Implemented LSA Windows Network Security Measures (and Recommendations). Information technology resources and support for LSA faculty, staff, and department system administrators.




Implemented LSA Windows Network Security Measures (and Recommendations)

  1. Set the minimum password length to 7 characters.
  2. Use “strong” passwords only.
  3. Set expiration on passwords to 1 year.
  4. Extend default lockout period to 1 hour.
  5. Change local administrator password on all Windows systems.
  6. Sys Admins log in with an admin account only when performing administration.
  7. Sys Admins use a “user account” when performing personal work.
  8. Sys Admins use the RUNAS command if logged in with “user credentials”.
  9. Use Telnet with Kerberized Hummingbird Host Explorer or PuTTY (SSH).
  10. Minimize use of FTP; ideally use IPSEC when moving data with FTP.
  11. Remove all local user profiles older than 7 days.
  12. Do not use a roaming profile when logged in with administrator privileges.
  13. Do not send passwords in e-mail unless the mail is encrypted with PGP or S/MIME.
  14. Decrease the number of accounts with domain admin privileges.
  15. Password changes to privileged accounts must be made immediately after a staff person (who knew the password) has left their LS&A position.
  16. Former staff accounts must be removed from privileged groups immediately after they have left their LS&A position.
  17. All Sys Admins must pay more attention to service pack updates to maintain secure systems.
  18. Sys Admins should not execute programs sent in anonymous e-mail.
  19. Sys Admins use PKI certificates for e-mail and web servers.
  20. Phase in increased use of IPSEC transmissions. Use IPSEC-enabled NICs.
  21. Set Windows 2000 Kerberos attributes for ticket TTL to the same times as used in the UMCE Unix environment.
  22. Install Directory Services client on all downlevel clients where possible.
  23. Work with Thursby Software Systems to have them upgrade Dave Client to NTLMv2.
  24. Consider increased use of Firewall technology such as the product from CheckPoint.
  25. Install McAfee NetShield on all Win2K servers.
  26. Turn off ports where a malicious system is causing trouble for others on the network.
  27. LSAIT may provide a script to DSAs that captures critical events from user workstation logs.
  28. Stay vigilant to prevent users from disabling antivirus software.
  29. Sys Admins maintain the practice that locked screensavers are used when users leave a workstation unattended.
