How to Secure a Computer Connected to a Private Network

A private network consists of two or more computers and/or network devices (e.g., printer, switch, hub, router) that are not connected in any way to the Internet or a LAN (i.e., a Cold Room or Secure Data Facility). The data will reside on a computer acting as a server. Because the computers are not connected to the Internet or to a local or wide area network, the emphasis in securing the data on a private network is on the physical security of the computers and on controlling access to the data.

Here are the minimum steps you should take to secure your sensitive data on a server on a private network:

Physical Security of a Computer on a Private Network

  1. Configure the BIOS to boot the computer from the hard drive only. Do not allow the computer to be booted from the diskette or CD-ROM drive.
  2. Password protect the BIOS so changes cannot be made to the BIOS without authorization.
  3. Secure the computer on which your sensitive data resides in a locked room, or secure the computer to a table with a lock and cable (locking the case so the battery cannot be disconnected, which would disable the BIOS password).

Controlling Access to the Data

  1. Restrict access to your sensitive data to project personnel using the security features available via the operating system (e.g., login via userid/password and NTFS permissions in Windows NT/2000, ACLs in Linux and OS X).
  2. Require strong passwords.
  3. Password protect the screen saver and set it to activate after three minutes of inactivity.
  4. Install encryption software for directories containing secure data. Windows 2000 encryption is free and works well. Additional encryption software applications can be found here.
  5. Configure your analysis software to point temporary work files to the encrypted sensitive data directory.
  6. Install and periodically run a secure erasure program. This program should be run monthly and after the secure data has been removed from the computer at the end of the contract period. (Shred 2 is inexpensive and works well.)
  7. Do not copy or move your sensitive data out of the secured directory for any reason.
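
An added example, not part of the original page: a Python check for Linux or OS X that audits steps 1 and 5 above by flagging anything in the secured directory that group or other accounts can reach, and a temporary directory that lies outside it. It assumes a single owning account and reads POSIX mode bits only, not ACLs; the function name `audit_secure_dir` and the sample paths are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_secure_dir(secure_dir, tmp_dir=None):
    """Return findings for a sensitive-data directory (POSIX mode bits only)."""
    root = Path(secure_dir).resolve()
    findings = []
    # os.walk does not descend into symlinked directories, so the scan stays inside root.
    paths = [root] + [Path(d, n) for d, ds, fs in os.walk(root) for n in ds + fs]
    for path in paths:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # A link resolving outside the directory would send writes to unprotected storage.
            if not path.resolve().is_relative_to(root):
                findings.append(f"symlink leaves secure dir: {path}")
            continue
        # Step 1: only the owning account should have any access bits set (assumption).
        loose = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if loose:
            findings.append(f"group/other access ({oct(loose)}): {path}")
    # Step 5: temporary work files must land inside the encrypted directory.
    tmp = Path(tmp_dir or tempfile.gettempdir()).resolve()
    if not tmp.is_relative_to(root):
        findings.append(f"temp dir outside secure dir: {tmp}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one file left group/world-readable, default temp dir.
    with tempfile.TemporaryDirectory() as base:
        secure = Path(base, "secure")
        secure.mkdir(mode=0o700)
        leaked = secure / "survey.csv"
        leaked.write_text("id,value\n")
        os.chmod(leaked, 0o644)
        for finding in audit_secure_dir(secure):
            print(finding)
```

When `tmp_dir` is omitted the check uses the temporary directory Python itself would pick, so pass the directory your analysis software is actually configured to use.
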
Form to describe your security plan