FW: Install for Dummies?

Johnson, Greg JohnsonG at missouri.edu
Wed Jan 16 15:08:11 GMT 2002

Has anyone seen an effective one-page or two-page document that guides naive
users through a secure installation?  Outline:

(1) Physically unplug from the net!
(2) Really, unplug!
(3) Install OS and applications from vendor media.
(4) Don't plug in yet.
(5) Apply any patches from other media.
(6) Keep your hands off that cable.

(7) Disable services such as UPnP and IIS via these steps ...

(8) OK, now you can plug in and finish network connection.
(9) Download and install patches.
(10) Download, install, update anti-virus, personal firewall, etc.
(11) Download and run this program to check and set security.
(12) A backup might be in order now.

(13) Turn on just those services you need...
(14) Watch your logs.
(15) Keep up to date on patches.
(16) To further prevent unauthorized network access to your computer, to
test its security status against ever-emerging threats, and to ask best
practices questions about security, see this web page ...

Item (7) is the meat.  What are the minimum secure, fool-proof instructions
you advise?  There may be a version for each popular OS including MS Windows
98, ME, 2000, NT, XP, Red Hat Linux & Apple Mac.

I wish to distribute something like this to our university's thousands of
students and staff.   So these guidelines must be enticing and inexpensive!
Our people connect on campus and with machines they own via DSL, cable, or
other access.  No surprise, many people, even those who know better, are
NIMDA'd or worse before they finish downloading MS patches, enterprise
templates, etc.

Over a year ago I discovered vulnerable shares on dozens of campus Windows
98 systems.  My boss thought that because of this vulnerability we should
consider officially dropping support for '98.  I pointed out that only
systems for which Microsoft disclaims security--Windows 95 and 98--are
secure out of the box.  This UPnP mess and IIS defaults have affirmed that
cynical observation.

-- Greg Johnson, Security Office, IAT Services, University of Missouri -
