected using generally accepted protection methods ("due diligence"), and that information is improperly disclosed. Second, the integrity of the system (operating system, application programs, and data files) is critical. Applications must operate as expected, when expected, and the data they use must be complete and correct. Otherwise, we lose productivity, make bad decisions, and report false information. The following guidelines will maximize the security of your workstation.

  1. Your workstation should have a screen saver activated that is password protected. The interval for activation should be between 3-5 minutes. This will provide adequate insurance against the walk-by use of workstations that are "up" (operating). Anyone with system administrator authority (i.e., a high security clearance) is strongly urged to comply with the lower end of this interval range. Most general users are comfortable with a 5-minute screen saver interval.

  2. Do not allow file sharing ("shares") on machines without securing them to authorized users only. Make certain object, device, and file access controls are appropriate.

  3. Install virus protection software on your workstation, and install updates on a regular basis. Updates for new viruses are generally made available every week. (Your software can be configured to be automatically updated.) Configure your virus software properly, so that it actively scans all incoming objects for virus infections.

  4. Do not allow anonymous access of any kind (e.g., FTP, dial-up) to your workstation. Public read-only data should be shared from a server location. FTP and dial-up access to a workstation should be protected with user authentication. If you allow others to access your workstation, employ system and network logging mechanisms to track their use.

  5. Ensure that you have adequate backups of files. Copy them to a secure server location or make floppy disk or zip drive backups, and store them in a secure location. In general, it is not necessary to backup your operating system files more than once after installation/modification. Many work areas have a single CD image for all workstations that can be used to restore a damaged system. (If an image is available you need not backup your system files.) However, be aware that a restore of this nature will erase personal data files and custom configuration files on your workstation. Pay particular attention to making backups of your data files and custom configuration files on a regular basis.

  6. Keep your operating system and application software up to date. Updates are available from vendors on a regular basis.

  7. Always power off workstations when not in use (e.g., overnight).

  8. Routinely change your application passwords. The industry standard interval for password changes is 60-90 days. Depending on your environment and security clearance, it may make sense to use a 30-day password interval. (System Administrators, in all cases, should use one-time passwords; or if static passwords are used, a 30-day maximum password interval.)

  9. If you believe office keys have been lost, misplaced, or stolen, recommend to your supervisor, department head, or advisor that doors be re-keyed by Facilities Services.

  10. Delete all un-sanctioned programs and directories from your workstation. They can be cleverly named keystroke-capturing programs (a program that records everything typed into the machine's keyboard), network sniffer programs (a program that captures information transmitted on a network), or viruses (programs that damage files). Educate yourself about what programs and files are on your workstation, so that you will recognize anomalies.

  11. Never execute a program (".exe" file) if you do not know what it is/does, or if you do not trust the source. This is particularly the case for files that are sent to you via e-mail, or are downloaded from a web site that you do not trust.

  12. Secure workstations by physically locking offices that are publicly accessible when they are not occupied. Similarly, some workstations can be key-locked to protect the power-on switch and drives. These keys should be used for after-hours workstation protection.

  13. Employ a BIOS (hardware level) boot password on your machine. This can be set through the hardware setup utilities. Once defined, the machine will then require that password (which is not transmitted on any network) before the machine will boot. Newer Intel-based machines will support bios boot passwords. This control is especially important if your workstation sits in a common area.

  14. Turn off all network services that you do not need or intend to use.

  15. Investigate your workstation/drives on a regular basis, to look for suspicious files. Use a naming convention for your files, and a directory structure naming convention. Be sure to look for hidden files and directories.

  16. Consider employing a file encryption program if the information stored on your workstation is highly confidential. Similarly, consider a mail program that supports encryption (S/MIME or PGP) if you will be sending highly confidential information in messages.

Copyright © 2005 The University of Iowa. All rights reserved.