S 4.152 Secure operation of Internet PCs

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

To ensure secure use of Internet PCs, safeguards for maintenance and support of the systems must be implemented. Otherwise there is a danger, for example, of security gaps arising due to configuration changes or of vulnerabilities in the software being taken advantage of by attackers from with the specifications with the specifications within or outside the organisation. Therefore, when operating an Internet PC, the following precautions should be taken:

• Installation of patches and updates to eliminate security-related vulnerabilities
  
  Often, errors are discovered in software products that can jeopardise the security of the IT systems on which these products are installed. To prevent their abuse by internal or external attackers, these software vulnerabilities must be eliminated as quickly as possible. The manufacturers of operating system and software components usually make patches or updates available that must be installed on the relevant IT system to eliminate the error(s).
  
  The administrators of the Internet PC should therefore regularly check for newly discovered software vulnerabilities and install the relevant patches or updates released (see also S 2.35 Obtaining information on security weaknesses of the system). It is important that patches and updates - like all software - are obtained only from trusted sources; if possible, directly from the manufacturer or provider. They should also be checked using a computer anti-virus program before installation.
• Regular checking and monitoring of the Internet PC
  
  The installation and configuration of an Internet PC is usually not static, but changes with usage. Users can, for example, create bookmarks for visited web pages, save e-mails or downloaded files and associate file types with file viewers. Many programs also make significant changes to the configuration. Furthermore, attempted or successful attacks can cause changes in the installation or configuration of the Internet PC.
  
  Administrators must therefore regularly check whether the installation and configuration of the Internet PC corresponds with the specifications. The following should, for example, be checked:
  • whether the hardware configuration of the Internet PC has been changed,
  • whether software components have been added or removed,
  • whether BIOS, operating system or program settings have been changed without authorisation,
  • whether there is any indication that locally saved data does not meet the criteria defined in the guidelines, for example by checking the paths and file names.
  
  In addition, the available log functions, such as the Events Log in Windows NT, syslog in Linux, and the History in the Internet Explorer should be analysed periodically. These logs can provide evidence of attacks, and misuse of the Internet PC, such as accessing forbidden web pages. However, it must be taken into consideration that some of these logs can be easily manipulated.
  
  Few people deliberately break security regulations in public. To make misuse even harder, the Internet PC can be located in a public place, such as a library.
  
  In checking or monitoring the Internet PC, the data privacy protection and co-determination laws and regulations must be observed. All safeguards should therefore be agreed in advance with the Personnel Board and the Data Protection Officer.
• Regular reinstallation of the system
  
  Another possibility of preventing unwanted changes to the installation or configuration of the Internet PC is to regularly reinstall the system. Reinstallations also prevent system crashes caused by corrupted or unstable installations. The intervals between reinstallations must be specified in each case depending on the integrity requirements for the Internet PC.
  
  If reinstallations are to be carried out at short intervals, it is advisable to create an image of the system which can then be reinstalled as a whole. Otherwise, reinstalling each software component and configuration parameter of the system separately each time can be time-consuming.
  
  The procedure for carrying out reinstallations must always be coordinated with the data backup concept for the Internet PC (see S 6.79 Protection of data on Internet PCs). Otherwise, there is a danger that data is permanently lost when the system is reinstalled.

Review questions:

• Are new updates and patches installed regularly on Internet PCs and are these obtained only from trusted sources?
• Are regular checks performed to ensure that the installation and configuration of Internet PCs corresponds with the specifications?
• Are the data privacy protection and co-determination laws and regulations observed in checking or monitoring the Internet PC?