Secure and Manage Your Computer (Linux/Unix)
If you are permitted to access or maintain sensitive institutional data using your personally owned or self-managed university-owned computer, please meet the minimum expectations below. See University Data and Personally Owned Devices for a complete list of your responsibilities when accessing sensitive U-M data.
By meeting the minimum expectations below, you also protect your personal data.
Minimum Expectations for a Secure Computer
Instructions and More
Instructions for security settings and tips for protecting your Linux/Unix computer are available from various vendors:
- Require a password for access to your computer. Follow these guidelines for a strong password.
- Set your screensaver to activate after 15 or fewer minutes of inactivity, and require your password to unlock it.
- Turn on your local firewall. It is normally turned on by default. Current versions of Linux use the iptables firewall. Standard firewall practice is to deny everything and then allow only the services you require. Consult the documentation for your system to learn how to adjust the firewall rules so that only the services you require are enabled.
- Disable root login / su - and implement sudo. Using sudo allows privileged access as required, logs all such activity, and links specific actions to specific individuals. It also avoids shared root accounts, which make it harder to securely deprovision an individual's access or to contain security incidents involving compromised credentials. Many Linux distributions already disable root login and force the use of sudo. If the distribution you are using does not, install the sudo package and configure it appropriately: ensure that "su -" cannot switch to root, and consider bash, vi, and other applications that can shell out to a root shell.
- Disable / remove guest and default accounts. Best practice is not to allow guest, default, or shared accounts on the workstation. Verify that there are no suspicious accounts in the /etc/passwd file. Ubuntu has the guest account enabled by default; to disable it, edit the /etc/lightdm/lightdm.conf file and add the following line to the end of the file:
- Install the U-M VPN if you expect to use untrusted networks (such as guest wireless in a hotel or coffee shop). UMHS faculty and staff should use
- Use full disk encryption for laptops. Full disk encryption will prevent unauthorized access to the sensitive data stored there should the laptop be lost or stolen. Install a version of Linux/Unix that supports full disk encryption.
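The firewall item above says to deny everything and then allow only the services you need. The following is an added example, not part of the U-M page: it builds such a default-deny ruleset in iptables-restore format and includes a check that the loaded INPUT policy really is DROP. The port list passed to gen_ruleset is an assumption for illustration; on a workstation it is often empty.

```bash
#!/bin/bash
# Added example (not from the U-M page): a default-deny iptables ruleset for a
# workstation, in iptables-restore format, plus a check of the loaded policy.
# The allowed ports passed to gen_ruleset are an assumption; pass only the
# services you actually run (often none on a workstation).

# gen_ruleset [PORT...] : print a ruleset that drops unsolicited inbound
# traffic and allows only the listed TCP ports.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened are always needed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Discard packets that do not belong to any known connection.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep ICMP so path-MTU discovery and ping still work.
-A INPUT -p icmp -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    echo COMMIT
}

# apply_ruleset [PORT...] : load the generated rules (needs root).
# iptables-restore replaces the whole table in one step, so a typo cannot
# leave a half-applied rule set behind.
apply_ruleset() { gen_ruleset "$@" | iptables-restore; }

# check_default_deny : read "iptables -S INPUT" from stdin and succeed only
# if the chain policy is DROP. Usage: iptables -S INPUT | check_default_deny
check_default_deny() { grep -q '^-P INPUT DROP'; }
```

Review the output of `gen_ruleset` before calling `apply_ruleset`; on distributions that have moved to nftables, the iptables-nft front end accepts the same syntax.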
*U-M Health System (UMHS) faculty and staff should use the Cisco AnyConnect VPN client provided by Medical Center Information Technology (MCIT) to access Protected Health Information (PHI), Clinical Network and Applications, Schedulon, and Printing, as well as to access file servers and internal UMHS web content. For more information, installers, and instructions, see VPN - Cisco AnyConnect SSL Client in the UMHS KnowledgeBase.
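The sudo and guest/default account items above describe what to look for but not how to check it. The following is an added example, not part of the U-M page: it prints a sudoers drop-in that logs every privileged command against the invoking user, checks that root's password is locked so "su -" cannot succeed, and reviews a passwd file for extra UID 0 accounts, interactive shells, and guest/default names. The admin group name "admin" is an assumption (Debian/Ubuntu use "sudo", RHEL-family systems use "wheel"), and the sample passwd/shadow files are constructed for a dry run.

```bash
#!/bin/bash
# Added example (not from the U-M page): local account hardening helpers for
# the "disable root login / use sudo" and "remove guest and default accounts"
# items. Assumptions: the admin group is "admin"; the sample files are constructed.

# gen_sudoers GROUP : print a sudoers drop-in for /etc/sudoers.d/ that grants
# the group privileged access and records every command against the user.
gen_sudoers() {
    cat <<EOF
Defaults logfile=/var/log/sudo.log
Defaults log_year, log_host
Defaults use_pty
%$1 ALL=(ALL:ALL) ALL
EOF
}

# install_sudoers GROUP : validate with visudo, then install with the 0440
# mode sudo requires (needs root). A syntax error would lock everyone out.
install_sudoers() {
    local tmp; tmp=$(mktemp)
    gen_sudoers "$1" > "$tmp"
    visudo -c -f "$tmp" && install -m 0440 "$tmp" "/etc/sudoers.d/$1"
    rm -f "$tmp"
}

# root_locked SHADOW : succeed if root's password field is locked ("!" or "*"),
# so "su -" cannot succeed with a password. Lock it with: passwd -l root
root_locked() {
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { exit !(found && locked) }' "$1"
}

# extra_uid0 PASSWD : accounts other than root that have UID 0.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# login_capable PASSWD : accounts whose shell is not nologin/false.
login_capable() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"; }

# known_defaults PASSWD : guest/default names that should not exist on a
# managed workstation.
known_defaults() { awk -F: '$1 ~ /^(guest|test|demo|user)$/ { print $1 }' "$1"; }

# audit_accounts PASSWD SHADOW : print the findings. On a real system run:
#   audit_accounts /etc/passwd /etc/shadow   (shadow is readable only by root)
audit_accounts() {
    echo "== accounts with UID 0 other than root =="; extra_uid0 "$1"
    echo "== accounts with an interactive shell =="; login_capable "$1"
    echo "== guest/default account names =="; known_defaults "$1"
    if root_locked "$2"; then echo "root password: locked"; else echo "root password: NOT locked"; fi
}

# make_samples DIR : write constructed passwd/shadow files for a dry run.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
}
```

In the constructed sample, the audit flags "toor" (a second UID 0 account) and "guest", and reports root as locked; anything the audit lists on a real workstation deserves an explanation before it is kept.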
- Use secure networks, such as wired connections or MWireless.
- Turn on the U-M VPN if using untrusted wireless networks (such as guest wireless in a hotel or coffee shop). UMHS faculty and staff should use
- Turn off optional network connections (WiFi, Bluetooth) when you are not using them.
- Turn on automatic updating to keep your Linux/Unix operating system updated. Most Linux and Unix distributions provide a way to update the operating system automatically via the Internet. Consult the documentation for your system to learn how to perform this operation. This provides you with security updates and other improvements.
- Keep your applications updated to take advantage of security updates and other improvements. Use automatic updating where available.
- Configure audit logging (syslog) to help you reconstruct a timeline of events or system activity, which is important information for responding to security incidents or resolving system errors. Logging rules are specified in the file /etc/syslog.conf. Typically, the system stores sequential logs in files located in the /var/log directory.
- Configure NTP time synchronization, because many Internet services rely on the computer's clock being accurate. Accurate time/date stamps in logged activity also aid forensic analysis and system troubleshooting. Install the ntp package and configure ntp.conf to use the university's time servers at ntp.itd.umich.edu, or set up a cron job that uses rdate to set the clock every four hours.
- Only install trusted applications.
- Be aware that certain types of sensitive data (such as Export Control, HIPAA, and FISMA) cannot be accessed or maintained outside the U.S. See the Sensitive Data Guide for details.
- Before you sell or give away your computer, erase the hard drive securely. See Remove Data from a Hard Drive.
- Report security incidents. If you use your computer to maintain or access sensitive institutional data and it is lost or stolen, notify the ITS Service Center.
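The syslog and NTP items above explain why logs and accurate clocks matter for reconstructing what happened. The following is an added example, not part of the U-M page: it prints a syslog.conf fragment that keeps authentication events in their own file, an ntp.conf fragment that uses the university time server named on the page, and a small timeline tool that merges several /var/log files into one stream ordered by timestamp and pulls out the sudo entries that tie privileged commands to individuals. The log lines are constructed for a dry run, not captured from a real host, and the timeline assumes the traditional "Mon DD HH:MM:SS host prog: msg" format within a single year.

```bash
#!/bin/bash
# Added example (not from the U-M page): logging and time-sync helpers for the
# syslog and NTP items. Config fragments use the traditional syslog.conf and
# ntp.conf syntax; the sample log lines are constructed.

# syslog_conf_fragment : rules for /etc/syslog.conf that keep authentication
# events in their own file and send everything else to syslog.
syslog_conf_fragment() {
    cat <<'EOF'
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
EOF
}

# ntp_conf_fragment : /etc/ntp.conf using the university time server; the
# restrict lines stop remote hosts from querying or modifying ntpd.
ntp_conf_fragment() {
    cat <<'EOF'
server ntp.itd.umich.edu iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
}

# timeline FILE... : merge syslog-format files ("Mon DD HH:MM:SS host prog: msg")
# into one stream ordered by timestamp, assuming all lines fall in one year.
# A sort key MMDDHH:MM:SS is prepended, sorted on, and stripped again.
timeline() {
    cat "$@" | awk '
        BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) mn[m[i]] = sprintf("%02d", i) }
        $1 in mn { printf "%s%02d%s\t%s\n", mn[$1], $2, $3, $0 }' \
    | sort -s -k1,1 | cut -f2-
}

# sudo_events FILE... : privileged commands, each tied to the invoking user.
sudo_events() { cat "$@" | grep ' sudo: '; }

# make_sample_logs DIR : constructed auth.log and syslog for a dry run; note
# that neither file alone is in overall time order.
make_sample_logs() {
    cat > "$1/auth.log" <<'EOF'
Mar  3 09:15:02 ws1 sshd[1402]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar  3 09:20:44 ws1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
    cat > "$1/syslog" <<'EOF'
Mar  3 09:14:58 ws1 kernel: [  120.330000] usb 1-1: new high-speed USB device number 3
Mar  3 09:18:10 ws1 ntpd[801]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
EOF
}
```

On a real system, `timeline /var/log/auth.log /var/log/syslog` gives the merged view; the constructed ntpd line shows the kind of message that means the timestamps around it cannot be trusted until time sync is fixed.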
Additional Best Practices
Consider these additional options for enhanced security for your computer and the data maintained on or accessed from it.
Related U-M Policies and Standards