S 4.151 Secure installation of Internet PCs
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A host of decisions affecting the IT security of the system have to be made when installing the Internet PC.
Hardware
The hardware of the Internet PC must be designed in such a way that only the components specified within the application concept are present. If required, drives or interfaces that were not intended must be removed or disabled, e.g. diskette drives or internal modems (see also S 4.4 Correct handling of drives for removable media and external data storage).
The boot sequence should be set in the system BIOS in such a way that the computer only starts from the data medium containing the designated operating system. For example, if the IT system is to be started from a non-rewritable CD- or DVD-ROM, the boot sequence should be set to CD-ROM Drive. If the operating system is located on the hard disk called "C", C: A:, C only or Harddisk first/only should be selected.
Access to the system BIOS should be protected by a password. If an operating system without mandatory user authentication is used, e.g. Windows 9x/ME, enabling a boot password in the BIOS should also be considered. This provides some protection against opportunistic misuse.
Operating system
Subsequent to the installation of the hardware, the operating system specified in the application concept is installed. Here, it must be taken into consideration that commonly used operating systems offer different security functions. For example, Windows NT-based operating systems and Linux are characterised by efficient user separation and access rights. These functions are only available rudimentarily or not at all in Windows 9x/ME, but are important for separating the administrator area from the user area.
As a matter of principle, only those operating system components should be installed that are actually needed for the specified field of application. Here, "services" (Windows) and/or "daemons" (Linux) must be checked particularly critically. Normally, an Internet PC should not offer any services on the Internet (see also S 5.72 Deactivation of unnecessary network services).
Subsequent to the installation of the operating system, any assigned default passwords must be changed. In Linux, this particularly refers to the root password, if the distribution used assigns a default password for this.
Before commissioning, all current security-relevant patches and/or updates must be installed. For Windows operating systems, the corresponding information can be found on the Microsoft websites (www.microsoft.com). If Linux is used, the manufacturer of the distribution used should be contacted for available patches and updates first. If the manufacturer's offer is insufficient, further sources should be used, e.g. www.linuxdoc.org.
Further recommendations regarding this can be found in S 2.35 Obtaining information on security weaknesses of the system and S 4.107 Use of the vendor resources.
Moreover, the following recommendations are applicable to Windows operating systems:
- The current service pack should be installed.
- TCP/IP should be installed as the only network protocol.
- No services should be connected to the TCP/IP protocol for Internet access.
- The file and print sharing function should be disabled. No shares should be made available.
- When using Internet Explorer, Tools | Internet options | Connections should be used to enable the Check system security before dialling function, if this option is offered.
- The Windows Scripting Host (WSH) should be uninstalled if this is possible for the configuration used. Otherwise, the file types assigned to the WSH, for example .vbs and .js, should be assigned to an editor.
- The Microsoft Personal Web Server should be disabled or even uninstalled, if possible.
- Automatic CD-ROM recognition should be disabled (see also S 4.57 Disabling automatic CD-ROM recognition).
- If the Windows version used supports user separation, all unneeded user accounts should be disabled or deleted, e.g. Guest. In Windows NT, this may be performed using the User Manager. The Administrator account should be renamed and protected with the help of a password.
- When using Windows 9x/ME, the use of a password-protected screensaver should also be considered. This offers some protection against unauthorised access.
- The default action when double-clicking a .reg file should be Edit (open with the editor) and not Merge. In Windows ME, the corresponding dialogue is available in the Explorer via Tools | Folder options | File types.
- It should be checked whether deviating path names may be used instead of the default names for system and data directories and/or files. In many cases, malicious programs search for certain files in default directories so that this change may be used to attain additional protection. However, it must be taken into consideration that this may cause incompatibilities with certain programs.
If Linux is used, the following recommendations should be taken into consideration:
- The daemon inetd should not be started. Depending on the distribution, this is configured with the help of changes to the rc start files or using specific administration tools.
- The Portmap daemon and the Name Service Caching daemon should not be started.
- If the distribution used installs specific remote administration services, e.g. linuxconf or swat, these should be disabled.
- Apache or other WWW server software should be uninstalled.
- The sendmail program should not be started in a server mode. Other daemons for receiving email using the SMTP protocol should also be uninstalled or at least disabled. If required, email should be retrieved via POP3 or IMAP.
- As an additional security safeguard against attacks from the Internet, the packet filter function ipchains and/or iptables of Linux may be used. Some distributions provide preconfigured packages for this.
As an additional security safeguard, a so-called Personal Firewall may be installed. For this to actually be effective, it must be configured carefully for the respective purpose. In particular, the program must be configured in such a way that the users are not pestered by numerous warnings they are not able to interpret. Further recommendations can be found in S 5.91 Use of personal firewalls for clients.
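As an added example that is not part of this safeguard, the following POSIX shell script checks a process list and a netstat listing against the Linux recommendations above and the rule that an Internet PC should not offer services on the Internet. The sample input is constructed, and the daemon names it adds beyond those the text lists (xinetd, rpcbind, httpd, apache2) are an assumption about the usual binary names.

```shell
#!/bin/sh
# Added example (not part of S 4.151): two checks for the Linux recommendations
# above, run against constructed sample input so the script works offline.
# On a real system feed them the output of `ps -eo comm=` and `netstat -tln`.

# Daemons the safeguard says an Internet PC should not run. The page names
# inetd, portmap, nscd, linuxconf, swat, Apache and sendmail; xinetd, rpcbind,
# httpd and apache2 are added as the usual binary names (assumption).
FORBIDDEN_DAEMONS="inetd xinetd portmap rpcbind nscd linuxconf swat httpd apache2 sendmail"

# find_forbidden_daemons PROCESS_LIST
# PROCESS_LIST holds one command name per line. Prints the forbidden daemons
# found, space separated; exit status 0 means none were found.
find_forbidden_daemons() {
    found=""
    for d in $FORBIDDEN_DAEMONS; do
        if printf '%s\n' "$1" | grep -qx "$d"; then
            found="$found $d"
        fi
    done
    [ -n "$found" ] && printf '%s\n' "${found# }"
    [ -z "$found" ]
}

# find_exposed_listeners NETSTAT_OUTPUT
# NETSTAT_OUTPUT is `netstat -tln` text. Prints the local address of every
# LISTEN socket not bound to loopback; exit status 0 means nothing is exposed.
find_exposed_listeners() {
    exposed=$(printf '%s\n' "$1" |
        awk '$6 == "LISTEN" && $4 !~ /^(127\.|::1:)/ { print $4 }')
    [ -n "$exposed" ] && printf '%s\n' "$exposed"
    [ -z "$exposed" ]
}

# Constructed sample data: a process list and netstat output from a PC on
# which nscd and sendmail were left running and two ports face the network.
SAMPLE_PROCS="init
bash
nscd
sendmail
cupsd"
SAMPLE_NETSTAT="Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:40123      10.0.0.5:80             ESTABLISHED"

if find_forbidden_daemons "$SAMPLE_PROCS"; then echo "no forbidden daemons"; fi
if find_exposed_listeners "$SAMPLE_NETSTAT"; then echo "no exposed listeners"; fi
```

On the sample data the script lists nscd and sendmail as daemons to disable and reports 0.0.0.0:25 and 192.168.1.10:80 as sockets reachable from the network, while the CUPS socket on 127.0.0.1 is accepted.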
Client programs
Along with the actual operating system, only those additional programs should be installed to the Internet PC that are required for using the Internet services defined in the application concept.
If the application concept specifies the use of the world wide web, a WWW browser must be installed. Commonly used browser programs include Internet Explorer, Firefox, Chrome, Safari, and Opera. Recommendations regarding the secure configuration of these browsers can be found in safeguard S 5.93 Security issues relating to the use of web browsers by Internet PCs.
If the Internet PC is to be used for sending and receiving emails, either an email client must be installed or a WWW-based email service (GMX, web.de) must be used. Commonly used email clients include Outlook, Outlook Express, Thunderbird, or KMail. Recommendations regarding the secure configuration of these programs can be found in safeguard S 5.94 Security issues relating to the use of email clients by Internet PCs.
If the application concept provides for the use of further Internet services, e.g. Internet telephony or instant messaging, further client programs may have to be installed.
All programs should be configured in such a way that they provide the best possible security, and the users should be instructed as to how to use them securely.
Tools
Regarding the secure operation of an Internet PC, additional tools must normally be installed that are not part of the operating system.
The use of a virus scanner on every Internet PC is absolutely indispensable. Such programs are available from various manufacturers. It is important that the signature databases used as a basis for these tools are updated at regular intervals. Commonly used virus scanners provide specific functions for this. Here, it must be taken into account that these updates cannot be controlled from a central location if the Internet PCs are not networked with each other. Further recommendations for protection against malicious programs can be found in S 4.3 Use of virus protection programs.
There are different concepts for data backups of an Internet PC (see also S 6.79 Protection of data on Internet PCs). In many cases, this requires an independent tool that performs the required backup automatically or semi-automatically. Often, data backup and data transport from or into the local network may be implemented by the same medium. It is important to properly administer any necessary data media.
Data may be read or manipulated when being transmitted over the Internet. In order to counteract these threats, cryptographic procedures may be used. For example, there is a host of tools that can be used to encrypt and sign emails. Moreover, there is the option of establishing secure channels to known communication partners, for example using so-called Virtual Private Networks (VPNs). Planning information on the use of cryptographic procedures can be found in module S 3.7 Crypto-concept.
Information on the Internet is not only offered in HTML format, but also as Word, Excel, PowerPoint, or PDF files, for example. If such files are to be viewed directly on the Internet PC, suitable viewer programs must be installed. These viewers should not be able to execute macro commands, if possible. In particular, no Office package should be installed on the Internet PC, if possible. However, if this is absolutely necessary, all integrated functions should be disabled in order to provide protection against macro viruses.
For all installed operating system and software components, the respectively available security-relevant patches and/or updates should be installed. These should be obtained from trustworthy sources, for example directly from the manufacturer (see also S 4.152 Secure operation of Internet PCs).
After all operating system and software components are installed, an image of this basic configuration should be backed up. This allows quick restoration of the system if the installation is rendered useless due to crashes, failed configuration changes, or manipulations (see also S 6.79 Protection of data on Internet PCs).
Surf CD
The use of a surf CD constitutes another option for securely surfing the Internet: such a CD contains all components required to start the computer from the CD itself. This way, the actual operating system of the client remains untouched, since the operating system on the CD does not access the local hard disks. Such CDs are regularly offered as complete program packages in computer magazines or on the Internet. Surf CDs typically contain only a hardened operating system and the programs absolutely necessary for using the Internet, in order to minimise potential security gaps.
Review questions:
- Have all required security aspects been implemented stringently when installing Internet PCs?
- Have all unneeded drives, interfaces, services, and programs on Internet PCs been disabled?
- Have an up-to-date virus scanner and a personal firewall been installed on all Internet PCs?