Dear Biology Computing Users,

Please take a moment to read through this entire message.  I realize it is quite lengthy, but it contains several important new policies to improve the security of the Biology Network, and requires all users (faculty, staff, students) to ensure that their machines are in compliance with these new policies. 

If a machine is found to be out of compliance with ANY of these policies, it will be removed from the network and will not be reconnected until it is brought back into compliance. 

If you should have any questions, please feel free to contact me via e-mail or by telephone.

Thanks in advance for your cooperation,
Frank Kachurak
Biology Network Manager

*************************************************************

NOTE THAT THESE POLICIES APPLY TO ALL COMPUTERS WITHIN THE DEPARTMENT INCLUDING, BUT NOT LIMITED TO, DESKTOPS, LAPTOPS AND COMPUTERS CONNECTED TO RESEARCH EQUIPMENT, WHETHER THEY ARE UNIVERSITY OWNED OR PERSONALLY OWNED.

*** Every Windows and Macintosh machine -- whether a laptop or a desktop, a standalone workstation or a computer connected to a piece of research machinery -- MUST have an antivirus product installed that performs real-time scanning and automatically checks for and downloads updated virus pattern updates at least once per day.  ***

The University has purchased a site license for Norton Antivirus which allows anyone in the University to download and install Norton Anti-Virus at no charge. 

Macintosh users may download Norton Anti-Virus directly from ITS by visiting http://www.pac-its.psu.edu/mac/virus/index.htm.  There are also instructions here on how to enable LiveUpdate, the utility to automatically update the Anti-Virus definitions.

Windows users may download Norton Anti-Virus directly from ITS by visiting http://www.pac-its.psu.edu/windows/antivirs/index.htm.  The website also contains step-by-step instructions describing the process to enable LiveUpdate, the utility to automatically update the Anti-Virus definitions.  Alternately, Windows desktop users may visit http://intranet.bio.psu.edu/support/virussoft/ (only available from within the Biology Department) to download a customized installation package for desktops which will automatically install Anti-Virus software and connect their machines to our internal Symantec server, eliminating the need to run LiveUpdate.  (Note that this DOES NOT work for laptops; laptops should have the full Norton Anti-Virus package from ITS as listed above.)

Alternate virus detection products include AVG Antivirus http://www.grisoft.com/us/us_index.php and ClamWin Antivirus http://www.clamwin.com/.  Both are available free of charge.

*** All machines must be patched with the latest security updates. ***

Applying security updates "plugs holes" in the operating systems of machines which allow hackers and viruses to enter without ANY user intervention.  Security updates must be applied within one week of their release.  Failure to install these updates will cause the removal of the machine from the network until the updates are manually downloaded and installed. Furthermore, if a machine is compromised (hacked into) because of failure to install a security patch, the machine will be removed from the network permanently and will not be allowed to reconnect until all hard drives are formatted/erased clean and the operating system is reinstalled and patched from scratch.

For Windows machines, the easiest way to ensure your machines are up to date is to run WindowsUpdate AT LEAST EVERY WEEK.  This can be done by opening Internet Explorer and visiting http://windowsupdate.microsoft.com.  (Note that you must use Internet Explorer for this process; other browsers will not work correctly.)  Follow the instructions to scan for and install the CRITICAL UPDATES.  It is not necessary to install the Windows and driver updates, just the critical updates.  Note that you may need to run WindowsUpdate more than once to download and install all critical updates available.  For this reason, when updates have been installed and the computer has been restarted, users should immeditely re-visit the WindowsUpdate site to verify that there aren't any additional Windows Updates to install.  The process is completed when you receive the message that states, "There are no critical updates to install at this time."    To learn more about the WindowsUpdate process, you may visit http://www.microsoft.com/windows/downloads/default.mspx.

Alternately, Windows users may set up their machines to automatically scan for, download, and install Windows Updates.  More information about this process is available by visiting http://support.microsoft.com/default.aspx?scid=kb;en-us;327838.

Macintosh machines may be updated by running the "Software Update" utility from within Preferences (MacOS X) or the Control Panels (MacOS 9).  All updates that appear in the Software Update control panel are considered critical and should be installed.  When the machine finishes installing updates and restarts, re-run the Software Update control panel to ensure that all updates have been installed. (Many updates require additional updates once they have been installed.)  Your computer is up to date when you receive the message "No new software updates are available."  You should run this update process at least once a week. 

Alternately, Macintosh users may set up their machines to scan for, download, and install Macintosh Software Updates automatically.  More information about this process is available by visiting http://docs.info.apple.com/article.html?artnum=106704.

Linux and Unix users must consult with the vendor of their distribution to determine when updates are released and how to install the updates. 

*** Every machine on the network must have passwords assigned for all accounts ( ref. Penn State Policy AG-01). ***

The easiest way to compromise a machine is to log in to an account without a password or with a weak password.  We've found countless machines that HAVE NO ADMINISTRATOR PASSWORD installed!

If a machine is compromised (hacked into) because of a weak or non-existent password, the machine will be removed from the network permanently and will not be allowed to reconnect until all hard drives are formatted/erased clean and the operating system is reinstalled and patched from scratch.

Guidelines for creating secure passwords are as follows (thanks to ITS for providing these guidelines):

1.) Above all, do not use a word or reversal of a word in the dictionary or proper noun! (such as "apple" or "elppa")

2.) Putting a number at the beginning or end of a word in the dictionary does not make it harder to guess! (such as "cereal1" or "8fruit") Numbers, in general, make a password easier to guess.

3.) Don't use your name, or a form of your name (such as "johnson", "nosnhoj", "davidb" or "bdivad")

4.) Don't use famous names (such as Thoreau, Phillies, or Kennedy)

5.) Similarly, any password which is derived from your name, department, phone, social security number, or other personal information is unsuitable because it can be easily guessed. (Much of this information is also kept online by University records.)

6.) Technically good passwords contain purely random characters, but these are very hard to remember. Try using the first letters of the words to a song or poem. (Just don't sing it every time you sit down and type your password) Try taking a word and intentionally misspelling it, and using mixed case. (Such as "KadiLak")

*** Closing thoughts ***

Again, I want to thank you for reading through this e-mail and for your anticipated cooperation.  With your help, we can ensure that our Departmental computing resources remain safe for all users.

If you should have any questions, please feel free to contact me via e-mail or by telephone.

Respectfully,
Frank Kachurak
Biology Network Manager