Security is of paramount importance to the Managed Workstation Service. We recognize that one of the biggest reasons for using a professionally managed computer is to minimize risk to you, your department, and the University. Our service design prioritizes security while still balancing user friendliness.
Security configurations for Managed Workstations
Performing an informal risk assessment is one way to evaluate what an appropriate level of system management might be for your computer.
Managed Workstation provides a base level of workstation configuration and best practices. If the needs of your department differ from that base level, we can work with you to create specific solutions that meet your needs, including higher or lower security levels for some or all of your devices and users.
Here is information on how to conduct your own risk assessment, and the ways one could modify a managed workstation to lower risk. Additionally, you can review the UW CISO’s recommendations about securing laptops.
When considering risk, the following questions can help start the process:
- What are the risks or threats you are concerned about?
- Do you access or store confidential or restricted data?
- Do you or your department have processes dependent on using a specific computer?
- Would someone else logging into a computer potentially have access to data they shouldn’t?
- How likely are those threats or risks?
- What level of risk is acceptable to you and your department?
- What might be the impact and cost should an adverse event occur?
- What might be the impact and cost to implement mitigations to address the risk?
Additionally, there are several sources on campus to help you know and understand your responsibilities and help you consider the risks you face:
- Office of the Chief Information Security Officer
- Internal Audit’s Common Audit Recommendations
- UW Privacy and System Security Council (PASS Council)
- UW computer and data security policies
- UW Data Classification
- APS 2.4 – Information Security and Privacy Roles
- APS 2.5 – Information Security and Privacy Incident Management
- APS 2.6 – Information Security Controls and Operational Practices
- Securing laptops.
If your workstation requirements are very low-risk, you might considering using a device that is not managed by the Managed Workstation Service (MWS). Examples of how MWS can add value to non-MWS devices (Bring Your Own Device, or BYOD):
- Connect via Remote Desktop to your Managed Workstation Service (MWS) desktop for applications and data that should stay on a well-managed system.
- Store non-confidential files on U Drive, or use Google Drive on both your MWS and BYOD devices.
- Use the MWS VPN service to securely connect to campus from off-site locations.
- Install the same anti-virus software MWS uses on your device – it is available from UWare for both UW and personally owned devices.
- Use Chrome browser to have access to your Favorites and share the same Chrome Applications between your devices (Including your MWS workstation).
Here are some of the ways one could modify a MWS workstation or its usage to lower risk that require a low level of effort:
- Enable a password-protected screensaver that locks your computer after 5-10 minutes of inactivity.
- Don’t open attachments in email you aren’t expecting or click links in email. See protecting your email for additional info.
- Periodically perform a full system virus scan by double clicking the Sophos icon in the system tray and then clicking on the “Scan” button.
- Use Chrome, Edge or Firefox instead of (or in addition to) Internet Explorer. Don’t accept offers to install toolbars or other add-ons.
- Minimize the software you install that isn’t available from UWare or Managed Workstation Service (MWS) directly.
- Regularly review the list of applications installed on your system and uninstall anything you don’t use anymore.
- Always use a VPN connection, regardless of your location or device, for UW work.
- Change your UW NetID password regularly and don’t use it for any other accounts.
- Do not use your UW NetID and password on any device which is not well managed. If you do, change your password as soon as possible.
Here are some of the ways one could modify a MWS workstation or its usage to lower risk; these require a medium level of effort:
- Use the most current version of Windows 10 with the most up to date Operating System for better default security.
- If your system has a virus infection, have your system re-imaged instead of trying to “clean” it. It is very difficult to completely remove a virus from a system short of a rebuild.
- Enable BitLocker on all your computers (desktops and laptops). BitLocker encrypts the contents of the hard drive when the computer is off.
- Disable “File and Printer Sharing” to close open ports on your computer; you can still save and print.
- Enable auto-updating in applications wherever available (Acrobat, Reader, Java).
- Move your workstation to a private network, which is not directly accessible from off-campus.
- Do not use USB keys or thumb drives if you can avoid it. If you can’t, make sure they are encrypted and that your antivirus software will always scan them.
- Disable local accounts.
Working with your department, MWS can help design additional security configurations that apply to your computers. Among the possibilities:
- Configure custom and highly restrictive local firewall rules.
- Disable all local accounts automatically.
- Restrict logins and/or remote desktop access to specifically named users on each computer.
- Tightly restrict who has administrative privileges on each computer
- Enhance the monitoring and notifications of potential problems such as missing updates.
- Regularly review system logs to identify suspicious or unknown activity.
- Require two-factor authentication to log into a computer.
- Provide workstation software configurations that are “locked down” and audited for change.
Please contact MWS to arrange for a discussion about what measures may be best suited to your needs.
If you have any questions or would like assistance, please contact Managed Workstation (firstname.lastname@example.org).