Basic security measures on public/laboratory computers:
- All servers and workstations must be kept up-to-date with latest software patches. Same rule apply to all software packages in use. Today, there are many easy ways to automaticaly update software. If you use Windows Update you can configure your computer to install patches automaticaly as they are published by Microsoft. In addition you cane employ various options provided by Active Directory to update your machines.
- Strong audit policy including both successfull and unsuccessfull logon attempts. Usually it won’s save us, but at least we’ll know how and when it happened.
- Strong password policy. Users must use strong password and frequently change them (6 months should be both secure and not to annoying).
- All local administrator accounts must be password protected. It’s also healthy to rename “Administrator” account.
- As long as it’s possible, users must not be allowed to be local administrators, furthermore they it’s very dangerous to give users Domain Administration rights.
- When users must be able to install software on local workstation they may be granted to install it via Local Policies without making them local administrators.
- All projects dealing with networking topics, such as, filrewalls, protocols etc. are better done on isolated LAN that simulates real environment. This will both provide more freedom to students and protect faculty network.
- Remote access to NT workstations and servers proves itself constantly as security hole. Best practice is to prevent any kind of remote access from students.
You may consult in the following useful resources pages for links to major security related sites.