Safe computing is mostly about prudence, preparation, and prevention. NDSU has seen a large number of computers on the network become compromised. The following suggestions are intended to help students, faculty, and staff become more aware of safe computing issues.
The Internet is a powerful resource, but the same features that make it powerful also provide the means for misuse. Your "network neighbors" are world-wide, and, if you are not careful, they may have complete access to your system or your identity. While there really is no "100% secure" Internet-connected computer system, it is possible to take a few simple steps to get close.
Of course, you might say, "I don't have any top secret information on my computer." However, you don't want to lose what you do have, and you don't want to be responsible for illegal activity on your computer. "Infected" computers can
- Infect other systems
- Take down entire businesses or networks
- Be used for illegal activities
- Be used as repositories for copyright protected media or software
- Have information corrupted or deleted
Hundreds of computers can be taken over in seconds. Remember that you, as an owner of an account or computer, are responsible for any and all activity using your access information. You can save yourself a lot of grief by following some basic rules for safe computing.
Create a Secure Login
Creating a secure login is the first and possibly the easiest step to a more secure computer. Here are a few tips for creating a secure login:
- Always set up accounts that require good passwords. Do NOT allow a password to be empty or blank. Most password cracking tools can find these and compromise them in seconds. Don't be an easy target.
- Use GOOD PASSWORDS! Do NOT use words that could be looked up in a dictionary or are simple. Password crackers can "guess" those in seconds. When possible, use special characters, digits, mixed case, etc. NDSU requires that your password be at least 8 characters long and include mixed case, special characters, and digits. The website forbes.com recently named the 25 worst passwords of 2012 and number 1 is still "password" <-- Don't use this password!!!
- It is recommended that you remove unneeded accounts from your computer. Removing the guest account will secure your computer. Removing unneeded accounts also gives you a way to easily see if rogue accounts have been created if your computer does become compromised.
Update, Update, Update
In 2000, Microsoft released Automatic Updates to try to make sure that Windows computers connected to the Internet were getting the latest patches for their operating system. Keeping up with updates is a practice you should get into with your own computers as well.
- On NDSU computer equipment we utilize WSUS (Windows Server Update Services) to provide Microsoft Windows computers with their updates.
- For the Macs on campus we suggest that you check for updates on a weekly basis. Simply click the apple in the upper left and select Software Update... to start the update application.
- Linux computers use a wide variety of update tools, including apt-get, pacman, yum, and many others. We suggest you update your software at least weekly.
You should also make sure that the applications you have installed on your computer get updated. Most applications now have their own update utility built in, and some operating systems have application stores that update those applications as updates become available. Until there are application stores for all operating systems, please make sure your editing, viewing, watching and listening software is all up to date.
Lost or Stolen Items
Devices are getting smaller, and storage on those devices is growing. They are easy to misplace, and that also means they are easier to swipe. Here are a few steps you can take to reduce the risk of data being stolen along with the devices that you use every day.
- Turn off your device when not in use. Data is stored in memory for easy access; if the power is off, data is not stored in active memory.
- Password protect your device. A 15 to 18 character password that is not a single word will secure your computer against an easy break-in.
- Back up your data to a different location. If your device goes missing, you still have your data.
- Encrypt your storage. Hard drive encryption will make it almost impossible to get data from the device if the bad person does not have the password to get in.
- Enable device location and remote device wipe features, giving you the ability to either locate the device or destroy the data that is located on it.
Mistakes happen and thieves can be very good at what they do, so devices will go missing. If a device is missing, don't panic. Please follow the steps below:
- Contact Campus Police at (701) 231-8998
- Fill out a Stolen or Missing Item form
Encrypt Your Computer
BitLocker is a Microsoft Windows utility that encrypts a computer’s entire hard drive or other external media.
BitLocker is a tool that can be used to protect research data and confidential data such as student records and other Personally Identifiable Information (PII) or Protected Health Information (PHI), and to ensure compliance with regulations such as FERPA and HIPAA.
If a Windows device is lost or stolen, the data on the encrypted drive cannot be accessed by an unauthorized party unless the appropriate decryption password is provided.
Requirements: a computer with a built-in Trusted Platform Module (TPM) and Windows 10. All PC computers recommended by ITS meet the hardware requirements.
If the computer meets the requirements above, the encryption process will be transparent to the user, who should not notice any difference from a non-encrypted computer.
If the TPM is not enabled by default, it can be enabled on the computer BIOS configuration screen. Follow the manufacturer’s instructions on how to enable the TPM if it is not enabled by default.
You can verify the TPM is enabled by clicking Start, typing Device Manager in the search box, and looking under Security Devices for the TPM. If it is present, it is enabled in the BIOS.
Turning BitLocker On:
Click Start, then click the settings icon.
In the search box, type BitLocker.
Select Manage BitLocker.
Click Turn on BitLocker.
BitLocker will run checks to make sure the computer meets requirements.
The message “Preparing your drive for BitLocker” will display. Click Next.
Click Next to start encrypting the drive.
A message will appear asking you how you want to back up your key. This key will be used to decrypt your drive if maintenance is needed or changes are made to the drive. It is very important that you can provide the key. The options are:
Save to your Microsoft account. It can save the key to the Microsoft servers if you use your Microsoft account on your computer.
Save to a file. You will be asked to provide a flash drive or a network location. The hard drive on the computer cannot be used because it will be encrypted and you won’t be able to access it during maintenance or if changes are made to the computer. Store the flash drive in a secure location.
Print the recovery key. If you choose to print the key, store the printout in a secure location so you can provide the key if maintenance is needed or changes are made to the drive.
For computers in the domain, your encryption key may be recovered by the system administrator.
After choosing one of the options above, click Next.
The recommended setting is to encrypt entire drive. Click Next.
The recommended setting is Compatible mode. Click Next.
Check the box Run BitLocker system check and click Next. The computer will restart or you may need to click on Restart Now.
The computer will start encrypting the drive. You can work while it is encrypting, but it may be better to leave it to work overnight. Depending on the size of the drive, it will take between 2 and 4 hours.
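A scripted check of the result of the procedure above, as an added example that is not part of the original NDSU page. It uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets from an elevated PowerShell prompt; the function name Test-BitLockerSetup and the wording of the findings are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audits one volume against the checklist on this page.
# Test-BitLockerSetup and the finding texts are hypothetical names/wording.

function Test-BitLockerSetup {
    param([string]$MountPoint = $env:SystemDrive)   # normally C:

    $findings = @()

    # Scripted equivalent of looking for the TPM under Security Devices.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM: startup needs a password or a flash drive.'
    } elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready: check the BIOS setting.'
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Encryption can take hours, so a partial state may simply mean "wait".
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is not On: the drive is not protected if lost.'
    }
    # The recovery key from the backup step; it is needed for maintenance.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: back up a recovery key.'
    }
    # No-TPM mode: a password or a flash drive is required at every startup.
    if ($types -notcontains 'Tpm' -and
        ($types -contains 'Password' -or $types -contains 'ExternalKey')) {
        $findings += 'Startup uses a password or flash drive instead of the TPM.'
    }

    # Only protector types are reported; the recovery key is never printed.
    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        Protectors   = $types -join ', '
        Findings     = $findings
        FindingCount = $findings.Count
    }
}

Test-BitLockerSetup | Format-List
```

An empty Findings list means the TPM is ready, the drive is fully encrypted with protection on, and a recovery key exists to be backed up.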
If your computer does not meet the requirements:
Computer has no TPM:
If you have Windows 10 but your computer does not have a TPM, you will see a message asking you to enable the policy “Allow BitLocker without a compatible TPM”.
Open the Group Policy Editor by opening a Run window and typing gpedit.msc. Then browse to:
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Set Require additional authentication at startup to enabled.
If the computer is managed through Active Directory, the administrator may need to set the policy.
After enabling the policy, you can proceed to encrypt the drive with the caveat explained in the next paragraph.
Important note: This method will not be completely transparent to the user. Since there is no TPM to store encryption keys, the user will either have to plug in a flash drive with the key every time the computer is started, or enter a password at startup to decrypt the key and then the account password to log in to Windows.
Computer is running Windows 7:
The process is very similar to the steps above. The main difference is that if there is no TPM installed, a flash drive will be required every time the computer starts up.
If your drive or computer needs maintenance:
If your computer suffers a hardware failure other than the hard drive, your information can be transferred to another computer. However, when the drive is removed and connected to a different computer, you will be prompted to enter the key you printed or saved to the flash drive.
After you enter the key, you will see the files in a similar manner to any unencrypted media.