Securing Computers

Last Updated: 15 Sep 2015

Securing computers is necessary if you are connecting to the network by any means, and wise even if you aren't. Your supplied office computer is already secured to some degree; this information is intended for any additional computers you set up for any purpose on campus.

Please note that physical security is paramount to truly securing a computer -- once someone has physical access to the computer, anything can happen... including compromising the system by resetting passwords and removing the hard disk and attempting to read its contents.

However, assuming that your office remains locked for other reasons, you have some level of physical access protection. The main thing you want to protect against, then, is an attack that originates outside your office.

  1. Virus prevention

    Without a network connection, about the only attack that can happen is via a file you access from a CD/DVD or a USB flash/thumb drive. If you attempt to run that file on your computer, it might have a virus attached to it. This may be especially problematic for faculty who need to run student programs to verify that they work -- the student may have inadvertently or maliciously attached a virus.

    Once on the network, downloading files, visiting certain web sites, opening email attachments, and other network-based activity can cause a virus to infect your computer.

    About the only thing we can do is to install an anti-virus or end-point protection application. An anti-virus application can only try to protect your computer from known viruses by their signatures, although some software can use heuristics to catch unknown ones. End-point protection software may offer additional protection mechanisms.

    The UW has a site license for Sophos for Windows, Macintosh or Linux. Sophos can be installed on campus computers, or on personal computers for as long as you are associated with the UW.

    Anti-virus tools periodically and frequently update their signatures and even the virus scanning engine. They require a network connection to do that.

  2. General Protection Mechanisms

    Hackers, organized crime, and nation-states may attempt to break into your computer to:

    • vandalize your information
    • steal financial or other information
    • watch what you are doing
    • subvert your computer into attacking other computers
    • modify your information for their own purposes

    To borrow from a house analogy, if you put locks on your doors you may feel safer from entry by the doors, but you may have neglected to lock the windows. And how much protection is a window, anyway, to a determined person? In reality, due to cost and cleverness, all we can do is hamper a truly-determined person or group from breaking into something.

    Consequently, we:

    • buy good locks (make hard-to-break passwords)
    • change the locks (our passwords) often
    • lock up infrequently used access points (firewall: block network ports not in use)
    • don't let in strangers (block computers that are unfamiliar, if possible)
    • use a wall safe (encrypt files)
    • periodically check unused areas (scan for compromised files)

    But that's about as far as the house analogy goes. We have to get out of the house sometimes, and take our cars on that network we call the highway system. Anyone can watch and track our departure and arrival, as well as see who is in the car (in most cases).

    This is very similar to watching or snooping network traffic. If one has the means to view the network (the "road"), then one can see the packets of information (the "cars") and see what their payload is (the "occupants").

    With a wired Ethernet network, one can fairly easily peek at network packets if a computer is attached to the network, as Ethernet broadcasts its information. Ethernet switches (vs. hubs) may help somewhat with this.

    Wireless networks are much easier to snoop, especially because they are not physically constrained by where a wire is, and there is ample leakage of the signals. Even the older wireless encryption protocol, WEP, cannot help, as it is inherently flawed; use of WPA2 may help.

    This is one reason why we as a university transitioned to secure transport protocols for file transfers and email access... with the advent of wireless transmission, it would be much easier to see packets with login and password information, thereby compromising the security of a login account. Because we need the network, we sometimes need to secure data that travels over the open highway, so to speak, so we encrypt it to make it more difficult to read... just like people tint their car windows or use cargo vans to conceal their contents.

    For the web, TLS (Transport Layer Security) is often used to protect financial information between client and server. For file transfers, the SSH (Secure SHell) protocol is often used. Modern authentication protocols are also secure; older ones such as ftp and telnet are not -- passwords are sent in plain text.

    What this means for servers or services that you set up is:

    • change your passwords often to avoid the possibility that the password file was stolen and someone is trying to crack it (which takes time)
    • use a firewall or other port filtering mechanism to block access to TCP/UDP ports that are not in use.

      They are not panaceas -- see NAT and Firewall Limitations and UW Network Security Credo for details.

    • keep operating system and application software up to date

      Often a security hole in an operating system is known and quickly fixed before it is widely exploited. By keeping up with updates, you can avoid many problems that plague computers.

  3. Securing files

    Sometimes you don't want anyone else to read your files, especially if they contain sensitive information such as passwords, student grades, and personnel issues. If you share your computer with other people or put it on the network and you don't have file access permissions set up properly, your files may be readable by anyone.

    One reason for login accounts is to authenticate people, that is, to attempt to verify they are who they say they are. One can then use the presumed authentication to allow access to some resources, such as files, in a process called "authorization". A good operating system, such as Windows, Mac OS X, or Linux, can protect files from casual viewing -- although all files are visible from privileged accounts ("Administrator" or "root"), since some people get into trouble over-protecting their files.

    Ideally, you would set up only the accounts that you need on a computer, use strong passwords which are changed often, block guest login accounts, and ensure that file permissions are set by default to only the owner of the files... you can expand them later.

    As an extra measure of file readability defense, you can encrypt a file. Doing so without a backdoor (such as a recovery key entrusted to a system administrator) is dangerous, since you could lose the contents of the file if you forget or lose the password. Of course, having a backdoor is also dangerous, but overall encryption may prevent most users from being able to read the file.
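    The "owner-only by default" advice above comes down to the umask a program runs with. The following is an added example, not part of this page or any UW tool: it creates files under the common default umask 022 and under the owner-only umask 077, then audits a directory for files that group or others can read. The file names are constructed; on Linux, Mac OS X, or another POSIX system it runs as written.

```python
import os
import stat
import tempfile


def create_with_umask(directory, umask, name):
    """Create an empty file the way a program would under the given umask,
    and return its permission bits. 0o022 leaves group/others able to read;
    0o077 makes new files private to the owner."""
    old = os.umask(umask)
    try:
        path = os.path.join(directory, name)
        # The requested mode 0o666 is reduced by the umask, as for any new file.
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(directory):
    """Audit: names of regular files under directory that group or others can read."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            mode = stat.S_IMODE(os.stat(os.path.join(root, name)).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(name)
    return sorted(exposed)


def demo():
    """Weak default beside the owner-only setting; returns (mode_022, mode_077, exposed)."""
    with tempfile.TemporaryDirectory() as d:  # constructed scratch directory
        loose = create_with_umask(d, 0o022, "grades_loose.txt")
        strict = create_with_umask(d, 0o077, "grades_private.txt")
        exposed = readable_by_others(d)
    return loose, strict, exposed
```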

  4. Secure programming

    Programming for security is a fairly new area for most programmers. The whole Java security model is based on trying to keep everything well-contained to prevent inadvertent access to resources. However, embedding passwords in JDBC connection strings is one area where the model falls short of its designers' goals.

    Secure programming for web applications is another area of concern. One must sanitize any input coming into the server, as someone can try to inject some SQL code into a simple database-backed web application.
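    To show what "inject some SQL code" means and how parameterized queries prevent it, here is an added example that is not from this page: a constructed in-memory grades table queried once by pasting the request value into the SQL text, and once with a bound parameter. The table contents and the crafted input are made up for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed sample data: a tiny grades table, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student TEXT, course TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", [
        ("alice", "CS101", "A"),
        ("bob", "CS101", "B"),
        ("carol", "CS201", "C"),
    ])
    return conn


def lookup_unsafe(conn, student):
    """The weak pattern: the request parameter becomes part of the SQL text,
    so quotes and operators in it are interpreted as SQL."""
    sql = "SELECT student, grade FROM grades WHERE student = '" + student + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, student):
    """The fix: a parameterized query. The database receives the value
    separately from the statement, so it can only ever be compared as data."""
    sql = "SELECT student, grade FROM grades WHERE student = ?"
    return conn.execute(sql, (student,)).fetchall()


def demo():
    """Run both lookups on a normal name and on a constructed crafted value."""
    conn = setup_db()
    crafted = "x' OR '1'='1"  # the textbook crafted input, constructed here
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, crafted),      # matches no student
    }
```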

  5. Intrusion detection

    A good security person is ever vigilant, and takes proactive steps toward determining if the system is still sound.

    Events from the operating system and applications are often written to a logging facility. They are a good source of activity and a first place to look for abnormal activity.

    Intrusion detection systems ("IDS") exist, both for the network and for individual computers or "hosts". Normally, a network IDS is placed at the connection to the internet, so it can watch all packets as they enter or leave an organization. They work similarly to anti-virus programs, looking for signatures of malware in the packets. However, most non-network administrators do not run a network IDS, as maintaining one is difficult and there can be a lot of false positives.

    A host IDS may be more useful. It also monitors network packets, but as they enter or leave a host computer. For intrusion prevention, a host IDS may also keep a copy of all files somewhere, and after an intrusion is detected, compare the files it has to the saved copies, and alert people if there is a change -- or automatically replace the changed files. Host IDSes have to know when software, including the OS, is being updated, so that they do not undo updates, and so that they can update their saved copies with the valid updated files.
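    The file-comparison half of a host IDS, as an added example that is not code from this page or from any IDS product: it stores a SHA-256 baseline of a directory, reports files that were modified, added, or removed, and shows the baseline being refreshed after an approved update so the same state is no longer reported. The file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(directory):
    """Record the SHA-256 of every regular file under directory, keyed by relative path."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, directory)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare(baseline, current):
    """Return (modified, added, removed) file lists relative to the saved baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Returns (report after unexpected changes, report after the baseline is refreshed)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for monitored configuration files.
        for name, body in (("sshd_config", b"PermitRootLogin no\n"),
                           ("hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(d)
        # An unexpected edit to one file and an unexpected new file.
        with open(os.path.join(d, "sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")
        with open(os.path.join(d, "authorized_keys"), "wb") as fh:
            fh.write(b"ssh-ed25519 AAAA-constructed-placeholder\n")
        first = compare(baseline, snapshot(d))
        # After a known, approved update the IDS refreshes its saved copies,
        # so the same files no longer trigger an alert.
        baseline = snapshot(d)
        second = compare(baseline, snapshot(d))
    return first, second
```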

Change Log

15 Sep 2015 Updated links and some information, especially for "Intrusion Detection".
23 Oct 2002 Original document
