Privacy and IT security for personal computers
Please use the offered HZB services. The use of Dropbox, Gmail, or other cloud services can lead to loss or disclosure of your data and may violate your contractual obligations. For appointments with external participants, please use the DFN scheduler from our network provider DFN.
Knowledge of the possible hazards and their prevention is the best protection.
For general information on IT security, see e.g. the Security Pages of CERN. Please take the time to read through everything there: the problems and their solutions are not very different from those at HZB. You will also benefit from this knowledge privately.
PC users may also read the CERN recommendations for working well with the PC.
The PCs on the HZB network can be used by anyone with a valid HZB ID. They are also a worthwhile target for spying with the help of malicious software (Trojans). On Windows PCs, files and settings are stored locally on the PC; on Linux PCs, they are stored on central servers at FM-D in the home directory of the user.
To keep the files confidential, they must be protected against unwanted access. Please remember that files stored outside the HZB network can be accessed by a third party without your consent! The following sections describe the methods of protection and their use on Windows or Linux / Unix / MacOS systems at HZB.
How to enhance security on your PC
All systems
- Use the services of the HZB.
- Use only the latest software versions. Install security updates yourself if that does not happen automatically.
- Use a web browser add-on to block scripts, such as NoScript for Firefox (see the video about it). This also prevents advertising.
- Avoid clicking links in e-mails. You might reveal more than you'd like.
- Do not open e-mail attachments or links in unsolicited e-mails. Do not open or run these files even after you have saved them.
- Use webmail for suspicious messages, and do not open any links there either.
- Never resend suspicious attachments or e-mails to anyone. Not even to us!
- Please do not panic. Despite the many attempts, dangerous e-mails are rare relative to the usual spam.
- Do not use cloud services like Dropbox, Google etc. for file storage.
Windows
- Keep your programs current with the Windows Update system.
- Avoid local shares. Use the group directories, the network clipboard or iFolder on the central servers. Check the access rights there as well!
- Put your files locally on the PC only in My Documents. This directory is set up with a centralized policy (a rule in the Active Directory) on the D drive.
- Check the rights to this directory in Windows Explorer: right-click the folder, select Properties, then select the Security tab. The rights are inherited by all files in that directory. By default, access is prohibited for everyone except the owner.
- Check the permissions of files in the shares with Windows Explorer and correct them if necessary.
Linux / Unix
- Write umask 022 into the shell initialization file .cshrc. This sets the access permissions for new files and directories to "reading for all, writing only for the owner".
- Create a directory that will contain confidential information with mkdir directory name.
- Change the permissions on this directory with chmod 700 directory name. Result: access forbidden, except for the owner.
- Save confidential files only in this secured directory.
- Check with ls -la that your files and directories have the correct rights.
- Please do not set the rights in your home directory too restrictively, since many applications must at least be able to read files. There are no such restrictions for subdirectories.
- For the handling of e-mail attachments in unsolicited mails, please also read the instructions for Windows systems, even if the risk is much lower here.
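The Linux / Unix steps above as a small POSIX sh script, together with a check that the result matches the intent. This is an added example, not part of the original HZB page; the function names are assumptions chosen for illustration, and it is written for sh/bash rather than the csh implied by .cshrc (umask 022 has the same meaning in both).

```shell
#!/bin/sh
# Added example, not HZB tooling. Function names are hypothetical.

# The page's default: new files readable by all, writable only by the owner.
umask 022

# Create a directory for confidential files that only the owner can use
# (the page's "mkdir" followed by "chmod 700").
make_private_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Succeed only if the directory grants no permission bit at all to group
# or others. Each -perm -NNN test is true when that single bit is set;
# -prune keeps find from descending, so only the directory itself is tested.
is_private_dir() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -prune \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Print every entry below a directory that group or others may write to,
# i.e. anything looser than umask 022 would have produced. Symbolic links
# are skipped because their own mode bits carry no meaning.
list_writable_by_others() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Report on one confidential directory and on the tree it lives in.
# Returns 0 when nothing needs fixing, 1 otherwise.
audit_perms() {
    private_dir=$1
    tree=$2
    status=0
    if ! is_private_dir "$private_dir"; then
        echo "NOT PRIVATE: $private_dir (fix with: chmod 700)"
        status=1
    fi
    loose=$(list_writable_by_others "$tree")
    if [ -n "$loose" ]; then
        echo "Writable by group or others:"
        echo "$loose"
        status=1
    fi
    return "$status"
}
```

Run audit_perms with the confidential directory and your home directory as arguments; a non-zero return value means at least one entry needs its rights corrected.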
Stricter measures for access control
If the files are very confidential, you can use encryption techniques. On Windows, you can store encrypted files and folders in the file system with the following procedure:
- Right-click on the file or folder
- Select Properties under General, then select Advanced
- Select Encrypt contents to secure them
- Finish with OK
If you want to share files or folders in a secure manner, you should use archiving programs with encryption options such as WinZip (Power Tip: encryption). WinZip is available through SMS for Windows.
PGP is somewhat more complex. A popular implementation is GPG, e.g. kgpg in the KDE version of Linux or gpg4win for Windows. The gpg4win documentation "gpg4win für Durchblicker" is very useful (sorry, in German only).
More information
You may find more information in detail at the page Privacy and IT security with PCs: Background