Bare Minimum Windows Desktop* and Laptop System Administration/Setup

 

 

         Physical Security - Keep doors closed and locked when you are not in your office.  Lock computers, printers and other IT equipment with wire tie downs (Kensington locks for laptops).  Wire tie downs can be obtained from the help desk in MRDC 2103.  Kensington locks can be purchased at most computer stores.  Fill out Property Movement Reports or equipment loan forms when moving computers around.  Don’t leave laptops in cars or unattended.

 

         Use Windows XP Pro or 2000 Pro - Microsoft no longer supports NT, 98, 95 or older versions.  If possible, upgrade to XP.  Check whether your application vendors have versions of your software that run on these operating systems.  For institute-owned systems, upgrades of the OS can be obtained from https://software.oit.gatech.edu/request.php .

 

         Configure computers behind a firewall - computers can be compromised before the setup/patching process is complete.  Connecting a router/firewall (common brands are Linksys, Netgear, Belkin, 3com) between the computer and the live network is necessary during Windows setup and patching.  After September 1, a router/firewall can be borrowed from the help desk temporarily for computer setup.

 

         Wireless networking - enable the Wireless Encryption Protocol (WEP).  It is enabled for the GT LAWN and must be enabled for you to connect to the LAWN.  Your own wireless networking should not be set up in GT labs, offices, etc.  The LAWN should be used if wireless is needed.  Instructions on configuring this are at http://www.me.gatech.edu/support/computer/LAWN/lawnpage.html .  In addition, if you connect to the hard-wired network and still have wireless enabled, Windows XP will sometimes “bridge” the wireless LAN and Ethernet, causing routing loops.  These bridges must be uninstalled from the network control panel.  Also, if you’re configuring your own home networking, MAC (network card) address filtering should be used so that only computers whose MAC addresses you know are allowed access.

 

         Change default passwords - the administrator and guest passwords are both blank by default.  Change these.  The guest account should be disabled as well.

 

         Passwords - passwords should be set to expire after no longer than 90 days.  Use of non-standard or non-alpha-numeric passwords should be enforced.  Non-reuse of the last 5 passwords should be enforced.  Screen savers should be enabled and set to require a password.  Detailed guidelines are at http://www.security.gatech.edu/protection/choosing_passwords.html .
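
One way to check a machine against the expiry and reuse settings above is to audit the output of the built-in `net accounts` command. This is an added example, not part of the original checklist; it assumes English-language command output, and the sample text is constructed.

```python
import re

# Baseline taken from the checklist item above.
MAX_PASSWORD_AGE_DAYS = 90   # passwords expire after no longer than 90 days
MIN_PASSWORD_HISTORY = 5     # the last 5 passwords may not be reused

# Constructed sample of `net accounts` output, not captured from a real host.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {setting label: value} from `net accounts` output."""
    settings = {}
    for line in text.splitlines():
        # The label ends at a colon that is followed by padding spaces.
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def _as_int(value):
    """Non-numeric values ('None', 'Never', 'Unlimited') mean the control is off."""
    return int(value) if value.isdigit() else None

def audit(text):
    """Return a list of findings; an empty list means both settings comply."""
    s = parse_net_accounts(text)
    findings = []
    max_age = _as_int(s.get("Maximum password age (days)", ""))
    if max_age is None or max_age > MAX_PASSWORD_AGE_DAYS:
        findings.append("password expiry must be 90 days or less")
    history = _as_int(s.get("Length of password history maintained", ""))
    if history is None or history < MIN_PASSWORD_HISTORY:
        findings.append("password history must remember at least 5")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NET_ACCOUNTS):
        print("FAIL:", finding)
```

To audit a live machine, save the output with `net accounts > accounts.txt` and pass the file's contents to `audit()`. The complexity and screen saver requirements are not reported by `net accounts` and need a separate check.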

 

         Don’t use the administrator account.  Most users should be “users” only.  Administrators should create an additional account for themselves which is used only for administrative access.  They should use a normal “user” account on a day to day basis.  Their administrative account should only be used with the “run as” option—hold the shift key down when clicking on a program and select “run as.”  This will minimize the number of Trojans/spy-ware/backdoors that can be installed without the user’s knowledge.

 

         Obtaining IP addresses for Woodruff School Buildings.  IP addresses can be requested for Woodruff School buildings on the computer support page, http://www.me.gatech.edu/support/computer.

 

         Don’t install or enable file and printer sharing software such as ftp, www, E-mail, Windows/Samba file shares, NFS shares.  Appropriate shares are available for most purposes on Woodruff School or OIT servers.  If file sharing is needed, enable it only on designated computers and enable special security items on those.  See the notes/links below about configuring computers set to share files, i.e. servers.  File and Printer sharing is usually enabled by default and should be unchecked in the network control panel to disable it.

 

         Set Windows Update to run Automatically - Windows Update should be run completely after setup, and should also be set to auto-update at night.  Note that Windows updates sometimes “break” some applications.  Thus you might want to set Windows to download the updates and prompt you to install.  Then you can test your applications after the install to make sure they still work.  If they don’t, you can uninstall the patch and contact the distributor or vendor to see if there is a fix to go along with the patch for your software.  Automatic update settings can be found in the control panel in Windows 2000 or in the System properties control panel under the Automatic Updates tab.

 

         Install Anti-virus Software - and set it to auto-update virus definitions and software “engines”.  McAfee/NAI is available from OIT at https://software.oit.gatech.edu/request.php for free or you can purchase Norton yourself.  It should also be set to scan for viruses weekly, with system scanning enabled for all files opened, closed, or used.

 

         Install a Local Firewall - to block outside intrusion attempts.  The Windows XP built-in firewall works.  Notes on enabling the XP firewall are on the Woodruff School help desk page, http://ww.me.gatech.edu/support/computer .  After enabling it, set it to log dropped packets under the security logging tab.  BlackIce Defender or ZoneAlarm (from OIT at https://software.oit.gatech.edu/request.php) are better but are not easy to configure.  OIT has classes on configuring ZoneAlarm, see http://www.security.gatech.edu/training/.  However, the Woodruff School does not support ZoneAlarm or BlackIce.
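
Once dropped-packet logging is on, the XP firewall writes a space-separated text log (pfirewall.log by default) that is worth reviewing. The following summary script is an added example, not part of the original checklist; the sample log is constructed with documentation IP ranges, and the parser takes its column names from the log's own `#Fields` header.

```python
from collections import Counter

# Constructed sample in the firewall log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-25 02:14:07 DROP TCP 198.51.100.7 192.0.2.10 3312 135 48 S 1 0 16384 - - -
2003-08-25 02:14:08 DROP TCP 198.51.100.7 192.0.2.10 3313 135 48 S 2 0 16384 - - -
2003-08-25 02:14:09 DROP TCP 198.51.100.7 192.0.2.10 3314 445 48 S 3 0 16384 - - -
2003-08-25 02:15:30 DROP UDP 203.0.113.44 192.0.2.10 1026 1434 404 - - - - - - -
2003-08-25 02:16:02 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - -
2003-08-25 02:16:40 DROP ICMP 203.0.113.44 192.0.2.10 - - 60 - - - - 8 0 -
"""

def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def dropped_summary(text):
    """Count dropped packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] == "DROP":
            key = (entry["src-ip"], entry["protocol"], entry["dst-port"])
            counts[key] += 1
    return counts

def sources_probing_many_ports(text, min_ports=2):
    """Sources whose packets were dropped on min_ports or more distinct ports."""
    ports = {}
    for (src, _proto, port) in dropped_summary(text):
        if port != "-":  # ICMP entries carry no port
            ports.setdefault(src, set()).add(port)
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

if __name__ == "__main__":
    for key, n in dropped_summary(SAMPLE_LOG).most_common():
        print(n, *key)
    print("multi-port sources:", sources_probing_many_ports(SAMPLE_LOG))
```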

 

         Enable auditing and event monitoring - this tracks access to the system to help tell if someone breaks into it.  Details on how to enable this will be posted soon on the Woodruff School computer support page, http://www.me.gatech.edu/support/computer .

 

         Scan your computer for open ports.  Request that the Woodruff School help desk scan your machine for vulnerabilities and open ports.  The help desk will send you the results and contact you if there are any major vulnerabilities that need to be fixed.    A web page to request a scan and automatically be sent the results will be available soon.

 

         Run periodic backups of data, weekly full backups, and daily differential backups.  Backups to tape, 2nd hard drives, CD-RW, or DVD are appropriate.  Periodically (monthly) do a restore of your data to an alternate location, so that you can verify that the backup is working properly.  Information on how to configure this can be found on the Woodruff School help desk page, http://www.me.gatech.edu/support/computer .

 

         Don’t install any file, network, or processor sharing or eavesdropping software or hardware such as Kazaa, Morpheus, Napster, Internet Relay Chat, Distributed Computer Screen Savers (SETI, RC5 encryption), Gator, GAIN, Modems in computers on the network, or Sniffer software.

 

         Use End to End Encryption whenever possible when connecting to other computers, such as SSH for terminal-type sessions, SSL for web sessions, SCP/SFTP for file transfer sessions, Encrypted File Systems, PGP for e-mail encryption (future), and Certificate based encryption (future).  Some of these are on the Woodruff School help desk page or on OIT’s software distribution page.

 

*These guidelines are for computers meant to be desktop computers only.  If you intend to run a system as a server you should read, be familiar with, and implement the procedures contained in http://www.security.gatech.edu/tech_only/windows2000-sbys.pdf and you should attend the Windows 2000 Security class offered by OIT listed at http://www.security.gatech.edu/training/ .  This includes any system that will be set up to do file sharing, ftp, web, or where any other computers connect to it.

 

Last updated 8/25/2003.