How to Secure a Stand-Alone Computer
A stand-alone computer is one that is in no way connected to another computer or networked device, such as a switch, hub, or router (with the possible exception of a printer), or to the Internet or a local area network (LAN). The stand-alone computer can be running Windows 2000/XP client or server, Linux, or Mac OS X. Because the stand-alone computer is not connected to the Internet or a local or wide area network, the emphasis for securing the data is placed on physical security of the computer and controlling access to the data.
Here are the minimum steps you should take to secure your sensitive data on your stand-alone computer:
Physical Security of a Stand-Alone Computer
- Configure the BIOS to boot the computer from the hard drive only. Do not allow the stand-alone computer to be booted from the diskette or CD-ROM drive.
- Password protect the BIOS so changes cannot be made to the BIOS without authorization.
- Secure the computer on which your sensitive data resides in a locked room, or secure the computer to a table with a lock and cable. Lock the case as well so the battery cannot be disconnected, which would disable the BIOS password.
- Remove or disable the network interface card (NIC) so it cannot be used.
Controlling Access to the Data
- Restrict access to your sensitive data to project personnel using the security features available via the operating system (e.g., login via userid/password and NTFS permissions in Windows, ACLs in Linux and OS X).
- Require strong passwords.
  - You can run L0phtcrack or other password "recovery" systems to look for bad passwords.
  - You can use Administrative Tools, Local Security Policy to enable password complexity (Windows 2000, Windows XP).
  - Note vulnerabilities for accounts with no passwords or weak passwords.
- Password protect the screen saver and set it to activate after three minutes of inactivity.
- Enable encryption for directories containing secure data. Windows Encrypting File System (EFS: available in Windows XP, 2000 and 7) is built into the OS and works well. Additional encryption software applications can be found here. TrueCrypt is also a good free encryption program that allows you to encrypt entire drives or simply create an encrypted volume for your sensitive data.
- Configure your analysis software to point temporary work files to the encrypted sensitive data directory.
- Install and periodically run a secure erasure program. This program should be run monthly and after the secure data has been removed from the computer at the end of the contract period. (Shred 2 is inexpensive and works well.)
- Do not copy or move the sensitive data out of the secured directory for any reason.
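
Several items above can be spot-checked on a Linux stand-alone machine: access to the secured directory, the location of temporary work files, and the absence of a network interface. The script below is an added example, not part of the original guidance; its function names are hypothetical, it assumes interfaces are listed under /sys/class/net, and it inspects permission bits only, not ACLs.

```shell
#!/bin/sh
# Added example: audit helpers for a stand-alone Linux machine.
# Function names are hypothetical; all paths are supplied by the caller.

# Print every entry under DIR that grants any permission to "other" users.
# Checks mode bits only; ACL entries need a separate review (e.g. getfacl).
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Succeed only if TMP resolves to SECURED itself or a directory inside it,
# so analysis software does not spill work files outside the secured tree.
tmp_inside_secured() {
    secured=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    tmp=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$tmp/" in
        "$secured"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name of every interface other than loopback.
# Assumes the Linux sysfs layout; NETDIR defaults to /sys/class/net.
extra_interfaces() {
    netdir=${1:-/sys/class/net}
    for iface in "$netdir"/*; do
        [ -e "$iface" ] || continue
        name=${iface##*/}
        [ "$name" = "lo" ] || echo "$name"
    done
    return 0
}

# Run all three checks; the return value is the number of failed checks.
# Usage: audit_standalone SECURED_DIR TMP_DIR [NETDIR]
audit_standalone() {
    findings=0
    exposed=$(world_accessible "$1")
    if [ -n "$exposed" ]; then
        echo "FAIL: accessible to all users:"; echo "$exposed"
        findings=$((findings + 1))
    fi
    tmp_inside_secured "$1" "$2" ||
        { echo "FAIL: temp directory $2 is outside $1"; findings=$((findings + 1)); }
    nics=$(extra_interfaces "$3")
    [ -z "$nics" ] ||
        { echo "FAIL: network interfaces present: $nics"; findings=$((findings + 1)); }
    return "$findings"
}
```

Run it as an administrator, for example `audit_standalone /path/to/secured /path/to/secured/tmp`, where both paths are placeholders for your own directories.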


