Support Document

Index

1. Purpose
2. JSU Security Measures
3. Basic Security Measures
4. Security Measures to Protect Sensitive Data
5. Laptop Security Tips - Physical Security
6. Laptop Security Tips - Preventing Theft

1.0 Purpose

The recommendations/security measures in this document are made as a service to the Jacksonville State University, hereafter called JSU or the University, user community to assist with securing and protecting University owned laptops.  Because of their portability, laptops often find their way on to multiple networks where they are exposed to a variety of security threats including worms, viruses, Trojans, etc.  They are also particularly susceptible to theft because of their size/portability.

2.0 JSU Security Measures

Follow these basic security measures as is stated in the JSU Acceptable Use Policy even when the Laptop is not connected to the JSUNet.

1. Keep passwords secure and do not share accounts.
2. Laptops should be secured with a standard Windows password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended.
3. Protect Laptops by continually executing approved virus-scanning software with a current virus database and anti-spam software.
4. Use extreme caution when downloading from the internet or when opening e-mail attachments received from unknown senders. All data, programs and emails must be scanned before downloading or opening.
   
   

3.0 Basic Security Measures

1. Lock down and secure the operating system - Windows XP Professional offers secure logon, file level security, and the ability to encrypt data. Use these features to protect the information on the Laptop.
2. Enable a strong BIOS password - Password-protect the BIOS. Find out from your laptop manufacturer what the procedure is for resetting the BIOS password. Also find out if the BIOS password locks the hard drive so it can’t simply be removed and reinstalled into a similar machine.
3. Use a personal firewall on your laptop - Corporate networks protect their Servers and Workstations by configuring a firewall to prevent intruders from hacking back into their systems via the company's internet connection. But once users leave the corporate buildings and connect to the web from home or a hotel room, their data is vulnerable to attack.  Personal Firewalls are an effective and inexpensive layer of security that takes only a few minutes to install. Although Windows XP comes with a personal firewall, it does not attempt to manage or restrict outbound connections at all. We recommend using a good third-party personal firewall to secure your Windows XP workstations. If you want to test how much information your personal firewall "leaks out" to the web, try an online leak test at http://grc.com/lt/leaktest.htm   (Please note that use of this tool does not imply JSU endorsement.)
4. Register the laptop with the manufacturer - Registering your laptop with the manufacturer will "flag" it if a thief ever sends it in for maintenance, and increases your odds of getting it back. Write down your laptop's serial number and store it in a safe place. In the event your laptop is stolen, the police will be able to trace it back to you.  
   
   

4.0 Security Measures to Protect Sensitive Data

1.        Use the NTFS file system - Use the NTFS file system that comes with Windows XP to protect your data from laptop thieves who may try to access your data. FAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system.

2.        Disable the Guest Account - Double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7. 

3.        Rename the Administrator Account - Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherit or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin" in its name. Pick something that won't sound like it has rights to anything.

4.        Create a dummy Administrator account - Another strategy is to create a local account named "Administrator", then giving that account no privileges and impossible to guess +10 digit complex password. If you create a dummy Administrative account, enabled auditing so you'll know when it is being tampered with.

5.        Upgrade to Windows Vista - If you cannot upgrade, at the very least, make sure that your operating systems patches are up to date. Windows Vista has built-in security tools that target laptop security.

6.        Prevent the last logged-in user name from being displayed - When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see Microsoft KB Article Q310125.

7.        Enable EFS (Encrypting File System) - Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our EFS Resource Center

8.        Disable the Infrared Port on you laptop - Most people don't actual transmits data via the infrared port on their laptop, but someone can use the IR port to browse someone else's files from across a conference room table without them knowing it. Disable the IR port via the BIOS, or simply cover it up with a small piece of black electrical tape.

5.0 Laptop Security Tips - Physical Security

1.        Asset Tag or Engrave the laptop - Permanently marking (or engraving) the outer case of the laptop with the University name, address, and phone number may greatly increase your odds of getting it returned to you. Clearly marking your laptops deters casual thieves and may prevent it from simply being resold over the internet via an online auction.

2.        Use a Cable Lock - Over 80% of the laptops on the market are equipped with a Universal Security Slot (USS) that allows them to be attached to a cable lock or laptop alarm. Most of these devices are from $30 - $50 and can be found at office supply stores or online. In addition to the quality of the cable, consider the quality of the lock. (Tubular locks are preferable to the common tumbler lock design) And remember: They only work if you use them properly. Tether them to a strong immovable and unbreakable object.

3.        Use a docking station - Almost 40% of laptop theft occur in the office. Poorly screened housekeeping staff, contractors, and disgruntled employees are the usual suspects. You can help prevent this by using a docking station that is permanently affixed to your desktop and has a feature which locks the laptop securely in place. If you are leaving it overnight, or for the weekend, lock your laptop in a secure filing cabinet in your office and lock your office door.

4.        Lock up your PCMCIA cards - While locking your PC to desk with a cable lock may keep someone from walking away with your laptop, there is little you can do to keep someone from stealing the PCMCIA NIC card or modem that is sticking out of the side of your machine. When not in use, eject these cards from the laptop bay and lock them in a safe place. Your docking station should have a NIC card built into it at your desk, and if you are traveling you won't be connected to the network anyway. Even when they aren't being used, PCMCIA cards still consume battery power and contribute to the heat levels within your laptop while they are left inserted into their slots. 

5.        Backup your data before you leave - Many times the data on your computer is more expensive to replace than the hardware. Always backup you laptop before you do any extended traveling that may put your data at risk. This doesn't have to take a lot of time, and you can use the built in backup utilities that come with Windows. If your network doesn't have the disk space to backup all of your traveling laptop users, you may wish to look into some of personal backup solutions including external hard drives, CD-R's, and tape backup.

6.        Consider using offline storage for transporting sensitive documents - Backing up your hard drive before you leave can help you retrieve your data when you return from your trip, but it doesn't do you any good when you're still out on the road. There are several vendors that offer inexpensive external storage solutions that can hold anywhere from 40Mb to 30GB of data on a disk small enough to fit easily into your pocket. By having a backup of the files you need with you, you can work from another PC in the event your laptop is damaged or missing. As a plus, many of these devices support password protection and data encryption, so your files will be safe even if you misplace the storage disk. Remember, when traveling keep these disks on your person, not in your laptop case or checked baggage, and be careful when passing through the metal detectors at airport security checkpoints.

6.0 Laptop Security Tips - Preventing Theft

1. No place is safe - Never assume your laptop will be safe just sitting around. Treat as if it were $1,000 in cash lying around, and lock it down using a cable lock or secure docking station.
2. Use a non descript carrying case - Nothing says "Steal me" like walking around a public place with a leather laptop case with the manufacturer's or your company's logo stamped to the side. Consider buying a form fitting padded sleeve for your laptop, and carrying it in a backpack, courier bag, briefcase, or other common nondescript carrying case.
3. Beware of payphones - Cell phones are great if you are within your calling area, but the lack of a nationwide standard means that business travelers often have to use the payphones in airports, restaurants and hotel lobbies. Incidentally, these are also places that thieves like to hang out. While you are worried about covering up your credit card number as you dial the keypad, opportunistic thieves are waiting to see if you set your laptop case down. If you're traveling with someone else, use the buddy system to watch each others backs instead of making calls at the same time. 
4. When traveling by air - There are a number of sophisticated professional crime rings that prey on business travelers carrying laptops. They look for brand new, high end laptops and often shadow the airport curb side check in, airline and rental car check-in counters, airport shops and security checkpoints. Anywhere where you might set your laptop bag down for a minute to attend to other things is a prime opportunity for thieves.
5. When traveling by car - Always rent a car with a locking trunk (not a hatchback/minivan/or SUV) and never leave your laptop in a vehicle where a passing thief can see it through the window. If you store your laptop in the vehicle for any period of time, keep in mind that the extreme temperature ranges within the vehicle could wreck havoc with your laptop. In the summer, the inside of a parked car can reach temperatures that will melt your laptop's components. In the winter, LCD screens can freeze solid and split.
6. While staying in a hotel - If you keep your laptop in your hotel room anchor it securely to a metal post or fixed object. When not in your room, consider locking your laptop up in the hotel's safe. (Make sure you get a receipt). 
7. When attending conventions and conferences - Laptop thieves target business conferences and conventions because they know you'll feel more comfortable around your peers. They look for events that use the same facilities for a few days, because they're counting on you to become lax as you become used to the surroundings and start to feel safe.
8. Make security a habit - People are the weakest link in the security chain. If you care about your laptop and your data, a healthy dose of paranoia will help keep it safe. Get into the habit of locking your laptop up when you're working with it, or when storing it. Use common sense when traveling and try to stay in physical contact with your laptop at all times. If you are traveling with trusted friends or business associates use the "buddy system" to watch each others back (and laptops).