Security Considerations
Goals
Never log in as Administrator
Logging in as a privileged user is always a risk. I know you have the best intentions, and plan to use the access responsibly, but accidents will happen. It only takes one careless mouse click or keystroke to disable key services or data. When you log in as a privileged user, you will get no warnings that the action you are about to take would need extra permissions.
Windows has a facility to escalate a regular user's access at run time. Any program that attempts to modify system settings or access protected files will prompt you to enter the admin password while you are still logged in as yourself.
Never grant Administrator access to a user
You may get frustrated having to type the administrator password often to accomplish tasks. This is not a reason to grant yourself administrative permissions. It is a sign that either you shouldn't be performing this task so often, or that the permissions or rights need to be adjusted to meet the needs of your use case.
Administrator Password
The Administrator password will be documented in the Secure Binder. The original password was chosen to be memorable, easy to communicate verbally, and a nice daily affirmation of our goals for the lab. If you should need to change the password, please keep those goals in mind. Standard complexity requirements such as special characters and numbers that you might be accustomed to in the outside world are not valuable in this context.
- Never write down the password
- Never share the password with a student
7-char Administrator password
Some tools or applications will not accept a long passphrase such as the administrator password. One notable example of this is the BIOS password. The 7-char version of the password is short enough to be accepted by this sort of tool. It is literally the first 7 characters of the admin password.
Secure foreseeable entry points
There is an entire industry dedicated to hardening computer systems. Vulnerabilities exist in all software. Since our system is isolated from the rest of the world, and even from other computers on the local LAN, we are not at great risk from the kind of attacks most people have to worry about.
We can do some things:
- Stay current on operating system updates
- Exercise a virus scanner
- Specify reasonable group policies
- Set passwords for the BIOS and iLO
Prevent users from changing passwords
The prison administration has asked to have the passwords for all accounts.
Preclude opportunities to hide data
We don't want to offer any features that enable a user to hide data, such as encryption or covert messaging.