Effective Practices
Endpoint Security Guidelines
Best practices are the most efficient and effective way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people. The following information is provided as a service to the university community.
- Layered Security (Restricted viewing)
All default passwords have been replaced with strong passwords
Default passwords are one of the very first things that should be changed on any system to enhance security. Passwords should also be "strong". A strong password is one that:
- uses a unique password for each important account
- uses a mix of letters, numbers, and symbols in a password (e.g. "@r1z0n@_St@t3_Un1V3rs1tY")
- does not use personal information, common words, or number sequences (e.g. graduation dates, birthdays, "password", 12345, etc.)
Regular backups are processed (at least weekly)
Copy and save the files and folders you would cry over if you lost them. If you're not on good terms with your thumb or flash drives, check out My Files, ASU’s new and improved way for enrolled students, faculty, and staff to store files on the ASU Network. With 4 gigabytes of storage space, My Files (formerly known as AFS Manager) is free of charge and is a great way to keep files organized and secure. Access My Files at my.asu.edu.
- Create an Emergency Rescue Disk (ERD) to recover your system
- Backup your data at least once a week
- Keep copies of important data in multiple places
Physical access is restricted to the host (computer, laptop, server, etc.)
Physical access is synonymous with physical security. In today’s environment laptops, HDD, USB/Thumb drive, mobile devices, and even servers are portable. There is no need for an attacker to conduct a highly sophisticated attack on your network if the attacker can just physically pick up a device and walk away with the device in hand. Often time the most low-tech attacks are the most effective.
Attackers could use an unsecured computer connected to the network to access or delete information that's important to your business. Workstations at unoccupied desks or in empty offices (such as those used by employees who are on vacation or have left the company and have not been replaced) or at locations easily accessible to outsiders, such as the front receptionist's desk, are particularly vulnerable.
Disconnect and/or remove computers that aren't being used and/or lock the doors of empty offices, including those that are temporarily empty while an employee is at lunch or out sick. Laptops and handheld computers pose special physical security risks. A thief can easily steal the entire computer, including any data stored on its disk as well as network logon passwords that may be saved. If employees use laptops at their desks, they should take them with them when they leave or secure them to a permanent fixture with a cable lock.
Handhelds can be locked in a drawer or safe or just slipped into a pocket and carried on your person when you leave the area. For portables that contain sensitive information, full disk encryption, biometric readers, and location software that will "phone home" if the stolen device connects to the Internet can also compliment physical precautions.
Full Disk Encryption is employed
- Endpoint Encryption ensures that if your computer is stolen, any sensitive information on its disk will be unavailable to the thief. Encrypt your computer's hard disk using your operating system's built-in disk encryption software or other encryption software suggested by UTO
- Encryption at Rest (file encryption) ensures that data on your computer is secured no matter the state of your computer. It can also provide a form of access control to files that may contain sensitive information on your computer
All ASU maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. In addition to full disk encryption, All ASU computers should encrypt individual files containing sensitive data. The minimum standard for encryption algorithms should be 128-bit AES, or the highest level allowed by export controls in the case of international applications.
Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., minimum system requirements for compliant operating system, chipset including compliant TPM chip), the device should be upgraded or replaced with a compliant device.
Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
The following documents provide information on how to encrypt your computer and individual files. Consult your departmental technical support personnel for assistance.
- Disk encryption and file encryption, basic information
This document gives general information for end users. Start here if you're encrypting your home computer - Disk encryption, technical information
This document gives more detailed information for technical personnel. Start here if you support ASU faculty and staff
Use secure connections
- Ensure all devices always use secure connections. Use trusted, encrypted wireless networks whenever possible, or bring your own mobile hotspot (see Telecommuting, Mobile and Travel Safety Guidance). When near any of ASU's campuses, connect to the "asu" encrypted wireless network
- If you must connect to an untrusted or open public wireless network, make sure to protect your system and information by also connecting to a VPN, such as ASU's SSLVPN. Note ASU's VPN only protects connections to ASU resources, and does not protect connections to outside entities like your bank or 3rd party email
The operating system is installed with secure configuration options
- Reference manufacturers’ configurations recommendations and review periodically to ensure device is configured securely
- Effective Practices for Endpoint Administrative Access
- Effective Practices for Printers
- ASU recommends aligning to CIS Benchmarks for secure configurations. Please submit a "Server or Web Application Scan -> Server Scan" in the Service Catalog to request a CIS Benchmark configuration check assessment for your server
Computer managed software such as (SCCM, JAMF), or similar is utilized
The use of computer management software such as SCCM or JAMF is a best practice as it allows for central management of information systems and allows you to quickly apply critical patches, updates, and other software in a network environment
Patches are installed and maintained for known operating system vulnerabilities
It's a good idea to check for system updates daily to keep your computer current and secure.
- Schedule your computer to check for software updates daily
- If your computer doesn't already check for updates on its own, visit update.microsoft.com or apple.com/support/ to check for yourself
- Never get updates from sites you do not trust
Antivirus software is installed and configured for updates
In today’s information technology age, antivirus software is a requirement. Antivirus software protects your system(s) from becoming infected by any number malicious types of software. Antivirus software becomes even more important when working in a networked environment. One infected machine can infect many systems that are connected to the same network. Antivirus software will help prevent the spread of the malicious software.
A Host firewall is installed and configured
A firewall is similar to walking through the security check at the airport; the firewall inspects Internet traffic and either allows information to pass through to your computer or denies it and tells it to go home.
- Use system firewalls and make sure it's turned on and is active
- Never turn off your firewall while using the Internet
User endpoint is run as least privileged user - (general users do not have admin privileges)
The principle of least privilege means giving a user account the minimum privileges required for the user to perform their duties. For example, a user account for the sole purpose of creating backups does not need the access to install software. Hence, the user account only has the rights needed to run backup and backup-related procedures. Any other privileges, such as installing new software, are not allowed. For instructions on setting up user accounts with least privileges, click here.
Run Data Loss Prevention (DLP) software
Ensuring that sensitive data stays is one way where DLP solutions can assist. At ASU we use Cloudlock to help protect sensitive data in Google, Dropbox, and Salesforce. We also have a Proofpoint email DLP solution that protects sensitive data included in outbound emails. These services are two examples where we have deployed technology to assist us in ensuring that only the appropriate people have the ability to view sensitive information.