Required Standards of Care for Sensitive Information include all recommended and required standards for Unrestricted Information plus:
Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.
Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee
Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.
Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.
To set a lock screen and passcode, perform the following steps. Open the Settings app and then enter the Security menu. There, select Screen lock. Choose anything other than “None” or “Swipe”; this both enables the lock screen and provides a sufficient passcode.
Disable notifications on locked screen:
To disable notifications on the lock screen, open the Settings app and tap Sound & notification. Scroll down to the Notification section, tap “When device is locked” and switch it to “Don’t show notifications at all”.
Note: This only applies to devices running Android 5.0 (Lollipop) and above. Some older devices also support encryption but it will be device specific.
To encrypt your device, open the Settings app and tap Security. There will be an “Encrypt phone” option; tap it and read through the information. Tapping the Encrypt phone button begins the encryption process.
To encrypt your SIM card, open the Settings app and tap Security. Find the section called “SIM card lock” and tap it. In this menu tap Lock SIM card. You will then be able to change the PIN to one of your choosing.
Setting a lock screen and passcode:
To set or change your passcode go into the Settings app and select “Touchscreen & Passcode”. Within that hit “Turn Passcode On” to create one. If you already had one you’ll be prompted to enter it first. When you choose to turn it on or change it you can choose which type of passcode you’d like. You can do the simple 4-digit numeric code, or opt for the more secure option of setting your own passcode of the length you choose. After setting your new passcode we recommend testing it out a few times to make sure you remember it.
Notifications on Lock Screen disabled:
To disable notifications on the Lock Screen simply toggle the “Notifications View” switch to deactivate it and any others you’d like turned off.
Encrypting the SIM:
To encrypt the SIM go into the settings app, select Phone, and then SIM PIN. IMPORTANT: The PIN number is network provided and you should not activate the switch without already knowing the PIN!
Required: Passcode required,
Setting or changing a password
Windows Phone 8
From the home screen, tap Settings, and then select lock screen.
Scroll down to "Password". To set a password for the first time, slide the "Password" bar to On.
To change your password, tap change password. Enter your current password in the "Current password" field.
Enter your new password in the "New password" field, and then reenter it in the "Confirm password" field. Tap done.
To set a time limit for the screen timeout, on the "lock" screen, tap the "Screen times out after" field, and then select the time limit you want.
lock screen enabled,
notifications on locked screen disabled,
To see notifications when your phone is locked:
In Settings, open Notifications + actions.
Select the “Show notifications in action center when my phone is locked” check box.
device encryption enabled:
To enable the encryption on a Windows Phone 8 or Windows Phone 8.1 device you first have to enable it within a "mobile device mailbox policy" on the Exchange server.
Perform the following steps on your Exchange Server:
Connect to the Exchange admin console
On the left-hand side, go to "mobile"
In the window on the right, click on "mobile device mailbox policies"
Edit the "Default" policy or create a new one
When you press the "Edit" button a pop-up window appears
Click on "security"
Enable the checkbox for "Require encryption on device"
Save the changes
Perform the following steps on your SMC Server:
Connect to the Sophos Mobile Control admin web console
Log in to your SMC customer with an administrative user
Go to "Profiles | Windows Phone 8"
Edit a profile containing your Exchange configuration
Press the "Add configuration" button
Select "Restrictions" and click "Next"
Select the checkbox for "Forbid unencrypted device"
Now you have configured everything on your Exchange and Sophos Mobile Control server to make sure a Windows Phone 8 device is using the built-in encryption functionality.
Please be aware that there won't be any progress shown indicating the encryption on the mobile device.
How to verify that encryption is enabled on the mobile device
On the Windows Phone 8 device, open "Settings"
Open "storage sense"
An overview will be shown regarding your storage usage
Below the "phone" section the amount of used space is shown e.g. like this "2.80 GB used, encrypted"
The word "encrypted" indicates that encryption is active. If "encrypted" is missing, the encryption functionality is not in use.
data on removable devices (SIM, SD card, etc.) encrypted.
Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.
Host-based firewall active,
iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.
iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:
sudo apt-get install iptables
Firestarter, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.
Types of Chains
iptables uses three different chains: input, forward, and output.
Input– This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.
Forward– This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.
There’s one sure-fire way to check whether or not your system uses/needs the forward chain.
iptables -L -v
The screenshot above is of a server that’s been running for a few weeks and has no restrictions on incoming or outgoing connections. As you can see, the input chain has processed 11GB of packets and the output chain has processed 17GB. The forward chain, on the other hand, has not needed to process a single packet. This is because the server isn’t doing any kind of forwarding or being used as a pass-through device.
Output– This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.
Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.
Policy Chain Default Behavior
Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?
To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.
As you can see, we also used the grep command to give us cleaner output. In that screenshot, our chains are currently configured to accept traffic.
To deny all input connections and manually specify which ones you want to allow to connect, change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.
Accept– Allow the connection.
Drop– Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.
Reject– Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.
The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.
Allowing the connection:
Dropping the connection:
Rejecting the connection:
Allowing or Blocking Specific Connections
With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.
Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the position it should take in the list.
Connections from a single IP address
This example shows how to block all connections from the IP address 10.10.10.10.
iptables -A INPUT -s 10.10.10.10 -j DROP
Connections from a range of IP addresses
This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP
Connections to a specific port
This example shows how to block SSH connections from 10.10.10.10.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.
This example shows how to block SSH connections from any IP address.
iptables -A INPUT -p tcp --dport ssh -j DROP
As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?
That’s where connection states come in, which give you the capability you need to allow two-way communication while only allowing one-way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
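As an added illustration that is not part of the original guide, the following Python model replays the two rules above the way iptables evaluates a chain: top to bottom, first match wins, chain policy otherwise. It assumes a DROP policy on both INPUT and OUTPUT so the one-way effect is visible; with the OUTPUT ACCEPT policy set earlier, the second rule would be redundant.

```python
"""Toy model of iptables chain traversal, added here as an illustration: rules
are checked top to bottom, the first match decides, and an unmatched packet gets
the chain policy. Not iptables itself: only -p/-s/-d/--dport/--sport/--state."""
import ipaddress

class Rule:
    def __init__(self, target, proto=None, src=None, dst=None, dport=None, sport=None, states=()):
        self.target, self.proto, self.src, self.dst = target, proto, src, dst
        self.dport, self.sport, self.states = dport, sport, set(states)

    def matches(self, pkt):  # every option on the rule must match; omitted ones match anything
        if self.proto and pkt["proto"] != self.proto:
            return False
        for net, key in ((self.src, "src"), (self.dst, "dst")):
            if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net):
                return False
        if self.dport and pkt["dport"] != self.dport:
            return False
        if self.sport and pkt["sport"] != self.sport:
            return False
        return not self.states or pkt["state"] in self.states

class Chain:
    def __init__(self, policy):
        self.policy, self.rules = policy, []
    def append(self, rule):        # iptables -A CHAIN ...
        self.rules.append(rule)
    def insert(self, num, rule):   # iptables -I CHAIN num ... (1-based position)
        self.rules.insert(num - 1, rule)
    def verdict(self, pkt):
        for rule in self.rules:    # top to bottom, first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy         # unmatched traffic gets the default policy

def pkt(proto, src, dst, sport, dport, state):
    """Constructed packet with the state conntrack would assign (NEW or ESTABLISHED)."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, state=state)

def page_ruleset():
    """The two SSH rules from the text. Both policies are DROP here (assumption)
    so the one-way effect shows; with OUTPUT ACCEPT the second rule is redundant."""
    inp, out = Chain("DROP"), Chain("DROP")
    inp.append(Rule("ACCEPT", "tcp", src="10.10.10.10", dport=22, states=("NEW", "ESTABLISHED")))
    out.append(Rule("ACCEPT", "tcp", dst="10.10.10.10", sport=22, states=("ESTABLISHED",)))
    return inp, out

if __name__ == "__main__":
    inp, out = page_ruleset()
    print(out.verdict(pkt("tcp", "10.0.0.1", "10.10.10.10", 51001, 22, "NEW")))  # DROP: no SSH out to 10.10.10.10
```

The model also shows why rule order matters: a rule inserted with -I at position 1 is consulted before the ACCEPT rule and overrides it.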
The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:
Red Hat / CentOS:
/sbin/service iptables save
List the currently configured iptables rules with iptables -L.
Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words, hostnames, protocols, and networks are listed as numbers.
To clear all the currently configured rules, you can issue the flush command, iptables -F.
lock screen installed/enabled,
auto login disabled,
1. Open /etc/profile and append the TMOUT variable, as in the example below.
export TMOUT=600 # 10 minutes in seconds
typeset -r TMOUT
This sets the time-out to 600 seconds (i.e. 10 minutes); typeset -r makes the variable read-only so users cannot change it. Save the file and exit.
2. Alternatively, create the file /etc/profile.d/sessiontimout.sh and put the same entries in it.
export TMOUT=600 # 10 minutes in seconds
typeset -r TMOUT
Now save and exit the file.
As this is a script we have to change the permissions too.
chmod +x /etc/profile.d/sessiontimout.sh
How to accomplish this for individual users?
Answer: we can edit the ~/.bashrc file as given below.
Open the ~/.bashrc file for the given user and write the same two lines (export TMOUT=600 and typeset -r TMOUT) into it.
Save the file and source it so the setting takes effect in the current shell.
any unused services disabled,
Check for unused services in init.d with ls /etc/init.d, or with systemctl list-unit-files on systemd systems.
file and print sharing disabled
File sharing is disabled by default on most Linux distributions, but if Samba is installed you may disable it with sudo /etc/init.d/samba stop or sudo systemctl stop samba.
OS and apps configured to auto update unless centralized patch management is implemented by the cognizant OSU IT support team,
remote access restricted.
See confidential section