This document defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.

These classifications are additive, meaning that a device needs to meet the standards of its classification level and those from any less restricted level also. Confidential information has the most restrictions, and unrestricted has the least. The classifications can be viewed here: http://is.oregonstate.edu/ois/data-classification-data-element

Standards of Care for Unrestricted Information:

Access to Unrestricted Information: No restriction for viewing, copying or printing. Departments determine protocol for modification of information.

Mobile Devices

(systems utilizing an operating system designed specifically for mobile devices. Examples would include Android, iOS, Windows Phone, Firefox OS, Sailfish OS, Tizen, Ubuntu Touch OS, Blackberry)

Recommended: Current operating system with updates turned on.

iPhone:

To make sure that your iPhone has the most current operating system, open the Settings app and choose the General settings. Within that, choose the Software Update menu. From within Settings > General > Software Update you can see whether you have the current version or whether an update is available. If there is one, simply follow its instructions to download and install it, which may require restarting your phone.

iPad:

Android:

To make sure that your Android has the most current operating system, open the Settings app and choose About phone. Under that, select the Software Update menu. From within Settings > About phone > Software Update you can see whether you have the current version or whether an update is available. If there is an update, simply follow its instructions to download and install it, which will restart your phone.


Windows Phone:

Updating

When a software update is available for you to download, Microsoft will notify you so you can download it directly to your phone over a Wi-Fi or cellular data connection. (Your phone will need 3G or greater to download updates over a cellular data connection.)

Before you download and install an update:

  • Charge your phone. We won't perform the update unless your phone has sufficient power.
  • See "How can I minimize my data usage?" to learn more about the data an update uses.
  • If you don't have enough storage space on your phone to get an update and you have an SD card inserted in your phone, we might be able to update your phone using the SD card. Support for using your SD card for updating your phone depends on your phone model and manufacturer.
  • See "Make room on my phone to update it" if you need to free up space first.
How to download updates automatically
  1. In Settings, tap Phone update.
  2. Select the check box that allows automatic downloads.
Note:

Updates won't download if data settings on your phone prevent it. For example, both Data Sense and Battery Saver can limit how your phone uses data. To learn more, see Battery: making it last. (Not all mobile operators offer Data Sense.)

How to check for updates manually
  1. In Settings, tap Phone update.
  2. Tap Check for updates.
Note:

Windows Phone will let you know when new updates are available. If you check manually for an expected update and your phone appears to be up to date, it may be that it isn't available yet for your specific phone, mobile operator, or market.

Tip:

Have a Lumia phone? Check out the Microsoft Mobile Devices website to see if there's updated software for your phone model.

How to install an update:
  1. In Settings, tap Phone update, and then tap Download when prompted after checking for updates or receiving an update notification.
  2. Do one of the following:
  • Tap Show details, and then tap Install. Your phone will restart, and then install the update.
  • Return to Settings > Phone update later to install the update.
  • Tap Preferred install time, and then choose a time to install the update. (Scheduling an update is available after updating to Windows Phone 8.1 Update build 8.10.14203.206.)
  3. After your phone restarts, wait for it to migrate your settings, and then tap Done to finish the update.

Note:

It usually takes 5 to 10 minutes to install an update, but it could take longer depending on the number of apps you've got installed on your phone.

http://www.windowsphone.com/en-us/how-to/wp8/basics/how-do-i-update-my-phone-software

Apple OS X systems

Recommended: Patched and officially supported version of the operating system, current antivirus client, and user name and password required for all accounts.

Updating the OS:

To ensure that your operating system is up to date, click on the apple icon in the upper left corner of your screen and select “About This Mac”. In the window that opens, click on “Software Update…”.

This will then launch the App Store, where a software update will appear if there is one. Simply hit “Update” next to it to begin the update process. Be aware that this may require your computer to restart.

You can then check that it was successful by opening “About This Mac” again and seeing the new version listed.

Password protection:

To enable or update your password protection settings, click the apple icon in the upper left corner of your screen and select “System Preferences…”. In the window that opens, click “Security & Privacy”.

Within that you want to click on the lock icon in the bottom left corner of the menu, which will prompt you to enter your password, and unlock all of the options.

Now you can change your password, change the time before it’s required, and disable automatic lock.

Antivirus:

If your computer is University owned it should already have System Center Endpoint Protection installed. You can manage the settings and preferences by clicking on the icon in the upper right corner of your screen.

If your computer is not university owned then simply purchase an antivirus software of your choice and follow their instructions to get it set up.

Linux (or similar) systems (end-user workstations)

Recommended:

Patched/current version

Updating the System

There is one thing to understand about updating Linux: not every distribution handles this process in the same fashion. In fact, some distributions are distinctly different right down to the file types they use for package management.

  • Ubuntu and Debian use .deb
  • Fedora, SuSE, and Mandriva use .rpm
  • Slackware uses .tgz archives which contain pre-built binaries
  • And of course there is also installing from source or pre-compiled .bin or .package files.

We will cover the Ubuntu and Fedora systems using both the GUI as well as the command line tools for handling system updates.

Ubuntu Linux

Ubuntu uses two different tools for system update:

  • apt-get: Command line tool.
  • Update Manager: GUI tool.

Figure 1: Ubuntu Update Manager.

The Update Manager is a nearly 100% automatic tool. With this tool you will not have to routinely check to see if there are updates available. Instead you will know updates are available because the Update Manager will open on your desktop (see Figure 1) as soon as updates are found, on a schedule that depends upon their type:

  • Security updates: Daily
  • Non-security updates: Weekly

If you want to manually check for updates, you can do this by clicking the Administration sub-menu of the System menu and then selecting the Update Manager entry. When the Update Manager opens click the Check button to see if there are updates available.

Figure 1 shows a listing of updates for an Ubuntu 9.10 installation. As you can see there are both Important Security Updates as well as Recommended Updates. If you want to get information about a particular update you can select the update and then click on the Description of update dropdown.

In order to update the packages follow these steps:

  1. Check the updates you want to install. By default all updates are selected.
  2. Click the Install Updates button.
  3. Enter your user (sudo) password.
  4. Click OK.

The updates will proceed and you can continue on with your work. Some updates may require you either to log out of your desktop and log back in, or to reboot the machine.

Once all of the updates are complete the Update Manager main window will return, reporting that “Your system is up to date”.

Figure 2: Updating via command line

Now let's take a look at the command line tools for updating your system. The Ubuntu package management system is called apt. Follow these steps to run it:

  1. Open up a terminal window.
  2. Issue the command sudo apt-get update.
  3. Then the command sudo apt-get upgrade.
  4. Enter your user's password.
  5. Look over the list of available updates (see Figure 2) and decide if you want to go through with the entire upgrade.
  6. To accept all updates press the 'y' key (no quotes) and hit Enter.
  7. Watch as the update happens.

That's it. Your system is now up to date. Let's take a look at how the same process happens on Fedora (Fedora 12 to be exact).

Fedora Linux

Fedora is a direct descendant of Red Hat Linux, so it is the beneficiary of the Red Hat Package Management system (rpm). Like Ubuntu, Fedora can be upgraded by:

  • yum: Command line tool.
  • GNOME (or KDE) PackageKit: GUI tool.

Figure 3: GNOME PackageKit.

Depending upon your desktop, you will either use the GNOME or the KDE frontend for PackageKit. In order to open up this tool you simply go to the Administration sub-menu of the System menu and select the Software Update entry. When the tool opens (see Figure 3) you will see the list of updates. To get information about a particular update all you need to do is to select a specific package and the information will be displayed in the bottom pane.

To go ahead with the update click the Install Updates button. As the process happens a progress bar will indicate where GNOME (or KDE) PackageKit is in the steps. The steps are:

  1. Resolving dependencies.
  2. Downloading packages.
  3. Testing changes.
  4. Installing updates.

When the process is complete, GNOME (or KDE) PackageKit will report that your system is up to date. Click the OK button when prompted.

Now let's take a look at upgrading Fedora via the command line. As stated earlier, this is done with the help of the yum command. In order to take care of this, follow these steps:

Figure 4: Updating with the help of yum.

  1. Open up a terminal window (Do this by going to the System Tools submenu of the Applications menu and select Terminal).
  2. Enter the su command to change to the super user.
  3. Type your superuser password and hit Enter.
  4. Issue the command yum update and yum will check to see what packages are available for update.
  5. Look through the listing of updates (see Figure 4).
  6. If you want to go through with the update enter 'y' (no quotes) and hit Enter.
  7. Sit back and watch the updates happen.
  8. Exit out of the root user command prompt by typing "exit" (no quotes) and hitting Enter.
  9. Close the terminal when complete.

Your Fedora system is now up to date.

https://www.linux.com/learn/tutorials/234011-linux-101-updating-your-system

Current antivirus client (or equivalent)

Open Source Antivirus

  • ClamAV Antivirus

Free (gratis) version of proprietary Antivirus

  • Comodo Anti-Virus for Linux (32- and 64-bit releases for 12.04 available).
  • UbuntuGeek (Avast). Avast's product key didn't work so we contacted the company & are awaiting their response.
  • AVG in Ubuntu.
  • Avira's Linux product will be terminated in June of 2016 for prior existing users.
  • Panda Cloud Cleaner (the updated version is still very useful).
  • XFProt. I have not tried the GUI front-ends.
  • http://en.wikipedia.org/wiki/Linux_malware#Anti-virus_applications

Username and password required for all accounts.

You can change/make a password with the “passwd” command in a terminal window.

Microsoft Windows (PCs/Workstations)

Recommended: Patched and supported version of the operating system, current antivirus client, username and password required for all accounts.

Patching:

In order to make sure your Windows workstation is patched, open up the Start menu. In the search field type in “Windows Update” and click on the program.

In here you will either see that Windows is up to date or what updates are available to be installed.

Supported versions: As of this writing, anything above Windows XP is still supported by Microsoft. Windows Vista support will be dropped 4/11/2017.

Antivirus:

Windows 7: On Windows 7, to find out if you have antivirus installed, click the Start button and enter the Control Panel. Then click System and Security. There will then be an option to click “Review your computer’s status”; in there you will be able to see whether or not you have virus protection. NOTE: Some antivirus products don’t report themselves to Windows. If you believe that you have antivirus installed, simply search for it on your computer and make sure that it runs if it isn’t being reported to Windows.


Server Operating Systems

Linux (or similar), OS X:

Required: Patched and supported version of the operating system, username and complex password required for all accounts, all unused services disabled, system dedicated to server functions only (no web browsing, etc.)

Microsoft Windows:

Required: Patched and supported version of the operating system, current antivirus client, login required by GPO, use of service accounts only, complex passwords with minimum length, system dedicated to server functions only (no web browsing, etc.)

Standards of Care for Sensitive Information:

Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information plus:

Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.

Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Mobile Devices

Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.

Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.

Android:

Lock screen

To set a lock screen and passcode, perform the following steps. Open the Settings app and then enter the Security menu. In there select Screen lock. Choose anything other than “None” or “Swipe”; this will both enable the lock screen and provide a sufficient passcode.


Disable notifications on locked screen:

To disable notifications on the lock screen, enter the Settings app and then tap on Sound & notification. In here scroll down until you find the Notification section. Tap on “When device is locked” and switch to “Don’t show notifications at all”.


Encrypting device

Note: This only applies to devices running Android 5.0 (Lollipop) and above. Some older devices also support encryption but it will be device specific.

To encrypt your device open the settings app and tap on security. There will be an “Encrypt phone” option. Tap on this and then read through the information. Tapping the encrypt phone button will begin the encryption process.


Encrypting SIM

To encrypt your SIM card, enter the Settings app and then tap on Security. You will find a section called “SIM card lock”; tap this. In this menu tap Lock SIM card. You will then be able to change the PIN to one of your choosing.


iPhone:

Setting a lock screen and passcode:

To set or change your passcode go into the Settings app and select “Touchscreen & Passcode”. Within that hit “Turn Passcode On” to create one. If you already had one you’ll be prompted to enter it first. When you choose to turn it on or change it you can choose which type of passcode you’d like. You can do the simple 4-digit numeric code, or opt for the more secure option of setting your own passcode of the length you choose. After setting your new passcode we recommend testing it out a few times to make sure you remember it.

Notifications on Lock Screen disabled:

To disable notifications on the Lock Screen simply toggle the “Notifications View” switch to deactivate it and any others you’d like turned off.

Encrypting the SIM:

To encrypt the SIM go into the settings app, select Phone, and then SIM PIN. IMPORTANT: The PIN number is network provided and you should not activate the switch without already knowing the PIN!

Windows Phone:

Passcode required:

Setting or changing a password

Windows Phone 8

  1. From the home screen, tap Settings, and then select lock screen.
  2. Scroll down to "Password". To set a password for the first time, slide the "Password" bar to On.
  3. To change your password, tap change password. Enter your current password in the "Current password" field.
  4. Enter your new password in the "New password" field, and then reenter it in the "Confirm password" field. Tap done.

To set a time limit for the screen timeout, on the "lock" screen, tap the "Screen times out after" field, and then select the time limit you want.

https://kb.iu.edu/d/bcja


Lock screen enabled:

Notifications on locked screen disabled:

To control whether notifications are shown when your phone is locked:

  1. In Settings, tap Notifications + actions.
  2. Clear the "Show notifications in action center when my phone is locked" check box to disable them (selecting it shows them).
Device encryption enabled:

To enable the encryption on a Windows Phone 8 or Windows Phone 8.1 device you first have to enable it within a "mobile device mailbox policy" on the Exchange server.

Perform the following steps on your Exchange Server:

  • Connect to the Exchange admin console
  • On the left hand side Go to "mobile"
  • In the window on the right, click on "mobile device mailbox policies"
  • Edit the "Default" policy or create a new one
  • When pressing the "Edit" button a pop-up window appears
  • Click on "security"
  • Enable the checkbox for "Require encryption on device"
  • Save the changes

Perform the following steps on your Sophos Mobile Control (SMC) server:

  • Connect to the Sophos Mobile Control admin web console
  • Log in to your SMC customer with an administrative user
  • Go to "Profiles | Windows Phone 8"
  • Edit a profile containing your Exchange configuration
  • Press the "Add configuration" button
  • Select "Restrictions" and click "Next"
  • Select the checkbox for "Forbid unencrypted device"
  • Click "Apply"
  • Press "Save"

Now you have configured everything on your Exchange and Sophos Mobile Control server to make sure a Windows Phone 8 device is using the built-in encryption functionality.

Please be aware that there won't be any progress shown indicating the encryption on the mobile device.

How to verify that encryption is turned on, on the mobile device

  • On the Windows Phone 8 device, open "Settings"
  • Open "storage sense"
  • An overview will be shown regarding your storage usage
  • Below the "phone" section the amount of used space is shown e.g. like this "2.80 GB used, encrypted"
  • The word "encrypted" indicates that encryption is active. If "encrypted" is missing, the encryption functionality is not in use.

https://www.sophos.com/en-us/support/knowledgebase/122752.aspx

Data on removable devices (SIM, SD card, etc.) encrypted:

Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.

Apple OS X

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and applications configured for auto update unless centralized patch management is implemented by the cognizant OSU IT support team, password complexity enabled, remote access restricted.

Recommended: Gatekeeper enabled and configured to allow applications from the App Store and Identified Developers only.

For all of the following you’ll want to click the apple icon in the upper left corner and select the “System Preferences…” menu.

Firewall:

To turn the firewall on, select “Security & Privacy” and click the Firewall tab. Then click the lock in the bottom corner and enter your password to allow changes. Once that’s done you can select “Turn On Firewall” and the icon should turn green, indicating it is now on.

Disabling Unused startup services:

To disable services you don’t need to launch upon startup, select the “Users & Groups” menu and uncheck any login items you don’t want.

Disabling Printer and File Sharing:

To disable the sharing of devices and data, go to the “Sharing” menu and deselect any that may be turned on.

Auto-update:

To configure auto-updates choose the “App Store” menu and make sure that “Automatically check for updates” is checked.

Gatekeeper to allow App Store and Identified Developers only:

Under the “Security & Privacy” menu, in the “General” tab, make sure that the “Mac App Store and identified developers” radio button is selected.

Linux (or similar) workstations

Required:

Host-based firewall active:

About iptables

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

sudo apt-get install iptables

GUI front-ends such as Firestarter exist, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.

Types of Chains

iptables uses three different chains: input, forward, and output.

Input– This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward– This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

iptables -L -v

The output of that command on a server that’s been running for a few weeks with no restrictions on incoming or outgoing connections shows that the input chain has processed 11GB of packets and the output chain has processed 17GB. The forward chain, on the other hand, has not needed to process a single packet. This is because the server isn’t doing any kind of forwarding or being used as a pass-through device.

Output– This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.

The caveat

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.

Policy Chain Default Behavior

Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?

To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.

In that example the output was also piped through grep to give cleaner output, and the chains were configured to accept traffic.

To deny all input connections and manually specify which ones you want to allow to connect, change the default policy of your chains to drop. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.

iptables --policy INPUT DROP

iptables --policy OUTPUT ACCEPT

iptables --policy FORWARD ACCEPT

Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept– Allow the connection.

Drop– Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject– Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

Allowing the connection:

Dropping the connection:

Rejecting the connection:

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

or

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

This example shows how to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

Connection States

As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?

That’s where connection states come in, which give you the capability you’d need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

Saving Changes

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:

Ubuntu:

sudo /sbin/iptables-save

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

Other Commands

List the currently configured iptables rules:

iptables -L

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

To clear all the currently configured rules, you can issue the flush command.

iptables -F

http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
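Putting the iptables pieces above together, as an added example that is not part of the original guide: a POSIX shell script that generates the locked-down ruleset just described (INPUT policy DROP, established-connection and SSH-from-an-admin-subnet rules, an explicit block of one host) in iptables-restore format, validates it with iptables-restore --test, and arms a timed rollback against the SSH lock-out the text warns about. ADMIN_NET and BLOCKED_HOST are placeholders reusing the addresses from the page's examples; applying the rules requires root and the iptables tools.

```shell
#!/bin/sh
# Added example: generate, validate and load the locked-down ruleset described
# above. ADMIN_NET and BLOCKED_HOST are placeholders that reuse the addresses
# from the page's examples; override them in the environment.
ADMIN_NET="${ADMIN_NET:-10.10.10.0/24}"
BLOCKED_HOST="${BLOCKED_HOST:-10.10.10.10}"
ROLLBACK_SECS=120

# Emit the filter table in iptables-restore format. Rules are matched top-down,
# so the explicit block sits before the SSH allow rule; anything no rule
# matches falls through to the chain policy (:INPUT DROP). FORWARD is DROP here
# because a workstation that does no routing never needs it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always needed
-A INPUT -i lo -j ACCEPT
# replies to sessions this host established (the two-way caveat above)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# explicit block of one host, placed before any rule that could accept it
-A INPUT -s ${BLOCKED_HOST} -j DROP
# new SSH sessions only from the admin subnet
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m state --state NEW -j ACCEPT
# stay answerable to ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# rate-limited log of whatever the INPUT policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Load the ruleset atomically, with a safety net against the SSH lock-out the
# text warns about: the old rules come back after ROLLBACK_SECS unless the
# operator (who therefore still has a working session) deletes the backup.
# Requires root; nothing here persists across a reboot on its own.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    new=$(mktemp) || return 1
    gen_rules > "$new"
    # --test parses and builds the ruleset without committing it to the kernel
    if ! iptables-restore --test < "$new"; then
        rm -f "$new"; return 1
    fi
    iptables-restore < "$new"; rm -f "$new"
    ( sleep "$ROLLBACK_SECS"; [ -f "$backup" ] && iptables-restore < "$backup" ) &
    echo "rules loaded; run 'rm $backup' within ${ROLLBACK_SECS}s to keep them."
    # iptables-save only prints to stdout: to persist, redirect it to the file
    # your distribution loads at boot (e.g. /etc/iptables/rules.v4 with the
    # Ubuntu iptables-persistent package) or use 'service iptables save' on Red Hat.
}

# Only touch the live firewall when explicitly asked; plain execution just prints.
if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

Run it without arguments to review the generated rules, then `./firewall.sh apply` as root to load them.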

Lock screen installed/enabled:

Auto login disabled:

1. Open /etc/profile and append the TMOUT variable, as in the example below:

export TMOUT=600 # 10 minutes in seconds

typeset -r TMOUT

This sets the idle time-out to 600 seconds (i.e. 10 minutes); typeset -r makes the variable read-only so users cannot change it. Save the file and exit.

2. Alternatively, create the file /etc/profile.d/sessiontimout.sh and put the same entries in it:

export TMOUT=600 # 10 minutes in seconds

typeset -r TMOUT

Now save and exit the file.

As this is a script, we also have to make it executable (as root):

chmod +x /etc/profile.d/sessiontimout.sh

How to accomplish this for individual users?

Answer: We can edit the ~/.bashrc file as given below.

Open the ~/.bashrc file for a given user and write the two lines below into it.

TMOUT=600

export TMOUT

Save the file and source it as given below.

source ~/.bashrc

http://www.linuxnix.com/how-to-auto-logout/

Any unused services disabled:

Check for unused services in init.d with ls /etc/init.d, or with systemctl list-unit-files on systemd systems.

File and print sharing disabled:

File sharing is disabled by default on most Linux OSs, but if Samba is installed you may disable it with sudo /etc/init.d/samba stop or sudo systemctl stop samba.

OS and apps configured to auto update unless centralized patch management is implemented by the cognizant OSU IT support team:

Remote access restricted:

See the Confidential section.

Microsoft Windows (PCs/Workstations)

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and apps configured to auto update (or suitable alternative), remote access restricted.

Firewall:

To check if your firewall is active in Windows, enter the Control Panel and type in “Windows Firewall”. Under the Control Panel section select Windows Firewall. You will then be presented with the present state of your Windows firewall. If you have a firewall provided by another antivirus product you will need to look up with that product how to check if your firewall is active.


Lock screen enabled:

To make sure the authentic Windows login screen appears, turn on the requirement to press Ctrl+Alt+Delete. To do this, bring up the Start menu and go into the Control Panel. Then click on User Accounts, then again on User Accounts. As an admin you will then be presented with the option to manage user accounts; click on this. Under the Advanced tab you can then enable secure logon by clicking on the check box that says “Require users to press Ctrl+Alt+Delete”.

ctrl_alt_delete.PNG

Auto Login:

To disable autologin on a Windows machine, first open the Start menu and then enter the Control Panel. In the Control Panel click on User Accounts, again click on User Accounts, and then Manage User Accounts. In this window, if autologin is available there will be a check box near the top of the screen with the text “Users must enter a username and password to use this computer”. Check this box to disable autologin. If this checkbox doesn’t exist, autologin is already permanently disabled.

File and Printer sharing:

To disable file and printer sharing, go to Start > Control Panel > Network and Internet > Network and Sharing Center and click the link for Advanced sharing settings. On this page make sure to turn off file and printer sharing. Also make sure to turn off public folder sharing and network discovery.

Windows auto-update:

To enable Windows automatic updating: Start > Control Panel > Turn automatic updating on or off (under Windows Update). In here, change the value to Install updates automatically.

Remote access:

In order to change settings related to remote access: Start > Control Panel > System and Security > System > Remote Settings. To disable Remote Assistance, uncheck the box at the top, and also select “Don’t allow connections to this computer” to disable Remote Desktop. If remote access is a must, select “Allow connections only from computers running Remote Desktop with Network Level Authentication” and then select the users that can use remote access, limiting the selection to only those that need it.

Server Operating Systems

Linux (or similar), OS X:

Required: Remote access restricted, remote root login disabled, insecure connection services (Telnet, FTP, etc.) restricted, latest stable service software installed (SSH, TLS, etc.), host-based firewall active with unneeded traffic disabled (IPTables or equivalent), access lockout if available from off campus (fail2ban or equivalent), password age and complexity enabled, authentication and security logs enabled with logs retained for a minimum of one month (use of logrotate encouraged), specific logs for server applications (mail, web server, database) enabled and retained, quarterly vulnerability scan performed and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.

Recommended: located behind physical firewall or equivalent device.

Microsoft Windows:

Required: Network Level Authentication for Remote Desktop Services (via GPO), Local admin account (and any other well known SIDs) disabled, host-based firewall active with unneeded traffic disabled, password complexity/age enforced by local or GPO, unused services disabled, automated security updates subject to GPO, auditing enabled and security and system logs retained for a minimum of one month, specific logs for server applications (exchange, mssql, etc.) enabled and retained, quarterly vulnerability scan and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.

Recommended: located behind physical firewall or equivalent device.

Standards of Care for Confidential Information:

Standards of Care for Confidential Information include all recommendations and requirements for Unrestricted Information and Sensitive Information, plus:

Access to Confidential Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format.

Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Storage of Confidential Information on Paper or other physical media: Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.

Network Security: Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scans of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.

Transmission of Confidential Information: Under no circumstances shall Confidential Information be transmitted across an unsecured network in clear text. In particular, it should be noted that email is not by default an encrypted means of transmission and any Email containing confidential information is subject to this restriction.

For the occasional transfer of data via email, file attachments should be encrypted using, at a minimum, a 128-bit symmetric-key algorithm, such as the Advanced Encryption Standard (AES). Microsoft Office encryption meets this standard. Key (password) sharing must be through a different mechanism than that used for transmission, such as a phone call.

For departments that have a business need to transfer confidential information on a regular basis via email, the use of a program that utilizes both symmetric and asymmetric key encryptions, such as PGP or equivalent, is strongly recommended.

Mobile Devices

Required: University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.

iPhone:

Wipe Data after 10 Attempts:

Simply toggle the “Erase Data” switch.

Location Services Off:

To turn off Location services select the “Privacy” menu in the Settings app. Then hit “Location Services” at the top of that menu. Then simply toggle the switch to turn off all location services.

Android:

Lock screen after 5 minutes of inactivity:

In order to set your lock screen timeout, launch the Settings app and tap Display. In Display you can set the Sleep setting. This must be set to 5 minutes or less.

Wipe after failed login attempts:

This functionality is not built into Android. Some devices, such as the Samsung Galaxy S5, have it built in, but any device can install the app Locker and set it up to wipe after failed logins by following this tutorial: http://nexus5.wonderhowto.com/how-to/make-your-android-auto-wipe-your-data-when-stolen-0157407/

Turn off location services:

To turn off location services, open the Settings app and then tap Location. You will be presented with a screen with a toggle on top. Toggle it to off to disable location on the device.

Turn off cloud synchronization:

To turn off cloud synchronization on an Android device, open the Settings app and then tap Backup & reset. In here you can tap “Back up my data” and turn it off in order to disable the synchronization.

Enabling remote lock:

Following the instructions at https://support.google.com/accounts/answer/3265955?hl=en you can use Android Device Manager to set up and manage remote wiping of your device.

256-bit symmetric key encryption: Android encryption currently only supports 128-bit encryption (https://source.android.com/security/encryption/).

Windows phone

Required: University-owned device,

Locked screen after 5 minutes of inactivity:

http://ccm.net/faq/35158-windows-phone-8-configure-the-screen-timeout-settings

long passcode, 256-bit symmetric-key device encryption

See

device must wipe data after 10 failed attempts,

By default

the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found,

use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device,

SIM card lock/PIN

To turn on SIM security

  1. > Call settings.
  2. Turn on SIM security.
  3. When prompted to Enter SIM PIN, enter the PIN for your SIM card by doing one of the following:
  • If this is the first time a PIN has been set for the SIM card in your phone, try typing 1234, and then tap Enter. 1234 is a common default PIN for some SIM cards. If that PIN doesn't work, contact your mobile operator for the correct default PIN.
  • If you previously set a PIN for the SIM card in your phone (even if the SIM card was in another phone when you did it), type your PIN, and then tap Enter. The message SIM PIN enabled displays briefly.

http://www.windowsphone.com/en-us/how-to/wp7/basics/use-a-pin-to-lock-my-sim-card

Location services off

To turn location services on or off

  1. > Location.
  2. on or off.

http://www.windowsphone.com/en-us/how-to/wp8/apps/location-awareness-and-my-phone

disable cloud synchronization for passwords and data,

syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.

Enabled with Exchange.

Apple OS X

Required: University-owned device, 256-bit symmetric-key full-disk encryption (FileVault or equivalent), Locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, remote management for authorized accounts (OSU IT) only, Firmware password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Full disk encryption:

Administrator password to access system preferences and install software AND logout after 15 minutes:

To require the admin password select the “Advanced…” button at the bottom of the “Security & Privacy” page and check the box for it. Do the same for the automatic logout, and be sure to set it to at most fifteen minutes.

Linux (or similar) workstations

Required: University-owned device, 256-bit symmetric-key full-disk encryption

Full disk encryption is enabled at the time of installation, and cannot be enabled after the OS install has completed.

Locked screen saver after 15 minutes of inactivity, all sharing disabled

infrared port disabled

  1. Open a terminal
  2. run: for device in $(ls /sys/bus/usb/devices/*/product); do echo -n $device " ";cat $device;done
  3. look for the line containing "IR Receiver", in my case: /sys/bus/usb/devices/2-1.1/product IR Receiver The string you need from this step is "2-1.1"
  4. sudo emacs /etc/rc.local
  5. add this line right before "exit 0", replacing "2-1.1" with whatever you found in step 3: echo "2-1.1" | tee /sys/bus/usb/drivers/usb/unbind
  6. save and reboot

remote management for authorized accounts (OSU IT) only

BIOS password

  1. Power on the system. As soon as the first logo screen appears, immediately press the F2 key, or the DEL key if you have a desktop, to enter the BIOS.
  2. Use the arrow keys to navigate to Security or BIOS Security Features.
  3. Highlight Set Supervisor Password or Change Supervisor Password and press the ENTER key.
  4. You will be prompted to enter a password, and a second time to verify it. To create the password, use only alphanumeric characters like A-Z, a-z, 0-9.
  5. Press ENTER to confirm password creation.
  6. A message will appear stating Changes have been saved. Press ENTER to continue.
  7. Press the F10 key to save changes and restart the system.

Remote access restricted

Use public/private key pairs for authentication instead of passwords.

Generate a passphrase-protected SSH key for every computer that needs to access the server:

ssh-keygen

Permit public-key SSH access from the allowed computers:

Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt).

Disable password SSH access:

Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart).

Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.
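The sshd_config edit above is easy to get wrong (a commented-out line, a later Match block) and should be verified rather than assumed. The following POSIX shell script is an added example, not from the OSU page or the sources it links, that audits a sshd_config file for PasswordAuthentication no and PermitRootLogin no, flagging Match blocks that re-enable password logins; the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the OSU page: audit an sshd_config file for the
# "remote access restricted" and "remote root login disabled" requirements.
# Assumed sshd semantics: keywords are case-insensitive, the first global
# occurrence of a keyword wins, PasswordAuthentication defaults to "yes" when
# absent, and settings inside a "Match" block apply only to matching
# connections, so a Match block can quietly re-enable password logins.

# global_value FILE KEYWORD DEFAULT: first uncommented value outside Match blocks
global_value() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }    # comments and blank lines
        tolower($1) == "match"      { exit }    # everything after is conditional
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# match_values FILE KEYWORD: every value the keyword is given inside Match blocks
match_values() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"      { in_match = 1; next }
        in_match && tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE: prints one line per check, returns 0 only if compliant
audit_sshd_config() {
    rc=0
    for spec in "PasswordAuthentication:yes" "PermitRootLogin:unset"; do
        key=${spec%%:*}; dflt=${spec#*:}
        val=$(global_value "$1" "$key" "$dflt")
        if [ "$val" = "no" ]; then
            echo "ok:   $key no"
        else
            echo "FAIL: $key is '$val' (required: no)"; rc=1
        fi
        for mv in $(match_values "$1" "$key"); do
            [ "$mv" = "no" ] || { echo "FAIL: a Match block sets $key $mv"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample configs for the demonstration (not real OSU configurations).
write_sample() {   # write_sample weak|hardened FILE
    if [ "$1" = weak ]; then     # stock defaults: password logins and root allowed
        printf '%s\n' '#PasswordAuthentication yes' 'PermitRootLogin yes' >"$2"
    else                         # after the edits described above
        printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' \
            'Match Address 10.0.0.0/8' '    PasswordAuthentication no' >"$2"
    fi
}

tmp=${TMPDIR:-/tmp}/sshd_audit.$$
write_sample weak "$tmp.weak"
audit_sshd_config "$tmp.weak" || echo "weak sample: non-compliant"
write_sample hardened "$tmp.ok"
audit_sshd_config "$tmp.ok" && echo "hardened sample: compliant"
rm -f "$tmp.weak" "$tmp.ok"
```

Run it against the live file with audit_sshd_config /etc/ssh/sshd_config after the restart; a non-zero exit means the change did not take effect as written.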

use of administrator account for day-to-day access prohibited

Never log in as root; always use sudo for anything that requires administrative access.

require administrator password to access system preferences and install software

password complexity and length (min. of 14 characters)

To change your password in Linux execute the following command:

passwd

Password rotation

To require password changes every 180 days (6 months), run this command on any Linux machine:

sudo chage -M 180 [username]
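chage -M writes the maximum age into field 5 of the account's /etc/shadow record, so compliance can be checked across all accounts from that file. The following POSIX shell script is an added example, not from the OSU page, that reports accounts with a usable password whose maximum age exceeds 180 days and emits the chage command to fix each; the shadow records it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not from the OSU page: audit /etc/shadow-format records for
# the 180-day maximum password age that "chage -M 180" sets. Assumed format:
# colon-separated fields, field 2 the hash, field 5 the maximum age in days
# (empty = never expires); a hash starting with "!" or "*" means the account
# cannot log in with a password and is skipped.

# aging_violations FILE MAXDAYS: prints "user maxage" for every account that
# has a usable password but is not forced to rotate it within MAXDAYS.
aging_violations() {
    awk -F: -v limit="$2" '
        $2 == "" || $2 ~ /^[!*]/    { next }                # locked or no password
        $5 == "" || $5 + 0 > limit  { print $1, ($5 == "" ? "never" : $5) }
    ' "$1"
}

# remediation_commands FILE MAXDAYS: the chage command to run for each violation
remediation_commands() {
    aging_violations "$1" "$2" | while read -r user rest; do
        echo "sudo chage -M $2 $user"
    done
}

# Constructed sample shadow records (fake accounts and placeholder hashes).
sample_shadow() {
    cat <<'EOF'
root:*:17000:0:99999:7:::
alice:$6$constructed$hash:17800:0:180:7:::
bob:$6$constructed$hash:17800:0:99999:7:::
carol:$6$constructed$hash:17800:0::7:::
daemon:!:17000:0:99999:7:::
EOF
}

tmp=${TMPDIR:-/tmp}/shadow_sample.$$
sample_shadow >"$tmp"
echo "accounts exceeding 180 days:"; aging_violations "$tmp" 180
echo "remediation:";                  remediation_commands "$tmp" 180
rm -f "$tmp"
```

Against the real file, run aging_violations /etc/shadow 180 as root; alice passes because 180 is within the limit, while bob (99999) and carol (never expires) are reported.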

Quarterly vulnerability scan and found vulnerabilities addressed:

Install Lynis and run a check on the system, address all warnings and errors. Adhere to all of the suggestions at the end of the report.

Microsoft Windows (PCs/Workstations)

Required: University-owned device, 256-bit symmetric-key full-disk encryption (Bitlocker or equivalent), locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, centralized remote management for authorized accounts (OSU IT) only, BIOS password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Encryption:

The recommended way to encrypt a Windows machine is with BitLocker. If you are using a Professional version of Windows, BitLocker is included.

To see if you have BitLocker already, search for “BitLocker” in the Start menu. If it is there, click on it. You will be brought to a page where you can turn on BitLocker for any particular drive.

Clicking Turn on BitLocker will begin the process of encrypting the drive.

Locked Screensaver:

To turn on a locked screensaver after 15 minutes, perform the following steps.

Open the Start menu and go to the Control Panel. Go to Appearance and Personalization and then Personalization. Then click on Screen Saver in the bottom right.

After clicking there you will be presented with options. Make sure to set the time to 15 minutes and check the box that prompts for a login when resuming.

Sharing:

To disable all sharing on Windows, follow the same steps as for disabling file and printer sharing on Windows, but in the same window also turn off public folder sharing and media streaming.

BIOS password:

Enabling a BIOS password is different for every BIOS, but in order to get to those settings you have to convince Windows to let you boot into the BIOS. To do this you typically need to press F2 during boot, although the key may differ by manufacturer.

Server Operating Systems

Virtual Server Environments: All security controls apply both to the host and guest virtual machines in a virtual server environment. Guests cannot share the same virtual host environment with guest servers of other security classifications.

Physical Security: Must be hosted in a secure Data Center with Physical Access monitored, logged and limited to authorized individuals 24x7.

Backup Media: All backup media must be encrypted. If stored off-site, a secure location is required.

Linux (or similar), OS X:

Required: Field level encryption for protected fields in database, removable back-up media encrypted using 256-bit symmetric-key encryption, monthly authenticated vulnerability scans performed by Office of Information Security, authentication and security logs retained for six months and made available to Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality), annual security audit. Transmission of confidential information requires the use of TLS v 1.2 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use. Host-based software IDS/IPS.

Microsoft Windows:

Required: Field level encryption for protected fields in database, removable backup media encrypted using 256-bit symmetric-key encryption, use of Best Practice Analyzer, security and system logs retained for six months and made available to Office of Information Security, monthly authenticated vulnerability scans performed by Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner, based on criticality, annual security audit. Transmission of confidential information requires the use of TLS v 1.1 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use, host-based software IDS/IPS.