S 4.252 Secure configuration of training computers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

In order to avoid security problems and the undesired use of training computers, minimum configuration of the computers and restrictive granting of rights (see S 2.63 Establishing access rights and S 4.135 Restrictive granting of access rights to system files) are required. Recommendations regarding the configuration of training computers can be found in safeguard S 4.95 Minimal operating system.

Before using training computers, it should be defined which applications and communication interfaces are to be used within the framework of the respective training measure. By defining a default configuration for the training computers (see S 2.69 Establishing standard workstations), the installation efforts can be minimised and a minimum level of security can be guaranteed for the training computers. Before every training measure, it must be checked whether the configuration of the computers is suitable for the training measure. In order to be able to dispense with tedious tests, it makes sense to newly install training computers using correspondingly prepared packets before each use (see S 4.109 Software reinstallation on workstations).

It should not be possible to copy any information such as training or test documents from training computers in an uncontrolled manner or to install additional files or programs (e.g. crib sheets for tests). Therefore, restrictive access rights should be granted to the users of these computers on the one hand, and data should be prevented from being copied to external media on the other hand (see also S 4.4 Handling of drives for removable media and external data storage).

Furthermore, it must be considered whether and to which extent it is necessary to perform data backups, for example if exercises or test results are to be backed up.

Additional security programs should be installed on the training computers, unless these are already part of the operating system. This particularly applies to a program for checking the integrity (see S 4.93 Regular integrity checking) and a software packet filter. Additionally, programs for finding viruses and for evaluating the log entries are recommendable.

Review questions:

• Are a minimum configuration and a restrictive granting of rights implemented for training computers?
• Is it defined which applications and communication interfaces are to be used during the respective training measure?
• Are restrictive access rights granted to users on training computers and is data prevented from being copied to external media?