Having proactive procedures will help ensure security and privacy, and minimize the risks associated with computer operations. Workstation security can be assured by having standard hardware and software configurations, maintenance, and disposal policies and procedures. The following steps are general while course deviations should be addressed on an individual basis:
- Install the most-recent operation systems and application security patches. Regrettably, some popular operating systems and applications have notorious security and operating flaws, making them easy prey for intrusions and the installation of malicious software (malware). To make sure your systems are protected, download and install updates as they are made available. It is the responsibility of the users and maintenance staff to ensure these updates are installed and documented. Documentation should reflect the individual device, identified by unique name or serial number, the type of update installed, date of installation, and by whom.
- Do not allow the installation of unauthorized software. Have a procedure where there is a list of authorized software that can be installed. Use software from recognized companies and install all update patches. Do not allow the installation of shareware or freeware programs. No one knows what these programs contain in the way of allowing damage to occur to your system. Besides, recognized companies generally have some kind of quality controls, and there is a performance expectation of a packaged product. In the event there is a problem, there is a viable party from whom to seek civil recourse for damages.
- Do not allow any unauthorized configurations. As an example, if file or printer shares are disabled, employees must not be allowed to enable them.
- Do not allow employees to install any hardware. Only authorized employees are allowed to install authorized hardware. For example, no employee is permitted to install modems in their workstations. This action creates a monumental security risk to the network.
- Keep all configurations the same. Regardless if there are network services, the organization should follow a standard configuration procedure for those applications. This facilitates auditing and security testing. Develop and maintain a standard installation and configuration procedure for all authorized software.
- Keep your workstation off-limits. Workstations should be physically secured when not in use. If the workstation is located in an office, the door should be locked when the workstation is not in use. If the workstation is used for very sensitive work, having a removable hard drive that is secured at the end of the workday is a good idea. Laptops may be secured by having software that encrypts the hard drive. In this fashion, if the hard drive was removed from the laptop and installed in another computer, it still would not be easily accessible.
- Other workstation security measures include using a BIOS password. The basic input/output system (BIOS) is a special piece of software incorporated in most computers. BIOS controls the startup of the computer and has the ability to be configured for a password before the computer may be started. In the event someone forgets their password, there are ways to circumvent the process but they usually require some time and specialized knowledge. BIOS passwords are similar to locks in that most locks will thwart a casual thief, but they will not stop a professional.
- Create a password-protected screensaver activated after a few minutes of inactivity. This feature is usually incorporated as part of the workstation's operating system. When activated, the screensaver continues to block anyone from seeing behind it. A password is required for deactivating the screensaver. If a malicious user attempts to restart the computer, depending on the operating system, it may require a password to restart the computer; if this is not the case, when a BIOS password is installed, it will prevent any system restart.
- Install operating systems that create individual password-protected user profiles. Many operating systems, such as Windows NT or XP and Linux allow individual password-protected user accounts to be created. In this fashion, the system boots and as it launches the operating system, it requires a password before the user may access the operating system, applications, and data.
- Install biometric devices, which is equivalent to installing a deadbolt on a door. Biometric devices restrict access to systems based on the unique physiological characteristics recognized by the device. Examples of effective biometric devices are fingerprints, iris and retina scans, and voice.
- Disconnect from open-ended networks such as the Internet when you are not actively using them. As long as you have an active connection to an insecure open-ended network, malicious persons have a channel to access your workstation. These can be minimized by disconnecting from the open-ended network. This means disconnecting your dial-up modem, DSL (Digital Subscriber Line) connection, or ISDN (Integrated Services Digital Network) terminal emulator when you finish each session. If attackers cannot reach the system, they cannot do anything malicious.
- Install personal workstation firewalls to protect your workstation while it is connected to the network, whether the network is closed or open ended. Many employees think their computers are protected by the network firewalls, and indeed they are. Having a personal firewall installed is another layer of protection against attackers. Individual workstation firewalls are usually inexpensive.
- Disable cookies for privacy. If cookies, small bits of code sent from Web sites to your browser and stored on your hard drive for identification and tracking purposes frighten you, then disable them. Most browsers have security features allowing you to be prompted for accepting cookies and you have the choice of accepting them or not. Regardless, it is prudent to delete cookies on a regular basis. Within most browsers there are methods to delete cookies. It is important to note that cookies are not generally malicious in themselves, but they are read by some Web sites and used to track the Internet browsing habits of the workstation's users.
- Avoid spyware. There are small applications that are somewhat malicious in that they track your Internet browsing habits and are considered more intrusive than just ordinary cookies. Some spyware lodges itself in the operating system's registry and lettered drives. Scanners are readily available that search the workstation's drives and remove the offenders. Users should scan for spyware at least weekly.
- Protect the user's identity. Applications offer to save your login name and password so you do not have to enter them each time you visit the site. By activating his feature, you are allowing the login name and password to be stored in the workstation's hard drive and anyone with access to your hard drive can capture these bits of information.
- Some word processors incorporate the user's registration information in the content of the document. Of course, this information will not be displayed by the word processor, but can be viewed when displayed in a simple text editor. Be mindful of this feature when you enter application registration information.
- Install and update your antivirus software. This is a matter of good business sense. Antivirus software must be installed on all workstations, must be activated upon the system's startup, and must be updated regularly. Most antivirus programs look for viruses and other types of malware. Fortunately, most antivirus developers sell update subscriptions and their applications can be configured to retrieve updates automatically. With the amount of malware circulating on open-ended networks, it makes sense to activate the antivirus shielding while using the Internet and scan for malware at least weekly.
- Disable file and printer sharing features in the workstation's operating system. This is a favorite vulnerability permitting attackers to gain unauthorized access. If you must allow this type of sharing, be sure to enable the password feature with a very strong password. Regardless, it is strongly recommended that unless there is a very compelling reason, disable file and printer sharing on all workstations.
- Collect all sensitive trash daily for burning or shredding. There has been more than one active password collected from unburned trash.
- When it is time to dispose of computer-related equipment and media in the form of floppy disks, hard drives, CDs, CD-Rs, and the like, it is important to have very specific procedures. All computers should have their hard drives removed before disposal. All media, including hard drives, should be burned in the incinerator. Commercial burning at very high temperatures is the only reliable way to be assured of media destruction