Server

Securing Your Computer

Securing Your Computer

This section provides information about all the software and instruction necessary to comply with the Desktop and Portable Computer Standard. The software on this page is intended for use by students, faculty, and staff at RIT. Inexperienced/non-technical users may want to check out our Digital Self Defense 101 Workshop, which explains the dangers of the Internet and RIT security requirements in greater detail.

Note: You do not have to use the specific software listed on this page. However, you should meet the requirements of the Desktop and Portable Computer Standard for your computer

Anti-Virus

RIT has licensed McAfee VirusScan software (available on the ITS Security & Virus Protection website) for use by students, faculty, and staff on  personally-owned computers. RIT-owned Windows computers will receive McAfee HIPS (Host Intrusion Prevention Software).

It is not necessary to use this particular anti-virus; if you prefer, you may use any of the following products.








Product

License

Company

ClamAV (Linux)

Free for personal use

Open Source

ClamXAV2 (Mac)

Free for personal use

Open Source

Norton Anti-Virus

One year paid subscription

Symantec

Trend Micro Anti-Virus

One year paid subscription

Trend Micro

avast! Anti-Virus

Free for personal use

ALWIL Software

AVG Anti-Virus

Free for personal use

Grisoft

Anti-Spyware

This should already be built into current anti-virus software.  A separate program is not needed.

Firewalls

Windows 7, Vista, XP, and Mac OS X all come with built-in firewalls; Resnet provides instructions on how to configure these built-in firewalls. If you do not want to use this firewall, RIT recommends the basic ZoneAlarm free firewall for Windows users Other firewall options may be provided by your Internet Service Provider. 

Patching/Updating

Regardless of what operating system you run, it should be up-to-date on all security patches; the easiest way to do this is to turn on the automatic update feature. Learn how to enable automatic updates for Windows and keep your Mac up-to-date automatically

Users of other operating systems such as Linux, Unix, etc., are also required to keep their operating systems up-to-date on security patches.

Software Applications should also be kept up-to-date. This can usually be done from within the program itself or through the vendor's website; some programs have an automatic update feature. Use the links below to find updates for Microsoft, Apple, and Adobe software.

ISO-Approved Private Information Management Software

  • Identify Finder (Windows, Mac)
  • Cornell Spider (Linux only)

Client Input Filtering Practices

Client Input Filtering Practices

Client input filtering is needed to prevent specific attacks

Cross Site Scripting (XSS)

Cross-site scripting vulnerabilities allow malicious attackers to take advantage of web server scripts written in languages such as PHP, ASP, .NET, Perl or Java that do not adequately filter data sent along with page requests to inject JavaScript or HTML code that is executed on the client-side browser. These flaws occur anywhere a web application uses input from a user in the output it generates without validating it. Any type of variable that comes from a user or comes from a place where you do not control needs to be validated. This malicious code will appear to come from your web application when it runs in the browser of an unsuspecting user.

Note: SSL connectivity does not protect against this issue.

Best practices for prevention

In general, the following practices should be followed while developing dynamic web content:

  • Audit the affected URL and other similar dynamic pages or scripts that could be relaying untrusted malicious data from the user input.
  • If you are displaying user supplied input, the data should be displayed by a function that either escapes or converts the data into appropriate HTML.
  • Explicitly set the character set encoding for each page generated by the web server
  • Identify special characters
  • Encode dynamic output elements
  • Filter specific characters in dynamic elements
  • Examine cookies
  • For ASP.NET applications, the validateRequest attribute can be added to the page or the web.config. For example:
<>·

OR

 <system.web>
        <pages validateRequest="true" />
 </system.web>
  • Dynamic content should be HTML encoded using HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).
  • For PHP applications, input data should be validated using functions such as strip_tags and utf8_decode.
  • For PERL applications, input data should be validated using regular expressions whenever possible.

References

 

SQL Injection

Web applications that do not properly sanitize user input before passing it to a database system are vulnerable to SQL injection. This could potentially allow a malicious user to read and/or modify any data that the application has access to.

Best Practices for Prevention

  • Ensure that the script properly validates user input before passing it to the underlying database system.
  • Avoid accessing external interpreters wherever possible.
  • Use bind variables wherever possible. If not, escape all user variables.
  • Use pattern matching to verify user input is an expected value.
  • Limit access to the web account that is accessing the database.
  • Use procedures to insert records and update data; do not give the application direct access to the tables.
  • Limit application to READ-only access where possible.

References

Requirements for Students

Requirements for Students

 









Standard

When does it apply?

Desktop and Portable Computer Standard

Always

Password Standard

Always

Signature Standard

Always - All authentic RIT communications should include an appropriate signature as per the standard. Make it a habit to check for an authentic signature when receiving messages from RIT.

Web Security Standard

If you have a web page at RIT, official or unofficial, and you:

  • Host or provide access to Confidential information. If you’re hosting or providing access to Private information, contact us at infosec@rit.edu immediately. Private or confidential information is defined in the Information Access and Protection Standard.
  • Use RIT authentication services

Computer Incident Handling Standard

If the affected computer or device:

  • Contains Private or Confidential information
  • Poses a threat to the Institute network

Network Security Standard

If you own or manage a device that:

  • Connects to the centrally-managed Institute network infrastructure
  • Processes Confidential information. If you’re providing access to Private information, contact us at infosec@rit.edu immediately.

Portable Media Standard

If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory.

Networking Devices

  • Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Forms, Checklists, and Templates

Forms, Checklists, and Templates

Many forms and checklists below are provided as Adobe PDF Fill-in forms and can be filled in and printed from Acrobat Reader. 

NOTE: these forms may contain Javascript. If you need a different format, please contact the RIT Information Security Office at Infosec@rit.edu or call 585-475-4123.

Form Name

Use

Exception Request Form

To request an exception from an RIT Security Standard (PDF Fill-In form)

Non Disclosure Agreement (NDA)

Optional NDA used at department discretion

RIT Systems Support Personnel Non Disclosure Agreement

Required for all systems support personnel

 

Checklist Name

Use

Desktop and Portable Computer Checklist General User

Compliance checklist for use by self-supported faculty, staff, and students.

Desktop and Portable Computer Checklist ITS-Supported Users Compliance checklist for use by ITS-supported faculty, staff, and students. (1/23/13)

Desktop and Portable Computer Checklist Systems Support

Systems support personnel compliance checklist for computers they support.

Server Security Checklist

Compliance checklist for use with the Server Security Standard

Network Security Checklist

Compliance checklist for use with the Network Security Standard

Web Standard Compliance Checklist

Compliance checklist for use with the Web Security Standard

Account Management Checklist (coming soon) Compliance checklist for use with the Account Management Standard

 

Template Name

Use

MSWord RIT Confidential Template

For general marking of Confidential Information

MSWord RIT Internal Use Only Template

For general marking of Internal Information

Information Access and Protection Inventory Template (MS Excel)

For department use in creating an information inventory for Information Access and Protection.

 

Host Intrusion Prevention (RIT-owned/leased computers only)

Host Intrusion Prevention (RIT-owned/leased computers only)

Note: This requirement applies only to RIT-owned and leased computers. There is currently no requirement for personally-owned machines to run host intrusion prevention.

Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.

The following products have all been tested by the Information Security Office and approved for use on RIT-owned/leased computers.

Recommended Host-based Intrusion Prevention Software

Server

Program

Description

OSSEC

Open source intrusion detection (multiple platforms) (ISO-tested). Active protection feature must be enabled.

McAfee HIPS

Desktop and server intrusion prevention (Windows) (ISO-tested)

Bit9

Application whitelisting (Windows) (non ISO-tested)

Cimcor

Protects against unauthorized changes (Server and Network) (non ISO-tested)

Tripwire (commercial version)

Configuration assessment and change auditing (Desktops and Servers; VMware coming) (non ISO-tested)

Desktop

Program

Description

OSSEC

Open source intrusion detection (multiple platforms) (ISO-tested). Active protection feature must be enabled.

McAfee HIPS

Desktop intrusion prevention (Windows) (ISO-tested)

Comodo

Internet Security Suite (ISO-tested)

Online Armor - Tall - Emu

Firewall (ISO-tested)

E-mail us at infosec@rit.edu if you have any questions or suggestions.

Pages

Subscribe to RSS - Server