This document is intended to provide a guide for the installation of computers that are part of the University of Minnesota network so that they meet at least a minimally acceptable level of security. Due to the volatile nature of what is considered to make a computer "secure", please consider all of these guidelines as highly recommended unless otherwise noted. See the Securing Private Data, Computers and Other Electronic Devices Policy and associated procedures for information on what is required.
Since computer security is a rapidly changing field with constantly changing vulnerabilities and fixes to those vulnerabilities, making a computer absolutely secure is just not possible. Securing a computer amounts to determining the worth of each computer and the data that passes through it and then deciding how far one has to go to protect that computer and data. Installing every single computer security tool on every single computer is usually not a good investment. It would be serious overkill for the majority of computers that are probably best protected with a few well-chosen security tools and a vigilant maintainer.
These guidelines take this rapid evolution into account and present a philosophy of installing computers rather than a cookbook for how to install computers. There is a large continuum of computer security ranging from computers that don’t contain private data and need minimal security to highly secure computers that need extraordinary measures. While neither of these extremes is generally true within the University's environment, it is really up to the individual computer's owner to choose the appropriate level of security for each computer, and then to implement appropriate security measures to maintain that level of security.
Other factors such as state and federal laws or industry standards may help determine the level of security needed. Some examples are the Minnesota Data Practices Act, FERPA, GLB, HIPAA and Payment Card Industry (credit card) standards that address certain “not public” data such as social security numbers, student records, patient data and credit card numbers.
One good thing to keep in mind while reading this document is that simply installing a good mix of computer security tools onto a computer is never enough. All security tools require at least occasional care and maintenance. This can be anything ranging from the installation of new patches to the operating system to modifying the availability of services due to the changing role of a computer or an organization. With the quickly changing nature of things in the computer world, it is important to keep up with the times and to know beforehand that any computer security model must adapt to these changes.
For any operating system, it is important to follow the general guidelines below as well as what is required in the University policy Securing Private Data, Computers and Other Electronic Devices. The actual details used to implement these guidelines may vary slightly (see the checklist in the next section), but the ideas are the same regardless of the operating system. If followed, these will go a long way toward securing a computer.
Here are some general recommendations for all operating systems. Do these roughly in the order listed.
( ) Review the purpose or role of the computer
- Conceptualize the role of each computer within an organization and which services each computer will offer. The services that it provides should entirely be dictated by its role within an organization and by the type of information (i.e., public vs. “not public”) that flows through it. See Securing Private Data, Computers and Other Electronic Devices Policy for additional steps for protecting private and "not public" information.
- Create departmental policies to address the acceptable use and security of all computers if more restrictive than the University’s Acceptable Use or Securing Private Data, Computers and Other Electronic Devices Policy.
( ) Set up authentication & account management before connecting to the network
- All accounts should have strong passwords.
- Administrative or root accounts should have even stronger passwords or passphrases.
- Only use the administrator or root account when absolutely necessary.
- Assign a unique administrative account and password to each individual to better distinguish activities between multiple administrators.
- Use different passwords for administrator or root and general user accounts.
- Force new users to change their passwords when they first login.
- Regularly review the access list or log for users, especially of root and groups. Look for unexpected rights or changes.
- Limit the use of the same password across dissimilar systems (use of the same password on a less secure system may endanger a more secure system).
- Disable or delete old or unused accounts that belong to people who no longer need access.
- Be sure to have a plan and process for securing administrator and root passwords that allows appropriate access to the server in case of illness, turnover, or unforeseen circumstances.
- See the Authentication section in the Securing Private Data, Computers and Other Electronic Devices Policy
- Tips on passwords and passphrases
- For Windows operating systems, avoid adding service accounts to the default Administrators group and instead assign rights specific to the tasks each account requires.
( ) Install and patch the operating system before connecting to the network
- Run software that is current. The operating system and other software should be vendor supported for security patches.
- When installing software, make sure to only install software that is needed, making sure to install the latest versions of all software including all recommended and security patches that are available.
- Download patches to another computer and put them on CD.
- After installation, all computers should be routinely maintained and updated. This includes the installation of operating system patches and new versions of installed software. See the Security Patches section in the Securing Private Data, Computers and Other Electronic Devices Policy.
- For UNIX-like operating systems, when installing third party software, consider using the ports or package trees available with each operating system. This ensures that the software is compiled with all available patches on the computer that it will be installed upon.
( ) Run minimum number of services
- Each computer should only provide services needed for its role in an organization.
- Make sure to configure all installed software, disable all unused features and be sure to limit the availability of any features that are enabled.
- Disable Telnet and FTP. Use SSH instead.
- Unless using network management tools, turn off SNMP. If SNMP is enabled, change the default community name and set permissions. Be sure to delete the public community string, if software allows you to do this or at least change the default settings.
- Use of name services caching is okay, but do not run a name server.
- For UNIX-like operating systems, turn off unnecessary inetd services, including trivial services: echo, chargen, discard, daytime, time, qotd and finger.
( ) Install filters or firewall
- Install and configure a packet filtering utility such as TCP wrappers or a software or hardware firewall to protect individual services.
- The rules should reflect the acceptable use and security policies that have been defined for the computer.
- Operating system filters that deny or permit certain traffic should be used if available.
- Periodically review the filters for inappropriate or unneeded access.
- Restrict access to services to only U of M addresses, where prudent. Limit access to databases to specific IP addresses or U of M addresses.
- For UNIX-like operating systems, install and configure a packet filtering utility such as TCP wrappers, Ipchains, Iptables or a software or hardware firewall to limit access to the computer. The rules should reflect the acceptable use and security policies that have been defined for the computer.
- For Windows, the Microsoft IP Filtering is an option similar to TCP wrappers for UNIX-like operating systems.
( ) Set up and review logs
- Configure all services so that they log all connections and authentication information. Forward all of these logs to a highly secure computer if possible.
- Someone should be assigned the responsibility to review and as appropriate follow up on possible security violations identified in the system logs. For important servers this might be as often as daily.
( ) Install security-related software
- Install security related software on each computer, as appropriate to the level of security needed.
- Install anti-virus or other virus filtering software with daily updating for the latest virus definitions. See the Anti-Virus Protection section of the Securing Private Data, Computers and Other Electronic Devices Policy.
- SSH or other encrypted and secure method of access should be installed if remote access or remote administration services are needed. SSH improves the security of user accounts by encrypting all login sessions and allowing the forwarding of X11 and other arbitrary network traffic. Many SSH distributions are free for educational use. Also take additional steps to help reduce the risk of SSH password guessing compromises by using strong passwords, not allowing root to log in through SSH, and using host based or network firewalls to limit access to specific IP addresses. Also, it is particularly important to apply these recommendations to computers running Apple OS/X where administrator accounts are root equivalent.
- Install VPN encrypted tunnel if unable to install SSH or when clear text is a security risk. OIT provides free VPN client software that provides an encrypted tunnel to the University from the Internet (e.g., connection at home or on the road).
( ) Maintain physical security
- Locate the server in a secure location with documentation of who has access.
- Use Uninterruptible Power Supply (UPS) for servers and other essential peripheral equipment (e.g., monitors, KVM switches, etc.).
- Locate servers in a climate-controlled environment (e.g., dedicated air conditioning with in-room temperature controls).
- Consider basic fire suppression services/options (e.g., extinguishers, sprinklers, etc.).
- Utilize “keyboard locking” software or password protected screen savers to prevent keyboard activity.
- See the Physical Security section in the Securing Private Data, Computers and Other Electronic Devices Policy.
( ) Maintain backups and operational continuity
- Run back-ups regularly and periodically store off-site.
- Test the restore capability periodically.
- Use a secure deletion program to erase data from hard disks and media after done using and prior to transfer or disposal of hardware. See the Secure Data Deletion section in the Securing Private Data, Computers and Other Electronic Devices Policy and the University Security Framework Media Sanitization standard.
- See Developing a Plan for Operational Continuity
( ) Identify the computer for security event notification
- Maintain the information about the computer in Service Gateway.
- Identify critical servers to University Information Security. See the Critical Server Identification section in the Securing Private Data, Computers and Other Electronic Devices Policy.
( ) Run a network-based vulnerability scan
- Run a network-based vulnerability scan (i.e., Qualys) to look for common vulnerabilities. These scans are highly recommended for important servers. Send requests for access to the Qualys scanner to firstname.lastname@example.org
- Review and correct vulnerabilities found or implement a risk-mitigation strategy, concentrating first on the items marked as confirmed level 4 or 5.
Additional Steps to Enhance Security
Installation Configuration Process
This section provides more general information on the configuration process.
Acceptable Use - Security Policies
The security of any computer or organization really begins with a review of the Acceptable Use Policy (AUP) for the computers in the organization. If there is no need for a more restrictive departmental policy, the default policy is the general U of M policy. The departmental policy is intended to define the rights and responsibilities of both the users and system maintainers as well as define who these people are. This is really the first step in the security of any computer as it sets out the rules that everyone is to follow. And when the rules are broken, the AUP also defines what happens to those who've broken them.
For any department that is developing an AUP within the University, there is really only one rule that must be followed: all departmental AUPs must start with the University’s AUP and add further restrictions. That is, the University’s AUP supersedes all other AUPs within the University. So, for example, a department is not allowed to state in their AUP that the sharing of accounts is allowed since the University’s AUP forbids this.
See the University's Acceptable Use Policy.
For a very good starting point in the creation of an AUP, refer to the Site Security Policy Development paper written by AUCert:
Know the worth of the information and services on a computer
After the policies, the next thing for anyone implementing a computer security policy is to address the issue of the importance of the computers and the information that they contain. While it might be tempting to say "These computers are not important at all, so why bother securing them?" consider that even the most basic of computers is still powerful enough to be used by unscrupulous individuals to cause havoc on the local or even vastly remote networks. All computers are important no matter how insignificant they may seem to be. But of course some are more important than others.
To determine the value of a computer, simply look at the type of information that will be flowing through that computer. On the minimal end of the spectrum, consider a computer that is shared by a small group of people in a graduate student office. As long as these students are not working with sensitive or “not public” data, then this is a situation in which minimal security coverage can be appropriate. The only things of real worth on the computer are the operating system itself and all accompanying programs, the system logs, the accounts of the people who use that computer and the general availability of the computer for the people who use it. However, data's value is not always readily apparent.
Please be aware that user accounts, listed above, are one of the most valuable assets on any computer. User accounts are frequently targeted by hostile people since they provide a measure of anonymity on the Internet from which attacks can be launched on even more computers. That is, by stealing someone else's identity, computer criminals are able to cover some of their tracks and make it appear that an innocent party is actually the one launching attacks.
At the other extreme is the database server that stores student or patient records and other important information such as social security numbers, addresses, medical records, etc. This is highly sensitive or “not public” data and, under pain of legal action, it must remain so. This is a computer that calls for great care and the strongest computer security tools.
It is these sorts of issues that directly determine the value of a computer and thus how far one must go to protect it and the information that it contains. A computer that contains highly sensitive or “not public” information must be highly protected and should be addressed by an approved security plan.
The operating system
Another critical step in securing any computer, before connecting it to the University of Minnesota network, is for those who install and maintain that computer to be intimately familiar with how its operating system and software function. This doesn't mean that one should know every nuance and feature of every piece of software. It means that one should have a healthy knowledge of the primary features and of its basic behavior in common situations.
Without this sort of knowledge, it can be very difficult to determine even if a computer is functioning correctly, let alone if it's being exploited by unauthorized users. If in doubt, ask for help or ask for a scan to check out your configuration.
Choosing which services to run
Now that the most basic issues of securing a computer have been addressed, it is time to turn to the more practical things that can be done. The most basic of these is to choose what services each computer will offer. Or, seen from another perspective, the role of each computer in an organization needs to be defined.
The only common exceptions to this one service on client computers rule are where a client computer needs to be specialized for the people who commonly use it. And the most common service that is needed is remote access to the local disk. A few other, less common services include software licensing, calendar access, font services and remote display access. These sorts of exceptions do occur for budgetary or other reasons. But the idea here is to start with the absolute minimum number of services and build up instead of starting with every imaginable service and building down.
For computers that fit the role of "server," the situation is similar, but a little more complicated. Having just the minimal, remote access service on a server makes very little sense in most cases. Typically, a computer fits the role of server because it needs to provide one or more services to the entire organization. Common examples include: email servers, file servers, authentication server, compute servers, web servers, and many more. Frequently, several of these services are combined onto a single computer.
The idea to follow when configuring server computers is the same as that for clients. Start with the minimum number of services possible and start adding services as needed. For a server, this can sometimes lead to adding quite a few services, but if done with care, this is usually not a big issue. For example, it's not uncommon to find server computers that are simultaneously acting as file server, email server, font server, authentication server, remote access server, web server and ftp server.
However, for most installations, it is best to not load down any single computer in this way. The impact upon the organization is tremendous if that computer should be out of service for any reason. Spreading the services out among a few computers limits the impact when one of them should be out of service. Some services, such as web server, are difficult to configure securely and others such as remote access can introduce additional risk, so mixing many services usually leads to a less secure configuration as well. Note that the degree of “secureness” is influenced by the number of services in many cases.
Choosing which software to run
One of the simplest ways to select which services are installed on a computer happens when the computer is first installed. By carefully choosing which software bundles get installed, the person installing the computer can greatly simplify the task of choosing which services to run after the install is complete. Some other benefits of only installing needed software packages are that the computer will then have more free disk space and be less complex to maintain.
From a computer security standpoint, this practice is also beneficial. Most operating system vendors have created their installation tools so that the end result is a highly usable system. While this may sound like a good thing, it is usually accomplished by loosening the permissions on files and installing configuration files so as to make services as widely available as possible. Thus, the newly installed system might be highly usable not only for those intended to use its services, but also to those not intended to use them.
And finally, a simpler operating system installation means that the job of final configuration of the computer is also simpler. There will be fewer configuration files to customize and fewer files that need to have their permissions tightened, thus making it much easier to identify when a computer is not behaving as it should be. For all of the above reasons, always use a “custom” install option and not the default.
While the simplest method of protecting a service on a computer is to either not install the software or to not run the service at all, this is not always possible since some services need to be available on some computers. The best line of defense for these running services is to use an access control package like Wietse Venema's TCP Wrappers, available at:
They are now shipped and installed by default on most of the free operating systems: NetBSD, FreeBSD, OpenBSD and most versions of Linux.
TCP wrappers provide an amazingly good first line of defense for these computers. They allow the computer's maintainer to define a set of allow/deny rules for each installed service. The decision to allow or deny is then made based on the location of the clients who attempt to connect to the running services. When allowed, the clients see nothing unusual, they simply access the services as if the TCP wrappers weren't there at all. But when denied, the unauthorized client never gets a chance to talk to the service at all. Its connection to the computer running the service is immediately dropped before the service is even made aware of the request.
Besides the ability to allow and deny service requests, the TCP wrappers also provide verbose logging of all connection attempts along with the client's host name, the time of day and whether the connection was allowed or denied. Although quite verbose at times, these logs are immensely useful for a computer's maintainer in debugging network problems or when digging back through logs in an attempt to find out who might be misusing a computer.
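An added illustration of the allow/deny decision described above (not code from TCP Wrappers or from this guide): a simplified, IPv4-only Python model of the order in which hosts.allow and hosts.deny are consulted. The addresses come from documentation ranges, .campus.example is a placeholder domain, and the function names are hypothetical.

```python
import ipaddress

# Constructed rule files. 192.0.2.0/24 (a documentation range) stands in for the
# campus network and .campus.example is a placeholder domain; both are assumptions.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd  : 192.0.2.0/255.255.255.0 .campus.example
imapd : 192.0.2.
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip, hostname):
    """Match one client pattern against the peer address and its looked-up name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .campus.example
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):          # address prefix, e.g. 192.0.2.
        return ip.startswith(pattern)
    if "/" in pattern:                 # net/mask pair
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in network
    if pattern == ip:
        return True
    return hostname is not None and pattern.lower() == hostname.lower()


def rule_hit(rules, daemon, ip, hostname):
    """True when any rule names this daemon (or ALL) and one of its clients matches."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip, hostname) for c in clients):
                return True
    return False


def check(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow file first, then deny file; a client matching neither is admitted."""
    if rule_hit(parse_rules(allow), daemon, ip, hostname):
        return "allow"
    if rule_hit(parse_rules(deny), daemon, ip, hostname):
        return "deny"
    return "allow"


if __name__ == "__main__":
    cases = [
        ("sshd", "192.0.2.10", None, HOSTS_DENY),
        ("sshd", "198.51.100.7", None, HOSTS_DENY),
        ("sshd", "198.51.100.9", "lab.campus.example", HOSTS_DENY),
        ("imapd", "198.51.100.9", "lab.campus.example", HOSTS_DENY),
        ("sshd", "198.51.100.7", None, ""),   # same client, empty hosts.deny
    ]
    for daemon, ip, name, deny in cases:
        print(daemon, ip, name, "->", check(daemon, ip, name, deny=deny))
```

With an empty hosts.deny, the off-campus client that matched nothing in hosts.allow is still admitted, which is why the closing ALL : ALL deny rule matters. Rules that match on host names are only as trustworthy as the name lookup behind them.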
For Windows platforms, the Microsoft IP Filtering is an option similar to TCP wrappers for UNIX-like operating systems. Microsoft IP Filtering does not provide logging.
Another important aspect to protecting the services on individual computers is to very carefully examine and tune the configuration files for each piece of software. It is almost always a good idea to turn off all features that are not needed and limit access to the enabled features. It's also very important to not overlook the banner messages that are usually defined within the configuration files. An interesting sidelight is the tendency of people to use the word "welcome" in the messages that appear when a service is first accessed. This is a very bad thing to do. The "welcome" message can actually be used during criminal proceedings by the defense to show that the defendant was actually "welcome" to invade the computers!
A good document that talks about banner messages is available from CIAC:
Perhaps the single most important way to protect any service is to carefully maintain and store the logs generated by that service. These logs will not only tell when the service is broken, but in ideal situations will also tell where connections originated, what features of the service were accessed and when. In terms of computer security, there is nothing more valuable than these logs. With them almost any unauthorized access to any computer can be tracked down. Even if the unauthorized users turn logging off, the first connection to the computer will be logged giving valuable information about where any attacks originated and possibly the user name of the person who launched the attack.
To protect these logs, it is always a very good idea to make sure that they are forwarded through the network to another highly secure computer. This configuration keeps the logs secure from modification by unauthorized users. It also keeps them secure from people who just want to sift through them for information about the organization or the people in the organization. Common examples of this type of information include connection patterns, computer names and even people's passwords when mistyped at a keyboard.
To further emphasize the importance of the logs generated by the services on a computer, consider the worst case scenario. A highly secure computer that contains payroll information, including social security numbers is penetrated by someone across the country via the Internet. They download all of the payroll records and proceed to post it to publicly available sites including public web sites, UseNet and large email lists. And finally, they erase the computer's hard drive. If the logs for this computer are verbose and forwarded on to a secure computer, then it is possible to go back and look at the logs to determine where the attack originated, when and what was done to gain access to the payroll computer. This is usually enough information to pass to law enforcement to at least give some leads in an investigation.
Other information that might also appear in the logs include: the actual username that the attack was using, any local usernames that the attack exploited, which services were exploited and how they were exploited. If the logs were not forwarded on to a secure computer, when the computer's disk was erased, any existing logs would probably have been erased. And backups of that computer don't always give a complete picture of what happened to the computer.
Programs for Further Protection
Stepping beyond the limits of the software that is usually installed on a computer by the base operating system, computer security steps into the wider world of software that is available on the Internet. This ranges from the most basic drop-in replacement for software commonly shipped with operating systems to more esoteric software intended to identify changes to the operating system itself. While usually not difficult to install or configure, this software can sometimes be difficult due to lack of active maintenance, or lack of support for some operating systems. But the quality is usually good enough for at least minimal usage.
Perhaps the single most important piece of software that one can install onto a computer is SSH. A drop in replacement for the client and server side of the UNIX rlogin and rsh services, SSH makes a dramatic leap forward in securing an organization's computers by using strong encryption to encrypt all traffic and also the entire login session itself. This defeats the common practice of using network "sniffers" in an attempt to steal other people's passwords. While a mostly UNIX-oriented tool, SSH clients are available for many different platforms including the MacOS and Windows.
SSH is ideally suited for use in the system administration of computers. It protects the highly sensitive administrative passwords that frequently give high levels of control to individual computers. SSH also can be used to replace other relatively insecure programs that are used to copy files between computers. These features combined with SSH's ability to tunnel other network connections between computers make SSH an invaluable tool for securely accessing remote computers.
Take additional steps to help reduce the risk of SSH password guessing compromises:
- Use strong passwords.
- Do not allow root to log in through SSH.
- Limit access to specific IP addresses or U of M addresses.
- Do not allow Administrators on Macs to log in with a password through SSH (as an administrator password can give you root on a Mac).
For more information on SSH and other related software, look at the SSH User's Group or OpenSSH
One of the more common challenges in large organizations is examining the logs created by its computers. They can frequently be extremely verbose, creating many tens of megabytes of logs each day. This makes the job of finding misconfigured or misused computers very difficult, much like looking for the proverbial needle in the haystack. Luckily, for UNIX-like operating systems there are a few software packages available that make examining the logs much simpler by filtering them based on interesting events.
Two software packages based on similar ideas are Swatch and Logsurfer.
Written in Perl, swatch takes the quick and dirty approach to log filtering by allowing the user to create rules based on Perl regular expressions. Once a line out of the logs matches a rule's regular expression, swatch then performs the action present in the corresponding rule. Usually, this action tells swatch to display or ignore the corresponding log, but far more complex actions such as sending email or executing arbitrary programs are possible.
Although Logsurfer is similar to swatch in concept, it is a more powerful log filtering program. It is driven by a set of rules, each built out of a regular expression and an action, but unlike swatch, it allows other actions that create filtering states. That is, it allows the user to create rules that only match when other rules have already been matched. Thus, with logsurfer, it's possible to look for events that consist of a sequence of events in the logs.
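The difference between the two approaches, as an added Python sketch (not swatch or Logsurfer code, and not their rule syntax): a stateless filter reports every line that matches a regular expression, while a stateful filter reports a successful login only when earlier failures from the same address have already been seen. The log lines are constructed, with ISO timestamps and documentation addresses, and the function names, threshold and window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-03T02:14:01 host1 sshd[411]: Failed password for alice from 198.51.100.23 port 50122 ssh2
2024-03-03T02:14:05 host1 sshd[412]: Failed password for alice from 198.51.100.23 port 50124 ssh2
2024-03-03T02:14:09 host1 cron[500]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-03T02:14:12 host1 sshd[413]: Failed password for alice from 198.51.100.23 port 50126 ssh2
2024-03-03T02:14:20 host1 sshd[415]: Accepted password for alice from 198.51.100.23 port 50130 ssh2
2024-03-03T09:00:02 host1 sshd[600]: Failed password for bob from 192.0.2.44 port 40100 ssh2
2024-03-03T09:00:10 host1 sshd[601]: Accepted password for bob from 192.0.2.44 port 40102 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Swatch-style rules: the first regular expression that matches decides the action.
STATELESS_RULES = [
    (re.compile(r" cron\["), "ignore"),
    (re.compile(r"sshd\[\d+\]: Failed password"), "report"),
]

FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) ")
ACCEPTED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) ")


def stateless_filter(lines):
    """Return every line whose first matching rule says 'report'."""
    reported = []
    for line in lines:
        for pattern, action in STATELESS_RULES:
            if pattern.search(line):
                if action == "report":
                    reported.append(line)
                break
    return reported


def stateful_filter(lines, threshold=3, window=timedelta(minutes=5)):
    """Report an accepted login only if a context of failures is already open.

    A failed login opens or extends a per-address context. The 'accepted' rule
    fires only when that context holds at least `threshold` failures that are
    no older than `window`; the context is closed either way.
    """
    contexts = {}   # source address -> timestamps of recent failures
    alerts = []
    for line in lines:
        failed = FAILED.match(line)
        if failed:
            when = datetime.fromisoformat(failed.group(1))
            source = failed.group(3)
            recent = [t for t in contexts.get(source, []) if when - t <= window]
            contexts[source] = recent + [when]
            continue
        accepted = ACCEPTED.match(line)
        if accepted:
            when = datetime.fromisoformat(accepted.group(1))
            user, source = accepted.group(2), accepted.group(3)
            recent = [t for t in contexts.pop(source, []) if when - t <= window]
            if len(recent) >= threshold:
                alerts.append((source, user, len(recent)))
    return alerts


if __name__ == "__main__":
    print("stateless:", len(stateless_filter(SAMPLE_LINES)), "lines reported")
    for source, user, count in stateful_filter(SAMPLE_LINES):
        print(f"stateful: login for {user} from {source} after {count} failures")
```

On the sample, the stateless filter reports all four failed logins, including the single mistyped password, while the stateful filter raises one alert for the address whose three failures were followed by a success.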
Detecting File Changes
Stepping away from the issue of computer logs, another important issue in computer security is knowing when changes have occurred to the files stored on a computer's hard drive. This is especially important due to the proliferation of "root kits", or bundles of software that replace the critical parts of an operating system that deal with user authentication. This problem can be addressed with a package called Tripwire.
The idea behind Tripwire is that one can store information about files stored on a hard drive such as each file's size, modification date and a cryptographic hash of its contents. Then at a later date, these stored values can be compared to what's found on the hard drive. If there's a difference, then the file has changed. Although this sounds like a simple idea, it's surprisingly difficult to implement correctly. The biggest problem revolves around storing the file information in a secure way.
Originally, Tripwire was only runnable on UNIX-like operating systems, but it has now been ported as a commercial product to Windows and is available from Tripwire Security Systems.
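The baseline-and-compare idea, as an added Python sketch (not Tripwire's code or database format): it records size, modification time and a SHA-256 hash per file, and seals the stored baseline with an HMAC so that edits to the baseline itself are detected. The file names, the demo key and all function names are constructed for the example; the key is assumed to be kept off the monitored computer.

```python
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(paths):
    """Record size, modification time and SHA-256 of each file that exists."""
    records = {}
    for path in paths:
        if not os.path.isfile(path):
            continue
        info = os.stat(path)
        with open(path, "rb") as handle:
            digest = hashlib.sha256(handle.read()).hexdigest()
        records[path] = {"size": info.st_size, "mtime": int(info.st_mtime),
                         "sha256": digest}
    return records


def seal(records, key):
    """Serialize the baseline and compute an HMAC tag over it."""
    body = json.dumps(records, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Return the baseline only if its HMAC tag still verifies."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored baseline does not match its tag")
    return json.loads(body)


def compare(baseline, current):
    """Classify differences between the stored baseline and the disk today."""
    report = {"changed": [], "touched": [], "missing": [], "added": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
        elif (old["sha256"], old["size"]) != (new["sha256"], new["size"]):
            report["changed"].append(path)
        elif old["mtime"] != new["mtime"]:
            report["touched"].append(path)      # same content, new timestamp
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Run the whole cycle on constructed files in a temporary directory."""
    key = b"constructed-demo-key"               # assumption: stored off-host
    with tempfile.TemporaryDirectory() as root:
        login = os.path.join(root, "login")
        ls = os.path.join(root, "ls")
        for path, data in ((login, b"original login binary"),
                           (ls, b"original ls binary")):
            with open(path, "wb") as handle:
                handle.write(data)
        body, tag = seal(snapshot([login, ls]), key)

        # Replace 'login' with same-length content and restore its old
        # timestamp, so size and modification date alone show nothing.
        before = os.stat(login)
        with open(login, "wb") as handle:
            handle.write(b"trojaned login binary")
        os.utime(login, (before.st_atime, before.st_mtime))
        os.remove(ls)

        found = compare(unseal(body, tag, key), snapshot([login, ls]))
        report = {kind: [os.path.basename(p) for p in paths]
                  for kind, paths in found.items()}

        # An edited baseline no longer verifies against its tag.
        try:
            unseal(body.replace(b"original", b"0riginal") + b" ", tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The replaced file keeps its original size and timestamp, so only the hash comparison reveals the change.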
So far, all of the software packages presented are designed to point out existing problems with a computer, its operating system or its installed services. In essence, all of the software seen so far is passive in nature. That is, it simply observes a computer and then notifies the computer's maintainer when something is broken or changed. Although this is a very important thing for any computer's maintainer to know, it is not always enough. Sometimes it would be nice to know where weak, but not yet exploited points are on a computer.
Perhaps the single greatest weak point on any computer is the passwords that users pick to protect their accounts. They frequently pick passwords that are incredibly simple to guess, such as their spouse's first name, their birthday or simply a word in the dictionary. And when asked to choose a new password, they will frequently not do so due to the fact that they'll then have to re-memorize their password.
It's this laziness in protecting their accounts that makes users' passwords a prime target of attack for malicious users. Malicious users will obtain a copy of the password file and then they'll attempt to guess the passwords on users' accounts. Since this task is easily performed on any computer and since the passwords on users' accounts rarely change, the malicious user can take as long as he/she wants to guess passwords in the attempt to guess as many as possible.
To stop this situation from being a problem, it has long been common practice for the maintainers of a computer to attempt to guess the passwords on their users' accounts. The difference is that when the computer's maintainer guesses a password, he/she will notify the user and ask them to change their password. When a malicious user guesses another user's password, he/she will frequently make unauthorized use of that account.
One of the first password guessing programs written for UNIX-like operating systems is the package known simply as Crack. It is built on the simple idea that one can take multiple dictionaries, permute or modify the words found there in lots of different ways and then use the modified words that result to guess users' passwords. The real power in Crack is in the permutation and modification rules. They are very complex and long, performing over 100 different modifications to the words in the supplied dictionaries. Also, in more recent versions of Crack, there is support for running it on many computers simultaneously to use the computing power of more than one computer at a time.
A more recent and more powerful password guessing program for UNIX-like operating systems is John the Ripper, or just John for short. Designed along the same lines as Crack, but with highly tuned assembler code for extremely fast password encryption, John is about the fastest password guessing program available.
For Windows, the problem of guessing passwords is an even larger problem. Due to the abysmal encryption algorithm used in Windows systems before Windows 2000, it is far easier to guess a password for older Windows systems than for UNIX-like operating systems. In fact, the encryption algorithm used in Windows NT is so bad, that it’s possible to try all possible passwords on a reasonably powered Pentium II computer. Obviously, this is not a good thing. Microsoft improved the encryption scheme in the newer Windows systems (e.g., Windows 2000 and XP) with the introduction of NTLM2. This algorithm should be used whenever possible. In general it is a good idea to use strong administrative passwords or passphrases of 14 characters.
The most commonly used Windows password guessing program is L0phtCrack.
Where to learn more
Want to learn more? Here's a list of some of the better computer security related resources available on the Internet today:
CERT (Computer Emergency Response Team)
Based at Carnegie Mellon, CERT provides basic computer security guidelines, and issues reports of known vulnerabilities in operating systems:
SANS is an organization that provides educational resources and support for system administrators and other computer professionals. Computer security is one of their main focuses.
NIST (National Institute of Standards)
NIST provides security industry standards.
CIS (Center for Internet Security)
CIS provides security industry standards and benchmarks for securing an operating system.
NSA (National Security Agency)
NSA provides security industry standards.
Computer security information clearing house.