Standard: Requirements for Securing Electronic Devices
Oversight: Chief Information Officer
Purpose: Standard for securing electronic devices in accordance with the University’s Security of Networked Devices Policy; this standard is also incorporated by reference in the University Data Protection Standards.
The following is a list of basic steps needed to secure electronic devices, such as desktop computers, laptop computers, tablets, smart phones, other mobile devices, and network printers. Additional steps may be important to implement depending upon the vendor operating system, the applications that operate on the device, the information stored on the device, and other factors. If your device is owned by UVa or has UVa data stored on it, you should consult your department LSP or system administrator for additional guidance. The website Health Systems Technology Security also provides helpful guidance for those whose devices are managed by HSTS.
- Setting up Smart Phones
- Setting up Desktop, Laptop, and Tablet Computers
- Maintaining Desktop, Laptop, and Tablet Computers
- Setting up Networked Printers
All smart phones must be protected with a password of at least four characters.
Configure your device to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with password protection.
Protect device with a strong login password
Learn what constitutes a strong password, create ones you can remember, and never share your password with anyone. Note: If you have reason to believe someone has learned one of your passwords, change it immediately.
Use a password protected screen saver
Configure your computer to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with a password-protected screensaver. This enhances security and causes you minimal inconvenience.
Turn off file sharing
To ensure other people cannot access your files and folders, you must disable file sharing. In Windows XP uncheck the box "File and Printer Sharing" in the Properties of your wired and wireless connections. In Windows Vista turn off File Sharing in the Network and Sharing Center. If you purchased a Dell computer from the University, you will notice that file sharing is already disabled. Macintosh computers disable file sharing by default. UNIX/Linux operating systems need special attention in this area.
Turn on firewalls
Firewalls can prevent hackers from making unwanted connections to your machine. The firewalls on recent Windows and Macintosh operating systems are turned on by default. Make sure, however, that you enable the firewall settings for the following operating systems:
Turn off or delete unneeded software features
The more software packages there are on a computer, the more opportunity for hackers. Uninstall applications and turn off features you don't use.
Configure properly for multiple users
If multiple people use a computer, ensure that they each have their own user account.
Use up-to-date antivirus and antispyware software
Install FREE antivirus software (based on your operating system) on your computer, and schedule daily updates that will recognize new virus types as they emerge.
Enable the automatic protection of all incoming files, and schedule weekly scans of your hard drive.
Install antispyware software on your computer, since antivirus protection is not enough. Download the Microsoft antispyware software Windows Defender. If you are using Windows Vista or later, it comes pre-installed on your computer but may be turned off. Follow these steps to check.
Don't open files from unknown sources
Carefully judge the credibility and trustworthiness of the source of a file before opening it. Email attachments and downloaded files are common sources for malicious programs. Bear in mind that some viruses and worms can mimic the identity of a familiar email correspondent. If you weren't expecting an attachment, you may want to contact the email sender to verify the attachment before opening.
Keep your operating system up-to-date
Updates should be downloaded and installed immediately—many contain critical fixes for security-related defects. Recent operating systems have automated the update process, though you may be prompted to approve the process. If ITS PatchManagement Service or HSTS Desktop Management Service does not manage your updates, learn how to use your operating system auto-update feature.
Keep your application software updated
Check your software manufacturers' websites regularly for updates to their products.
Delete data securely
Use secure data deletion to destroy files and folders immediately and permanently in a secure manner. Find out more about Secure Deletion Shredder software and how to download it for FREE.
Create a backup of your entire system periodically, and back up critical data files whenever you update them. The ITS Home Directory Service provides adequate backup space for most people, but files consuming large amounts of space—video or music—may require external disk drives to back them up adequately.
Use physical security
Protect your system from theft by physically securing your computer. Purchase a lockup cable for your laptop to increase security in residence halls, libraries, and other places you may take your computer, and a surge protector with a circuit breaker to protect against power line surges. Verify that your system is covered under a homeowner's or renter's insurance policy.
Use physical security
Physically secure the printer, as if it were a computer server.
Enable access controls
Change the administrator password on the https (web) login. On any printer that supports it, install a CA certificate and use it instead of a password for administrative access. If available, use access lists to limit the users who can access the printer.
Limit network ports and protocols
Besides printing directly to a printer with an IP address on port 9100, other protocols can be used for specific operating systems. These include:
- On Unix systems: ftp and lpd
- On Windows networks: DLC/LLC
- On Novell networks: SLP Config and IPX/SPX
- On Apple Macintosh networks: mDNS and AppleTalk
These protocols are used to find printers on the network and send print jobs to them. These protocols are rarely used, but are still available on most printers. They are vulnerable to attacks and should be turned off.
Restrict management services
SNMP, telnet and https (web) are protocols used to manage printers. Telnet is rarely used on older printers without web access. If https (web) access is available, telnet should be turned off. SNMP is used for large organizations managing hundreds to thousands of devices, including printers. SNMP should be turned off.
If there is a documented requirement for SNMP, the following guidelines should be followed to prevent security vulnerabilities from being exploited:
Turn off version 1 and 2 of SNMP, and change the default SNMP read and write community strings.
Turn logging on and review logs as appropriate to detect and/or investigate potential security breaches.
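The networked printer requirements above can be checked mechanically against a printer's exported settings. The following is an added example, not part of the University standard: the setting names (enabled_services, admin_password_changed, and so on), the service labels, and the two sample inventories are assumptions constructed for illustration, and "public"/"private" are the community strings most vendors ship by default.

```python
# Added example: audit one printer's settings against the printer requirements above.
# All field names and service labels are hypothetical, not a vendor's API.

LEGACY_PROTOCOLS = ("ftp", "lpd", "dlc_llc", "slp", "ipx_spx", "mdns", "appletalk")
DEFAULT_COMMUNITIES = {"public", "private"}  # commonly shipped defaults


def audit_printer(cfg, snmp_required=False):
    """Return a list of findings; an empty list means the settings comply."""
    enabled = set(cfg.get("enabled_services", ()))
    findings = []
    # Discovery and print-submission protocols other than direct printing on port 9100
    for proto in LEGACY_PROTOCOLS:
        if proto in enabled:
            findings.append(f"{proto}: turn off")
    # Telnet is only tolerated where no https (web) management exists
    if "telnet" in enabled and "https" in enabled:
        findings.append("telnet: turn off, https management is available")
    if not cfg.get("admin_password_changed", False):
        findings.append("https: administrator password not changed")
    # SNMP must be off unless a requirement is documented
    snmp = {s for s in enabled if s.startswith("snmp")}
    if snmp and not snmp_required:
        findings.append("snmp: no documented requirement, turn off")
    elif snmp:
        for version in sorted(snmp & {"snmpv1", "snmpv2"}):
            findings.append(f"{version}: turn off")
        for name in ("snmp_read_community", "snmp_write_community"):
            if cfg.get(name, "").lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{name}: still set to a default value")
    if not cfg.get("logging_enabled", False):
        findings.append("logging: turn on and review logs")
    return findings


# Constructed sample inventories (not taken from any real device)
FACTORY = {
    "enabled_services": ["https", "telnet", "ftp", "lpd", "mdns", "snmpv1", "snmpv2"],
    "admin_password_changed": False,
    "snmp_read_community": "public",
    "snmp_write_community": "private",
    "logging_enabled": False,
}
HARDENED = {
    "enabled_services": ["https", "snmpv3"],
    "admin_password_changed": True,
    "snmp_read_community": "constructed-read-value",
    "snmp_write_community": "constructed-write-value",
    "logging_enabled": True,
}

if __name__ == "__main__":
    for finding in audit_printer(FACTORY, snmp_required=True):
        print(finding)
```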
Next Scheduled Review: February 2016
Revisions: February 2015
Effective: Original version was released 2001
Page Updated: 2015-02-12