Security Guidelines and Best Practices

Size: px

Start display at page:

Download "Security Guidelines and Best Practices"

Brice Blair
5 years ago
Views:

1 Security Guidelines and Best Practices For your Avid Solution (Last updated 01/16/09) What s New? 1. Added statement in the Antivirus Software section of support for Symantec Endpoint. (01/16/09) 2. Added statement in the Antivirus Software section of non-support for Symantec Endpoint. (01/24/08) 3. New support statement in the Antivirus Software section. (01/10/08) Contents Document Change History General Security Best Practices 1. Install Antivirus Software 2. Install Windows Service Packs and Security Bulletins 3. Disable Automatic Software Updates 4. Install Firewalls 5. Physical Security 6. File Access 7. Write Permissions 8. Isolate Avid Equipment 9. User Password Security 10. Restrict Internet Access 11. Design Your Network with Security in Mind 12. Secure Remote Access 13. Do Not Allow File Sharing Applications on an Avid System 14. Do Not Run Clients on your Avid System 15. Do Not Allow Unsecured Instant Messenger Clients on your Avid System 16. Use Only Licensed Software 17. Develop a Backup Strategy Recovery: what to do if a virus infects you Appendices 1. Suggestions for Setup and Configuration of Antivirus Software 2. Institution of Policies 3. Disabling DCOM on the Windows NT File Manager 4. Information about Viruses 5. Microsoft Security Bulletin Evaluation Archive Bibliography Document Change History 1. Added statement in the Antivirus Software section of support for Symantec Endpoint. (01/16/09) 2. Added statement in the Antivirus Software section of non-support for Symantec Endpoint. (01/24/08) 3. New support statement in the Antivirus Software section. (01/10/08) 4. Updated qualified versions for both Symantec and TrendMicro in the Antivirus Software support statement. (02/24/06)

2 Page 2 of 8 5. Added qualified version to TrendMicro Antivirus Software support statement. (10/19/05) 6. Added qualified version to Symantec Antivirus Software support statement. (10/13/05) 7. All Security Bulletin information has been broken out into the Microsoft Service Pack and Security Bulletin Support Addendum document. (01/13/05) 8. Support announced for December security bulletin MS (01/07/05) 9. Microsoft announces four more security bulletins for December. (12/15/04) 10. Microsoft announces a new security bulletin for December. (12/02/04) 11. Microsoft announces (and re-releases) a new security bulletin for November. (11/10/04) 12. Significantly expanded content links, and added restricted What s New section covering current two months which supplements the Document Change History and keeps the newest information visible at the top of the document. (11/10/04) 13. Support announced for Microsoft s October bulletins. (10/22/04) 14. Informational note on Windows XP Service Pack 2. (10/14/04) 15. Microsoft announces 10 new and one re-released security bulletins for October. (10/14/04) 16. Support for MS announced. (9/23/04) 17. Windows critical security bulletin, MS04-028, is under test. (09/17/04) 18. Windows XP SP2 support deferred until the next editor release in Q4. (09/17/04) 19. Testing of Windows XP SP2 is underway, and should be completed within a week. (08/11/04) 20. Support for MS (as well as MS04-019, 020 and 024) announced. (08/11/04) 21. Microsoft announces release of MS and re-release of MS (08/11/04) 22. Microsoft announces a new critical security update for Internet Explorer, MS (08/02/04) 23. Support for the two critical July bulletins announced. (07/21/04) 24. Updated service pack support information for Avid Broadcast / inews products. (07/19/04) 25. Microsoft announces new Security Bulletins for July. (07/19/04) 26. Support for June bulletin MS announced. (07/19/04) 27. Microsoft announces new Security Bulletins for June. (06/10/04) 28. Updated directives regarding May Security Bulletins. (05/14/02) 29. Microsoft announces new Security Bulletins for May: no change for Avid products. (05/12/04) 30. Expanded information regarding Microsoft s security bulletins (05/12/04) 31. Support for Microsoft critical security bulletins for April announced. (05/03/04) 32. Fixed erroneous statement regarding SQL Service Pack support. (03/30/04) 33. Enhanced information and links in the Microsoft Security Patches section. (03/26/04) 34. Support for Microsoft SQL SP4 on the Avid Unity MediaManager announced. (03/03/04) 35. Support for Microsoft critical security bulletins MS and MS announced. (02/25/04) 36. A Microsoft-supplied solution for issues around Windows security bulleting MS (KB824141). (02/25/04) 37. Support for Windows 2000 SP4 in the Avid Unity File Manager (MediaNetwork v. 3.4 and later). (02/25/04) 38. Announcement of support for Trend Micro s antivirus software ServerProtect and OfficeScan. (01/09/04)

3 Page 3 of 8 General Security Today s networking and computing environments continue to grow in complexity. Security is an everincreasing concern. Whether you have a few computers attached to your network or a large enterprise network, it is important to follow some basic guidelines to protect your infrastructure. Work with your Information Technology (IT) department to develop a sound security plan. Security is an investment. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements. The next section lists a series of Best Practices that might be helpful in developing your Security Plans and Policies. This information generally applies to Windows-based systems. For Macintosh client information, see Best Practices 1. Install Anti-virus Software Using anti-virus software to protect your site and to thwart potential viruses is extremely important. Avid recognizes this and has qualified the anti-virus solutions listed below. However, please be aware that even with anti-virus software installed, you may still be susceptible to viruses. It is important to keep up to date with the latest virus definitions. We recommend that you have a properly trained IT administrator install and configure the Anti-virus software, so that you do not have performance problems. Avid Supports the following antivirus solutions Symantec Endpoint Antivirus Corporate Edition, v. 11 Symantec (Norton) Antivirus Corporate Edition, v. 9.0 and v and higher NOTE: Scheduling updates during off-hours is advisable. Critical operations could be interrupted if an Automatic update were to occur (e.g.- digitize, digital cut, send to playback). Also, you can consult with an Avid Certified Support Representative (ACSR) for assistance. See the Suggestions for Setup and Configuration of Anti-Virus Software in Appendix 1 and Information about Viruses in Appendix 4 for more information. 2. Install Windows Security Patches and Service Packs To download patches, follow the links below. These links will bring you to the individual pages for each security patch on Our strategy is to test all Windows Service Packs and security bulletins (sometimes incorrectly referred to as hot fixes ). It is Avid s goal to protect our customers infrastructures from the resource-draining effects of an enterprise-wide virus attack. NOTE: Avid is dependent on Microsoft s timely distribution of service packs and security patches; we must test our solutions before claiming support for each service pack or patch. Sometimes code changes are required in this process. Please see the Microsoft Service Pack and Security Bulletin Support Addendum document for all details pertaining to Microsoft service packs and security bulletins. 3. Disable Automatic Software Update Avid cannot guarantee the compatibility of automatic updates of Mac OS X or Windows XP, or any updates to system software components. For this reason, you should:

4 Page 4 of 8 (Macintosh) 1. Select System Preferences > Software Update. 2. Deselect Automatically check for updates when you have a network connection. (Windows) 1. Select Control Panel > Performance and Maintenance > System 2. Click the Automatic Updates tab. 3. Deselect Keep my computer up to date. 4. Install Firewalls There are many commercially available hardware- and software-based firewall packages. You need to evaluate them based on risk and cost. Consult with your local IT department or seek outside professional networking/security expertise. A firewall is simply a barrier created to protect your computer system from attacks. It is either a program or hardware device that filters the information coming from the Internet, and if the incoming information is flagged by the firewall, then it is not allowed through. Depending on how a firewall is configured, it can be used to block access to specific sites on the Internet and can block specific external traffic coming in from the Internet. It also can be used to log and lock down source and destination ports, so that tracking can be done on anything inappropriate coming in or going out. Windows XP has its own built-in firewall, but if you don t want to use it, you can purchase firewall software such as Norton Firewall or Zone Alarm. NOTE: We do not recommend running software-based firewalls on the CLIENTS. This could adversely affect performance. Typically, Avid systems are isolated from the rest of the network, but have uplink to the outside world via a corporate backbone. This is where the firewall can be most effective on an enterprise network level. 5. Physical Security Use keyboard/screen lock passwords to disable unauthorized access to your workstation, or log out completely. When you leave your work area at the end of the workday: If you work in an office that can be locked, and where local health and safety regulations allow, lock the office. If you don t work in an office and if you use a portable ( laptop ) computer, lock it in a desk or filing cabinet, or take the computer with you. Servers with critical data should be locked in a secure IT closet or Datacomm room. 6. File Access NEVER share a folder or drive to Everyone with full-access. 7. Write Permissions Do not store files with a.exe extension in directories with write permissions. 8. Isolate Avid Equipment If possible, keep all Avid Broadcast equipment on a separate network that is isolated from other machines in the facility. 9. User Password Security Passwords are the primary key to computer and application access security. The password uniquely identifies you, and allows you access to information and computer services. You might want to require personnel to keep passwords secret and not share them with anyone else. Prohibit the use of any methods or

5 Page 5 of 8 attempts to learn the password of another user. The following are some password recommendations: At least 8 characters in length Contain at least an alphabetic or other non-numeric character in the first and last position. Does not contain your name or ID as part of the password. Change at least once every six months. ALWAYS assign a local Administrator password on every machine. Not assigning a local Administrator password can introduce a serious security risk. Default passwords should never be used When changing your password, you must select a new password, i.e., do not change the password to one that you used in the past Do not use any part of your name, maiden name, children s names, pet s names, address, telephone numbers, or social security number. Disable the guest account in Windows. Use encryption and authentication. 10. Restrict Internet Access Disallow Internet access on any Avid Broadcast machines that do not require it. 11. Design Your Network with Security in Mind You may elect to deploy routers, use multiple subnets and virtual LANs (VLANs) to improve your security. Avid recommends you keep your Avid systems on the same subnet and VLAN. Consult with your IT department or seek outside professional networking/security expertise. Discuss your network topology with your Avid Client Service Representative (ACSR) as well. 12. Secure Remote Access Make sure there is strict control on all Remote Access Connections. Only allow properly secured connections to access your network. Do NOT allow ANONYMOUS FTP, TFTP, or other unauthenticated access to program or data files on your workstations. 13. Do Not Allow File Sharing Applications on an Avid System For example, Kazaa or Napster. Programs of this type might allow outside access to your secure data. 14. Do Not Run Clients on your Avid System For example, Outlook or Eudora client. Avid recommends you only run Avid applications on your Avid editing clients and productivity servers. Use another computer to view and read . Many viruses are communicated via attachments. You might want to block certain file types as attachments. The best advice is to never even open (read) an message whose sender you do not recognize. You should not open attachments unless you can verify the contents and be sure that it is safe to open them. 15. Do Not Allow Unsecured Instant Messenger Clients on your Avid System For example, Yahoo, AOL, MSN. These instant messaging clients might cause your network to be vulnerable from outside attack. 16. Use Only Licensed Software Do not use freeware or shareware. Make sure that you have valid Microsoft licenses and that you are not duplicating licenses. You must have a valid license for all licensable software that you install on your computers. Never copy or duplicate licensed software, except as explicitly allowed in the license terms and conditions.

6 Page 6 of Develop a Backup Strategy. Create images of your workstations. You should also test restoring the image. Avid provides Product Recovery CDs for our server products. Recovery: what to do if a virus infects you Develop a procedure to follow if infected by a virus. A clear and concise cleanup procedure, created with input from all teams involved in the process, will help everyone do their jobs efficiently. The effort will include personnel from the help desk, messaging, Web server administration, server operations, workstation operations and other work groups. The following steps may be helpful in this plan. If a Virus is detected: Isolate it by removing the affected computer from the network immediately Inform your Network Administrator and other staff Get the latest profile/patch from the Anti-Virus provider and apply it ( Scan all other computers for viruses to ensure there are no other infections If this is not successful, restore the backup or recovery image to the affected computer For more detailed information see this article Appendices 1. Suggestions for Setup and Configuration of Antivirus Software 2. Institution of Policies 3. Information about Viruses 1. Suggestions for Setup and Configuration of Antivirus Software: Antivirus software should be installed on any system that is connected to a corporate network, connected outside to an online provider, or interconnected to others that have access to the corporate network or other outside access. This pertains to servers (File Manager, PortServer, Media Server, Media Manager, Transfer Manager, ProEncode) and clients (Editors, Media Browse, inews, Graphics stations, etc). During the installation of Norton Antivirus it is imperative that you pay particular attention to a few options: Deselect Auto-Protect. This will scan all newly created and copied files. This can slow performance down considerably. Deselect Enable weekly scans of hard drives.. This could take place at inopportune time affecting critical tasks. Disable Live update. NOTE: You can have Live update enabled, but you must be sure to schedule it at a time when you are certain the systems will not be utilized for critical activity during that period. The risk is that an important task will have to contend for resources when an automatic Live Update occurs and cause a performance bottleneck. Your IT Department might want to determine the schedule of updating your virus definitions. Performance of Avid s Shared storage solutions can be adversely affected by outside factors. For example, one can cause performance degradation if you configure certain Antivirus software parameters improperly. Specifically, if you enable the software to perform real-time scanning, or Auto protect, the antivirus software

7 Page 7 of 8 will search through all local, network, and shared storage. Avid Unity disk arrays can be very large and therefore a misconfigured antivirus application could continuously scan for problems and viruses. This could result in increased CPU/memory utilization, disk I/O traffic, and lost performance on the editing clients as well. Appendix 2. Institution of Policies While following the guidelines outlined earlier it is critical to protect your broadcast network from infection, some of the responsibility must be passed on to users to keep the system free from infection. To this end, Avid recommends that the following policies are enforced by the IT department and followed by all users of Avid Broadcast products. 1. Perform a complete system scan of any machine before attaching it to the same network as any Avid equipment. 2. Perform a complete scan of any material on Floppy, Zip or other external media before copying it to, or running it on, any on-air Avid product. 3. Do not copy material to an Avid product that is used in 24/7 operation. As scheduling virus scanning of these components can be difficult, material should only be transferred during maintenance periods. 4. Do not download files directly from the Internet on any Avid on-air machine. Appendix 3. Information about Viruses 3.a Sources of Viruses In order to protect your facility against viruses, it is first important to understand how computer systems can get infected. The most common sources of infection are summarized below. 1. External Media Media is very commonly brought into Avid Broadcast facilities through an external medium such as a floppy disk, Zip disk, or an external drive. All Avid Broadcast media is scanned for viruses as part of the delivery of Gold Release candidates prior to manufacturing. This assures that the.iso image is virus free for manufacturing and distribution. Avid Broadcast media not distributed by manufacturing is at risk and should be scanned prior to loading on an Avid Broadcast product. 2. Internet Files downloaded from the Internet or are always at risk of being infected. This is the most common source of viruses that can get introduced into a Avid product. 3. Networked PC s Avid products are commonly networked with other PC s in a broadcaster s facility. This can be a risk for infection as some viruses spread machine to machine. 3.b Types of Viruses A computer virus is a computer program that is written by a malicious author. They spread by copying themselves, then transferring on to other computers. There are around 53,000 computer viruses in existence, with a new one detected every 18 seconds. A computer virus can do anything from popping up a short message to wiping key files so your computer doesn't work

8 Page 8 of 8 Worms A worm virus spreads via computer networks. The ILOVEYOU virus above was a classic example of a worm. These viruses are becoming an increasing threat as a growing number of computers are permanently connected to networks. Worms can spread over corporate networks or via s sent over the Internet. Trojan horse A Trojan horse virus takes its name from a story in Homer's Iliad where Greek soldiers pretended to make peace with their enemies, the Trojans. The Greeks made a grand peace-keeping gesture the gift of a large wooden horse. When the Trojans hauled it inside their city gates, a small band of Greek warriors leapt out. They opened the gates and let the rest of the Greek army storm in to capture the city. A Trojan horse virus is one that opens your computer up to malicious intruders, allowing them to read your files. File Viruses A file virus is one that replaces a key system file on your computer. These viruses can reload themselves every time you start your computer. Once they're in the memory, they can spread by writing themselves to any disk you insert into your disk drive. Boot Sector Viruses This is an early type of computer virus that spreads by hiding itself in an invisible location on your hard drive or floppy disk. When your computer reads an infected floppy disk, the virus is copied from the disk to your computer's memory. From there, it writes itself to the 'boot sector on your hard drive. The boot sector is read each time you turn your computer on. So the virus is constantly reloaded and can copy itself on to other floppy disks. These viruses are fairly rare nowadays, as they are easy to catch. Macro-Viruses A macro-virus infects word processor files, such as Microsoft Word documents. Although not as dangerous as other viruses, they can spread quickly if a Word file is sent via . After an initial scare, Microsoft added protection into later versions of Word, so you receive a warning about infected documents. Hoaxes The virus hoax came about after friends sent each other s about a new virus threat. Someone decided that they could cause just as much trouble by sending out fake warnings rather than real viruses. Hoaxes may seem harmless, but they do a great deal of damage to the Internet as a whole. Not only do they slow down traffic and clog up servers, but they also cause people to panic. Companies can spend money and time investigating what is just someone's idea of a joke.

Microsoft Service Pack and Security Bulletin Support Addendum

Microsoft Service Pack and Security Bulletin Support Addendum to the Avid Security Guidelines and Best Practices document (Last updated 02/28/17) What s New? 1. Support announced for February s security