Device Security Guidance

Jump to a section here:

 

Why Device Security is Important -- How to Secure Your Devices

Your data is only as safe as the weakest device that holds it.  Whether your personal devices have data as sensitive as your banking information or as visible as your address, it is important to appropriately secure all devices you use from unauthorized access.

Protect device with a strong login password: 1) learn what constitutes a strong password, 2) create ones you can remember, 3) never share your password with anyone, and 4) use unique passwords for your devices, UVA accounts, and for any other accounts with access to important or sensitive information.  If you have reason to believe someone has learned one of your passwords, change it immediately.  

Use a password manager:  UVA has a site license for LastPass that makes it free for UVA academic faculty, staff, and students.  Click here for information about LastPass at UVA.   Downloading LastPass will eliminate the struggle of forgetting your password and being tempted to re-use the same password. It enables you to create unique, strong passwords for all of your accounts.

Use two-factor authentication:  Configure two-factor authentication for all accounts that offer the capability, such as for UVA accounts, bank accounts, personal email accounts, etc.

Use a password protected screen saver: Configure your computer to lock the screen automatically, after a brief period of no more than 10 minutes of inactivity, with a password-protected screensaver. This enhances security and causes you minimal inconvenience.

Turn off file sharing: To ensure other people cannot access your files and folders, you should disable file sharing. In Windows 10 access Settings > Network and Internet > Sharing Options. If you purchased a Dell computer from the University, you will notice that file sharing is already disabled. Macintosh computers disable file sharing by default. UNIX/Linux operating systems need special attention in this area.

Turn on Firewall: Firewalls can prevent hackers from making unwanted connections to your machine. The firewalls on recent Windows and Macintosh operating systems are turned on by default. Make sure, however, that you enable the firewall settings for the following operating systems:

Turn off or delete unneeded software features: The more software packages there are on a computer, the more opportunities exist for hackers. You should uninstall applications and turn off features you don't use.

Configure properly for multiple users: If multiple people use a computer, ensure that they each have their own user account.

 

Maintaining Desktop, Laptop, and Tablet Computers

Use up-to-date antivirus and antispyware software: Install FREE antivirus software (based on your operating system) on your computer, and schedule daily updates that will recognize new virus types as they emerge.  Enable the automatic protection of all incoming files, and schedule weekly scans of your hard drive.  Install antispyware software on your computer, since antivirus protection is not enough. Download Microsoft's antispyware software Microsoft Defender. It's pre-installed on your computer in Windows 10 but may be turned off.  NOTE: Federal regulations (enacted in the 2018 NDAA, Sec. 1634)  prohibit the use or purchase of any software or services from Kaspersky Labs, or any entity of which Kaspersky Lab has a majority ownership. This includes its antivirus, internet security, password management, endpoint security, and other cybersecurity products and services. Details are on the UVA Vice-President for Research Best Practices webpage.

Don't open files from unknown sources: Carefully judge the credibility and trustworthiness of the source of a file before opening it. Email attachments and downloaded files are common sources for malicious programs. Bear in mind that some viruses and worms can mimic the identity of a familiar email correspondent. If you were not expecting an attachment, you may want to contact the email sender to verify the attachment before opening.

Keep your operating system up-to-date: Updates should be downloaded and installed immediately—many contain critical fixes for security-related defects. Recent operating systems have automated the update process, though you may be prompted to approve the process. If ITS Patch Management Service or HIT Desktop Management Service does not manage your updates, learn how to use your operating system auto-update feature.

Keep your application software updated: Check your software manufacturers' websites regularly for updates to their products.

Delete data securely: Use secure data deletion to destroy files and folders immediately and permanently in a secure manner. For Windows computers find out more about Secure Deletion Shredder software and how to download it for FREE.

Backup: Create a backup of your entire system periodically, and back up critical data files whenever you update them. The ITS Crash Plan service provides an automated backup space, but files consuming large amounts of space—video or music—may require external disk drives to back them up adequately.

Use physical security: Protect your system from theft by physically securing your computer. Purchase a lockup cable for your laptop to increase security in residence halls, libraries, and other places you may take your computer, and a surge protector with a circuit breaker to protect against power line surges. Verify that your system is covered under a homeowner's or renter's insurance policy.

Setting up Networked Printers

All networked printers should have a static IP address on the  non-routable UVA Academic Protected Network (APN) 172.29.x.x address space. If available on your printer, restrict access to authorized users in your department or unit.

Use physical security: Physically secure the printer, as if it were a server.

Enable access controls: Change the administrator password on the https (web) login. On any printer that supports it, install a CA certificate and use it instead of a password for administrative access. If available, we recommend you use access lists to limit the users who can access the printer.

Disable Unnecessary Services, and Limit Network Ports and Protocols: Most printers support a number of different services, many of which are legacy and rarely used. Many services can also weaken the overall security of the printer, as they can be identified and exploited by attackers.

  • Disable any services that you do not use. This can often be done by a management web interface enabled on the printer.
  • Disable Telnet and FTP. These may have been used in the past to manage and send print jobs, but should now be avoided.
  • Review and disable services such as AppleTalk and IPv6 when appropriate.

Disable Embedded Web Server: Many printers allow configuration and administration through a built-in web interface. Configure the web server to only allow traffic over a secure connection (HTTPS), and disable access over HTTP.If you do not use the embedded web server to manage your printer, disable it if possible.

Restrict Management Services

SNMP and https (web) are protocols used to manage printers. SNMP is used for large organizations managing hundreds to thousands of devices, including printers. SNMP should be turned off. If there is a documented requirement for SNMP, the following guidelines should be followed to prevent exploitation of security vulnerabilities:

Turn off version 1 and 2 of SNMP, and change the default SNMP read and write community strings. Turn logging on, and review logs as appropriate to detect and/or investigate potential security breaches.

Please contact UVA Information Security with any questions.

REVISION HISTORY: October 29, 2020