5.6 PC with Windows 95

Description

A typical PC with the operating system Windows 95 is considered. This PC should not be networked. The PC has a floppy disk drive, a removable or hard disk, a CD-ROM and possibly a mouse. If available, a printer is to be directly connected to the PC. The basis for further considerations is that multiple users will be using this PC.

The following fundamental considerations should also be taken into account:

Essential security properties of Windows 95 can be put into effect only in a server-supported network. If a non-networked Windows 95 computer is operated locally, multi-user operation should be avoided as long as important functions such as control of rights or protocols can still be carried out without the aid of PC security products. The same considerations must be taken even with a single user if this user is to be restricted by an administrator via the system guidelines, as this would actually result in multi-user operation.

Conclusion: A non-networked Windows 95 computer should only have one user who should not be restricted. Restriction of a user is only wise if this eases navigation of the system or if faulty operation can thereby be ruled out. If multi-user operation must nonetheless be implemented, then, for reasons of security, this is only wise in combination with a PC security product. 95

Threat Scenario

For IT-baseline protection of a PC with Windows 95, the following typical threats will be considered:

Force Majeure:

• T 1.1 Loss of personnel
• T 1.2 Failure of the IT system
• T 1.4 Fire
• T 1.5 Water
• T 1.8 Dust, soiling

Organisational Shortcomings:

• T 2.1 Lack of, or insufficient, rules
• T 2.7 Unauthorised use of rights
• T 2.9 Poor adjustment to changes in the use of IT
• T 2.21 Inadequate organisation of the exchange of users
• T 2.22 Lack of evaluation of auditing data
• T 2.36 Inappropriate restriction of user environment

Human Failure:

• T 3.2 Negligent destroying of equipment or data
• T 3.3 Non-compliance with IT security measures
• T 3.6 Hazards posed by cleaning staff or outside staff
• T 3.8 Improper use of the IT system
• T 3.16 Incorrect administration of site and data access rights
• T 3.17 Incorrect change of PC users
• T 3.22 Improper modification of the registry

Technical Failure:

• T 4.1 Disruption of power supply
• T 4.7 Defective data media
• T 4.23 Automatic CD-ROM-recognition
• T 4.24 File name conversion when backing up data under Windows 95

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.4 Theft
• T 5.9 Unauthorised use of IT systems
• T 5.21 Trojan Horses
• T 5.23 Computer viruses
• T 5.43 Macro viruses
• T 5.60 By-passing system guidelines

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

In the following the safeguard group "PC with Windows 95" is presented. The fundamental considerations at the beginning of the chapter (see above) should be observed. The safeguards are divided into the following categories:

• Basic safeguards (essentially, these are the same as for chapter 5.1 DOS-PC),
• Safeguards for multi-user operation,
• Restrictions and
• usage in the network

The following basic safeguards need to be implemented:

Infrastructure:

• S 1.29 (3) Adequate siting of an IT system (optional)

Organisation:

• S 2.3 (2) Data media control
• S 2.4 (2) Maintenance/repair regulations
• S 2.9 (2) Ban on using non-approved software
• S 2.10 (2) Survey of the software held
• S 2.13 (2) Correct disposal of resources requiring protection
• S 2.22 (2) Escrow of passwords
• S 2.23 (3) Issue of PC Use guidelines (optional)
• S 2.24 (3) Introduction of a PC Checklist booklet (optional)

Personnel:

• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures

Hardware/Software:

• S 4.1 (1) Password protection for IT systems
• S 4.2 (1) Screen lock
• S 4.3 (2) Periodic runs of a virus detection program
• S 4.4 (2) Locking of floppy-disk drive slots (optional)
• S 4.30 (2) Utilisation of the security functions offered in application programs (optional)
• S 4.44 (2) Checking of incoming data for macro viruses
• S 4.56 (1) Secure deletion under Windows NT and Windows 95
• S 4.57 (2) Deactivating automatic CD-ROM recognition
• S 4.84 (1) Use of BIOS security mechanisms

Contingency Planning:

• S 6.20 (2) Appropriate storage of backup data media
• S 6.21 (3) Backup copy of the software used
• S 6.22 (2) Sporadic checks of the restorability of backups
• S 6.23 (2) Procedure in case of computer virus infection
• S 6.27 (3) Backup of the CMOS RAM
• S 6.32 (1) Regular data backup
• S 6.45 (1) Data backup under Windows 95
• S 6.46 (1) Creating a start-up disk for Windows 95

If many users work on the Windows 95 computer, administration of the computer and division of users is essential. In this case, the following safeguards for multi-user operation must additionally be implemented:

Organisation:

• S 2.26 (1) Designation of an administrator and his deputy
• S 2.63 (2) Establishing Access Rights
• S 2.103 (1) Setting up user profiles under Windows 95

Personnel:

• S 3.10 (1) Selection of a trustworthy administrator and his substitute
• S 3.11 (1) Training of maintenance and administration staff
• S 3.18 (1) Log-out obligation for PC users

If particular user-specific restrictions are to be provided in the user environment, the following safeguards must be deployed (Safeguards S 2.64 and S 2.65 are only effective in connection with S 4.41 or S 4.42):

Organisation:

• S 2.64 (2) Checking the log files
• S 2.65 (1) Checking the efficiency of User separation on an IT System
• S 2.66 (2) The importance of certification for procurement
• S 2.104 (1) System guidelines for restricting usage of Windows 95

Hardware/Software:

• S 4.41 (1) Use of a suitable PC security product
• S 4.42 (2) Implementation of security functions in the IT application (optional)

If the PC with Windows 95 is merged in a network, then, additionally, the following measure is necessary:

Hardware/Software:

• S 4.74 (1) Networked Windows 95 computers

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000