Saturday, September 18, 2010

Ways to keep your Computer Safe



1. Use groups and permissions

Groups and permissions are a technical aspect of the filesystem inherited from Unix systems, but they're still useful. Each user can be a member of any number of groups, and a group is just a special kind of user.

Most distros use groups to restrict access to specific hardware. The permissions on a file, folder or device determine how it can be accessed. Right-click the file in a file manager and click Properties to see its permissions, then change them to restrict access to key files and devices.
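
The same check can be made from a terminal. The script below is an added example, not part of the original post: it works out which of the three permission sets (owner, group or other) applies to a user for a given file or device. The function names access_class and user_access are made up for this illustration, and ACLs and root's ability to bypass permissions are not modelled.

```sh
#!/bin/sh
# Added example: which permission triplet applies to a user for a file?

# access_class PERMS FILE_UID FILE_GID USER_UID "USER_GIDS"
# PERMS is the mode string printed by `ls -l`, e.g. crw-rw----
# Prints "<class> <rwx triplet>", e.g. "group rw-".
access_class() {
    perms=$1; file_uid=$2; file_gid=$3; user_uid=$4; user_gids=$5
    # Owner is checked first, then group, then other; the first match wins,
    # so an owner with "---" is denied even if the group has "rw-".
    if [ "$user_uid" = "$file_uid" ]; then
        echo "owner $(printf '%s' "$perms" | cut -c2-4)"
        return 0
    fi
    for gid in $user_gids; do
        if [ "$gid" = "$file_gid" ]; then
            echo "group $(printf '%s' "$perms" | cut -c5-7)"
            return 0
        fi
    done
    echo "other $(printf '%s' "$perms" | cut -c8-10)"
}

# user_access PATH [USER]
# Looks up the real mode and IDs, then applies access_class.
user_access() {
    path=$1; user=${2:-}
    # ls -ldn prints numeric IDs: mode, link count, uid, gid, ...
    line=$(ls -ldn -- "$path") || return 1
    set -- $line
    # With no USER given, `id` reports on the calling user.
    access_class "$1" "$3" "$4" "$(id -u $user)" "$(id -G $user)"
}

# Demo: what may the current user do with /dev/null?
user_access /dev/null
```
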

2. Check for unused accounts

If you've been using your current installation for some time, the chances are you've created more than one user account. This could have been to accommodate other people who use your machine, but it could also be to satisfy installation requirements for applications.

The SqueezeCenter media streaming tool, for instance, needs to be run from its own user account. This is both good and bad. It ensures that applications such as SqueezeCenter have complete control over their own files and processes and, if the worst happens, those processes can only ever damage their own files. However, it becomes easy to lose track of how many users you have, and each of those accounts has some kind of access to your system.

If you're running an SSH server, for example, it may be possible for a hacker to connect to SqueezeCenter's account without your knowledge. Most distributions include their own user management tool.
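
The audit can also be done from a terminal. The script below is an added example, not part of the original post: it lists every account whose shell permits a login and marks service accounts, assuming regular users start at UID 1000 (this varies by distribution). The function names and the sample entries are constructed for illustration, and the password state in /etc/shadow is not checked.

```sh
#!/bin/sh
# Added example: list the accounts that are able to log in.

# Constructed sample in /etc/passwd format; names and paths are illustrative.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:
squeezecenter:x:113:120:SqueezeCenter:/var/lib/squeezecenter:/bin/sh
sshd:x:114:65534::/run/sshd:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olduser:x:1001:1001::/home/olduser:/bin/bash
EOF
}

# login_accounts [PASSWD_FILE|-] [UID_MIN]
# Prints "name uid shell kind" for each account with a usable shell.
login_accounts() {
    awk -F: -v uid_min="${2:-1000}" '
        /^#/ || NF < 7 { next }                      # comments, malformed lines
        {
            # An empty shell field means the system default, /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
            # nologin and false refuse interactive sessions.
            if (shell ~ /\/(nologin|false)$/) next
            if ($3 + 0 == 0)                  kind = "root"
            else if ($3 + 0 < uid_min + 0)    kind = "service"
            else                              kind = "user"
            print $1, $3, shell, kind
        }
    ' "${1:-/etc/passwd}"
}

# Demo on the constructed sample; call login_accounts with no
# arguments to read the real /etc/passwd instead.
sample_passwd | login_accounts -
```

Lines marked "service" are the ones to look at first: an account that only runs a daemon rarely needs a login shell. Lines marked "user" that nobody recognises are candidates for removal.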

3. Don't use root for everything

One of the defining characteristics that differentiates Linux from Windows is that standard user accounts can't destroy the integrity of the operating system - you have to be running as the system administrator to do that.

Even though you may routinely use the root account for system administration tasks, it's important that those tasks are kept separate from day-to-day monotony and desktop management.

Some users find the constant stream of password requests that accompany any system administration task annoying, and decide to continually connect as root. This practice is a little like disabling the earth connection in electronic music equipment to stop any ground-loop hum being heard: it will certainly fix the problem, but you could die.

The more time you spend as root, the more likely it becomes that you're going to make a mistake, and the same is true of always being root on the command line. The only solution is not to be tempted to run as root for everything.

4. Control CD Burners and External Media

CD/DVD burners, flash drives and cell phones make data incredibly portable. So portable that critical company data could walk right out the front door snugly tucked away on the flash drive of a temp, or in the iPod of an unhappy employee. Just like the Internet, if they don't need it to do their jobs, don't give it to them. Here's a link for free tools to turn off USB ports and CD burners.

5. Limit Employee Computer Use

If your employees have unfettered web access from their computers, you're probably inviting trouble if they don't need web access to perform their job duties. Appliances like Untangle can easily block, limit or monitor web activity by each user. For a cheap alternative, check my blog post from back in January about a free and effective web blocking tool built right into Internet Explorer called Content Advisor.

6. Lock the screen when away from the computer

Imagine the scene: you are logged into a website (perhaps checking your credit card balance, or seeing how many people have poked you today) in the coffee shop, when the barista tells you your drink is ready. You won't be far away and you can still see the laptop, so it is not going to get stolen... but while you're up, the nice girl on the next table makes a few notes on a napkin, and by the time you get home your credit card is a few hundred pounds lighter.

7. Automatic logout

The last item in this discussion of Mac OS X features to improve physical security is also the least, because it offers little additional security at a cost of some convenience. In the Security preference pane you can configure the Mac to log you out automatically if you are not active for a certain amount of time. The problem with that is that the inactivity time gives bad guys a chance to use the computer, while locking the screen (or even shutting the computer down) would stop them from being able to do that.

8. Be Vigilant

Even if the email is from someone you know, if you are not expecting an attachment, don't open it. If the email includes a web link, are you sure you need to click it? If a sales guy shows up and wants to show you files he has on his flash drive, politely decline. A couple of years ago a colleague and I were interviewing local developers for a relatively small database project. As he twirled his shiny keychain flash drive on his finger, he offered to copy the data files so he could take a closer look at home and get back to us. Suffice to say we declined and said we'd get back to him.

9. Routine Maintenance

Back in the I Love You, Nimda and Melissa virus days we pulled a few all-nighters cleaning machine after machine that was infected, not because they did not have anti-virus software, but because they lacked the latest Microsoft patch that plugged a security hole. For workstations we recommend setting Windows Update to automatic. As needed, the computer will receive and install needed Microsoft security and software updates. Make sure that your anti-virus is configured the same way. For servers, I recommend configuring it to download the updates, but let me choose when to install them. This way I can do the updates after hours or on the weekend so, if there are problems, I have plenty of time to fix them before people start showing up for work.

10. Make a boot disk on a CD or floppy disk.

In case your computer is damaged or compromised by a malicious program you will at least be able to boot your computer with the boot disk. You will need to make this boot disk before you experience a hostile breach of your system.
