The Restricted Data Environment: Issues Relating to Network-Connected Clients
Last change: September 7, 2007
The most secure (and by far the easiest to manage) environment for using restricted data files is a standalone workstation: a computer with no network or dial-in/out connectivity. In some instances, however, a researcher needs to use her/his workstation on a local-area or wide-area network: for example, to reach an e-mail server or a library catalog server, or to take part in an inter-institution collaboration.
This document suggests procedures for improving restricted data file security and integrity in a network-connected workstation environment. Restricted data applicants should be aware that maintaining security in a network environment is complicated and can require considerable technical skill and experience. Before formulating a restricted data plan that requires a network environment, be sure to consult your local network administrator.
| Important Note: Windows Vista is not approved for use with HRS restricted data products. We plan to review Vista as soon as its first service pack is released. At that time we will provide recommendations on how to use the security enhancements of the new OS to maintain respondent confidentiality. |
Step 1. Visit HRS Restricted Data: Overview. This Web site provides background information for researchers who wish to obtain access to Health and Retirement Study restricted data. Be sure to review Developing a Data Protection Plan.
Step 2. Think carefully about whether or not you really need network access. Modern personal computers and workstations are capable of supporting all but the most esoteric and complex statistical software routines. In addition, the plummeting cost of disk storage space makes it possible to maintain large (multi-gigabyte) data structures on a local machine rather than a network server. It may well be that you do not need any network resources to analyze your restricted data. The preferred environment for analysis of restricted data is a standalone workstation.
Step 3. Do some research on security issues relating to your workstation. Begin by consulting your network administrator to determine the security strengths and weaknesses of the network. It would also be useful to review one or more of the security references listed at the end of this section. Remember that a workstation (Windows XP, Macintosh OS X, or Linux/Unix) is really a multiple-user system with one user: you. You are the system administrator for your workstation, so you will need at least a rudimentary knowledge of system management: password management, system backups, emergency recovery procedures, printer installation and management, security reviews, anti-virus/anti-adware software installation, local firewall configuration, and intrusion detection.
Step 4. Limit access from the network to the workstation. The goal of this step is to reduce the attack surface by minimizing the exposure of local workstation resources to the network.
Access limitation should include, but not be limited to the following actions:
- Talk with your system administrator about configuring your system so that you work as an ordinary user rather than as an administrator; malicious code that runs under your account then inherits only your privileges.
- Remove or limit domain-user authentication to the workstation. Example: if a Windows XP workstation has a trust relationship with the network Primary Domain Controller, users other than the workstation’s owner may be able to log in and use workstation resources. Make sure that even if you can log in as a domain user, other domain users cannot log in to your workstation.
- Make sure that local workstation resources are not shared across the network. Example: Windows XP supports sharing of local folders with other users on the network. If permissions on these folders are not set properly, folder contents could be accessed by unauthorized users. In a Unix environment make sure that none of the workstation’s filesystems are exported to other hosts (for example via NFS or Samba).
- If other people must use this workstation (a bad thing), you will need to review directory and file permissions as well as encryption procedures in order to ensure that restricted data areas are protected. These users will also need to sign the Supplemental Agreement with Research Staff for Use of HRS Restricted Data.
- Disable all Internet services on the workstation. This means that your workstation should not be acting as a Web server, FTP server, or peer-to-peer network node. It should also not support inbound telnet connections, UUCP connections, remote desktop connections, or network services such as RPC and NFS.
- Disable any type of Web-active software that sends information about you and your local machine back to a central server (see Step 6, below).
- Disable Voice Over IP (VOIP) software (Skype or Vonage or ...).
- Disable any type of peer-to-peer network/media-sharing software (BitTorrent, eDonkey, Gnutella, Kazaa, iMesh, LimeWire, Soulseek, ...) that may be running on your workstation. Do not use social networks such as Facebook or MySpace.
- Keep your e-mail and instant messenger clients updated to minimize the possibility that they might provide an avenue for intrusion. Don't open attachments e-mailed to you from unknown sources. In fact, don't open any attachment unless you are absolutely sure of what it contains.
- If you are using a Web browser, make sure that you limit the ability of Web servers to launch applications on your workstation. If you are using Firefox/Mozilla/Netscape, disable Java, JavaScript, and auto-install unless one of these features is absolutely required. If you are using Internet Explorer, make sure that ActiveX controls are not launched. You should also avoid downloading plug-ins. Browser security options should be set to their most secure level. For example, Internet Explorer allows you to set the security level for unknown Internet sites to "High", limiting execution of active content.
- Disable other forms of connectivity. If you have a modem attached to the workstation for FAX or dial-out use, disable it during the period when you are working with restricted data. Do not use the network printer; instead use a local printer that is not shared over the network.
- Choose an approved workstation operating system: Windows XP, Mac OS X, or any flavor of Unix, including Linux.
When properly configured, Windows XP Professional is approved for use with HRS restricted data in both standalone and networked modes. If you wish to use a Windows XP Professional client as part of a domain, be sure to review your use of Encrypting File System services with your network administrator, since domain policy can designate data recovery agents who are able to decrypt your files. If you have questions on this issue, contact HRS Restricted Data Technical Support.
- If your workstation is running any version of the Windows OS earlier than XP, it should be updated. Since Windows NT is no longer supported by Microsoft, data protection plans that specify its use are not approved. It is not possible to maintain a secure environment when using MS-DOS-based versions of Windows (ME/98/95); these operating systems are not approved for use with HRS Restricted Data.
- Do not use Web services such as Google Desktop (or Yahoo Toolbar or, even worse, fake spyware toolbars) that may expose your local resources to external users.
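As an added example (not part of the HRS guidance), the following POSIX shell script checks a Unix, Linux or Mac OS X workstation for two of the exposures listed above: network services listening on addresses other than loopback, and filesystems exported over NFS. It reads the text that `netstat -an` and `/etc/exports` produce; the samples embedded in it are constructed, not captured from a real machine, and the function names are this example's own. It also accepts the narrower `netstat -an` format that Windows XP prints, if that output is pasted into a Unix shell.

```shell
#!/bin/sh
# Workstation exposure audit: added example, not part of the HRS
# guidance.  It reports every TCP socket in LISTEN state bound to a
# non-loopback address (reachable from the LAN), and every filesystem an
# exports(5) file hands out over NFS.  Live use on Unix/Linux/Mac OS X:
#     netstat -an | exposed_listeners
#     nfs_exports < /etc/exports
# The same filter accepts the format Windows XP's "netstat -an" prints
# (proto, local address, foreign address, state) if pasted into a shell.

# exposed_listeners : filter netstat -an text on stdin down to
# "proto local-address" for each listener reachable from the network.
exposed_listeners() {
  awk '
    tolower($1) ~ /^tcp/ && $NF ~ /^LISTEN/ {
      # Unix netstat: proto recv-q send-q local foreign state (>= 5 fields)
      # Windows netstat: proto local foreign state (4 fields)
      addr = (NF >= 5) ? $4 : $2
      # Sockets bound only to loopback cannot be reached from the LAN.
      if (addr ~ /^(127\.|::1[.:]|localhost[.:])/) next
      print $1, addr
    }'
}

# count_exposed : number of such listeners (0 means nothing reachable).
count_exposed() {
  exposed_listeners | wc -l | tr -d ' '
}

# nfs_exports : exported paths from exports(5) text on stdin, ignoring
# comments and blank lines.  Any output at all is a finding for Step 4.
nfs_exports() {
  awk '!/^[ \t]*(#|$)/ { print $1 }'
}

# Constructed samples (not captured from a real machine).
SAMPLE_NETSTAT_UNIX='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.1.20:45678      192.168.1.1:993         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

SAMPLE_NETSTAT_WIN='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*'

SAMPLE_EXPORTS='# /etc/exports
/home   192.168.1.0/24(rw,sync)

/data   *(ro)'

main() {
  echo "Unix sample, listeners reachable from the network:"
  printf '%s\n' "$SAMPLE_NETSTAT_UNIX" | exposed_listeners
  echo "Windows XP sample:"
  printf '%s\n' "$SAMPLE_NETSTAT_WIN" | exposed_listeners
  echo "NFS exports:"
  printf '%s\n' "$SAMPLE_EXPORTS" | nfs_exports
}

main
```

Every line the first function prints is a service to shut off or rebind to 127.0.0.1, and every path the third prints is an export to remove; on the sample data that is the SSH daemon and the web server (the loopback-only CUPS listener on port 631 is fine), the RPC endpoint mapper and NetBIOS session service on the Windows sample, and both NFS exports. On Windows XP, `net share` lists the folders the workstation is sharing and should show nothing beyond the administrative shares.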
Step 5. Install file and network encryption software. By encrypting restricted data files when they are not in use, you will make it almost impossible for an intruder to view or remove confidential data, even if the intruder is able to access your workstation. Look for software that uses a strong encryption scheme (symmetric key size of 128 bits or more; public/private key size of 1024 bits or more) for file encryption. Be aware that encryption schemes based on 40 or 56 bit key sizes are not secure. Examples of software packages suitable for use in research environments that meet the strong encryption requirement are:
- Best practices for the Encrypting File System: information from Microsoft Support on using EFS in workstation and server environments. Once it is properly configured, EFS allows Windows users to enable encryption for any file or folder that resides on an NTFS partition. Once the encryption property is set for a folder, any file within that folder is automatically protected, and the encryption/decryption process is transparent to the user. That transparency cuts both ways: anyone who logs in as you, and any program running under your account, reads the files in the clear, so EFS does not replace a strong account password and a locked screen. Export and back up your EFS certificate and private key; if the account or its key is lost, the files cannot be recovered.
- PGP (Pretty Good Privacy) is available for all flavors of operating system; contact the PGP Corporation.
- BestCrypt, from Jetico at http://www.jetico.com/: Data encryption packages for Windows and Linux environments.
- Pointsec PC (http://www.checkpoint.com/products/datasecurity/pc/index.html): Provides full-disk encryption plus access control for PCs and laptops.
- SSH Communications Security (http://www.ssh.com): Network communications security using the SSH protocol. There is also an open-source implementation of the protocol: details at http://www.openssh.com/.
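Whichever package you choose, verify that it really protects the file before you delete the clear-text copy. The following POSIX shell script is an added example that is not part of the HRS guidance and does not use any of the packages listed above: it encrypts a file with the openssl command line (assumed to be OpenSSL 1.1.1 or later) using AES-256-CBC with a PBKDF2-derived key, then confirms that decryption reproduces the file byte for byte and that a wrong passphrase does not. The environment variable HRS_PASSPHRASE, the function names and the sample CSV are this example's own.

```shell
#!/bin/sh
# Encrypt-at-rest helper for a restricted-data file: added example, not
# part of the HRS guidance or any package listed in Step 5.  It uses the
# openssl(1) command line (assumed OpenSSL 1.1.1 or later, for -pbkdf2),
# AES-256-CBC (a 256-bit key, above the 128-bit floor in Step 5) with a
# PBKDF2-derived key and a random salt.  The passphrase comes from the
# environment variable HRS_PASSPHRASE (a name chosen for this example),
# never from the command line, where other users could read it with ps.
# The effective strength is still that of the passphrase: the iteration
# count slows guessing but does not replace a long passphrase.

ITER=200000    # PBKDF2 iterations; higher slows passphrase guessing

# encrypt_file PLAIN CIPHER
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
    -pass env:HRS_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_file CIPHER PLAIN  (stderr silenced: "bad decrypt" on a wrong
# passphrase is expected, and the caller judges the result by content)
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -pass env:HRS_PASSPHRASE -in "$1" -out "$2" 2>/dev/null
}

# verify_roundtrip PLAIN : 0 if PLAIN survives encrypt then decrypt byte
# for byte and the ciphertext starts with the "Salted__" magic that
# openssl writes when a salt was used.  Run this before deleting the
# clear-text copy; a file that cannot be decrypted is lost, not protected.
verify_roundtrip() {
  tmp=$(mktemp -d) || return 1
  rc=1
  if encrypt_file "$1" "$tmp/c" && decrypt_file "$tmp/c" "$tmp/p" &&
     [ "$(dd if="$tmp/c" bs=8 count=1 2>/dev/null)" = "Salted__" ] &&
     cmp -s "$1" "$tmp/p"; then
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# wrong_passphrase_fails PLAIN : 0 if decrypting with another passphrase
# does not reproduce PLAIN.  openssl usually reports "bad decrypt", but
# CBC padding can validate by chance (about 1 in 256), so the check is on
# the bytes, not on the exit status.
wrong_passphrase_fails() {
  tmp=$(mktemp -d) || return 1
  rc=1
  if encrypt_file "$1" "$tmp/c"; then
    ( HRS_PASSPHRASE='not-the-passphrase'; export HRS_PASSPHRASE
      decrypt_file "$tmp/c" "$tmp/p" ) || :
    if ! cmp -s "$1" "$tmp/p" 2>/dev/null; then rc=0; fi
  fi
  rm -rf "$tmp"
  return $rc
}

# Demonstration on a constructed file (not real HRS data).
main() {
  work=$(mktemp -d) || exit 1
  printf 'id,age,income\n1001,67,42000\n1002,71,38500\n' > "$work/sample.csv"
  HRS_PASSPHRASE='correct horse battery staple'; export HRS_PASSPHRASE
  if verify_roundtrip "$work/sample.csv" && wrong_passphrase_fails "$work/sample.csv"; then
    echo "round trip ok; wrong passphrase rejected"
  else
    echo "encryption check FAILED"
  fi
  rm -rf "$work"
}

main
```

The same two checks apply to EFS, PGP or BestCrypt: decrypt a copy and compare it with the original before the clear text is removed, and confirm that the file is unreadable without the key. Remember that deleting the clear-text original does not erase it from disk; overwrite it with a secure-delete tool.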
Step 6. Install anti-virus software, anti-adware/malware software, and firewall software. Your Internet connection serves as an excellent delivery system for malicious software: hostile self-replicating programs, "worm" programs such as Netsky.P, and "trojan horse" applications such as BO2K. Although e-mail macro viruses with various payloads are currently in the news, hostile applications can be introduced into your computer system through any open network port. Anti-virus software packages provide an additional line of defense against Internet intrusions.
You should obtain, install, and keep current, an anti-virus software package suitable for your computing environment.
If you plan to use restricted data on a network-connected workstation with Internet access, you must install firewall software on your workstation, configured to block all unsolicited inbound connections. Depending on your local environment, it may also be necessary for you to re-configure your LAN to provide hardware firewall protection. Contact your network manager and HRS for details.
You may wish to visit the following Web sites for more information on anti-virus, anti-spyware, and firewall software products:
HRS Restricted Data Applicants: The anti-virus, anti-adware, encryption, and firewall software (or hardware) that you choose should be documented in your Data Protection Plan.
References:
Bott, Ed and Carl Siechert. Microsoft Windows Security Inside Out for Windows XP and Windows 2000. Redmond, WA: Microsoft Press, 2003. ISBN 0-7356-1632-9.
Bragg, Roberta. Windows 2000 Security. Indianapolis, IN: New Riders, 2001. ISBN 0-7357-0991-2.
Garfinkel, Simson and Gene Spafford. Practical Unix and Internet Security. 2nd ed. Sebastopol, CA: O’Reilly & Associates, 1996.
Lockhart, Andrew. Network Security Hacks. Sebastopol, CA: O’Reilly, 2004. ISBN 0-596-00643-8.
McNab, Chris. Network Security Assessment. Sebastopol, CA: O’Reilly, 2004. ISBN 0-596-00611-X.
Northcutt, Stephen, et al. Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems. Indianapolis, IN: New Riders, 2003. ISBN 0-7357-1232-8.
Russell, Deborah and G.T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O’Reilly & Associates, 1992. ISBN 0-937175-71-4.
Rutstein, Charles B. Windows NT Security. New York: McGraw-Hill, 1997. ISBN 0-07-057833-8.
Strebe, Matthew and Charles Perkins. Firewalls. San Francisco: Sybex, 2002. ISBN 0-7821-4054-8.