An appropriate backup strategy does not exist for the data.
Data integrity and availability are key security objectives. Adequate data backup is one strategy that is crucial to meeting these objectives. Although users of desktop applications may not be creating mission critical data, all their data represents a resource that, if lost, could result in a permanent loss of information or productivity.
A backup strategy is highly dependent on the physical and logical environments. In environments where users frequently operate disconnected from a LAN, as in the case of notebook PC users who travel, it is not generally practical for the users to store all their data on a file server. Developers may require standalone copies of program code while additions or alterations are in progress. For these and other reasons, strict requirements for desktop backup are not addressed in this document. However, this section does provide recommendations that should be considered.
Users should make conscious decisions about the physical location where desktop application data is stored. They should be aware of the backup policy for that location. Any backup policy should be implemented in accordance with the following:
- Mission critical data should be stored on file servers with a formal data backup policy. Storage of mission critical data on desktop machines should be considered temporary.
- To the greatest extent possible, data files should be stored in a directory hierarchy that is separate from program files.
- An incremental, or change-based, backup solution can be used daily.
- A full data backup solution should be used at least weekly.
- Use of a Compact Disk-Recordable (CD-R) or Compact Disk-ReWritable (CD-RW) drive should be considered for desktop machines. CD-R and CD-RW disks provide high capacity at relatively low cost.
- The backup data should be stored on media or another machine that is not physically close to the original data source.
- Backup media should receive proper care according to its characteristics. Regular rotation of tape media is necessary to ensure usability. The media should be clearly labeled, including any appropriate security classification marking.
- Backup tools and schedules should be documented.
- Restoration tools and methods should be documented and they should be tested via restoration at least annually.
Public instant message clients are installed.
Instant Messaging or IM clients provide a way for a user to send a message to one or more other users in real time. Additional capabilities may include file transfer and support for distributed game playing. Communication between clients, and the associated directory services, is managed through messaging servers. Commercial IM clients include AOL Instant Messenger (AIM), MSN Messenger, Yahoo! Messenger, and Skype. The Windows XP operating system includes the Windows Messenger component as an IM client. (This should not be confused with Windows Messaging, which is a service within Windows.)
IM clients present a security issue when the clients route messages through public servers. The obvious implication is that potentially sensitive information could be intercepted or altered in the course of transmission. This same issue is associated with the use of public e-mail servers.
In order to reduce the potential for disclosure of sensitive Government information and to ensure the validity of official government information, IM clients that connect to public instant messaging services will not be installed.
NOTE: Clients used to access internal or DoD-controlled IM applications are permitted.
System Administrator
ECIM-1
Peer to Peer clients or utilities are installed.
File-sharing utilities and clients can provide the ability to share files with other users (Peer-to-Peer Sharing). This type of utility is a security risk because it can lead to the loss of sensitive data and because it broadcasts the existence of a computer to others. There are also many legal issues associated with these types of utilities, including copyright infringement and intellectual property issues. Examples of these utilities and clients include Napster, Gnutella, Kazaa, and Freenet.
NOTE: Clients used to access an internal or DoD-controlled file-sharing system are permitted.
System Administrator
ECSC-1
Execution Restricted File Type Properties
For certain file types, it is necessary to take steps to ensure that the default method of opening the file does not allow mobile code to be executed. Two techniques to achieve this goal are discussed here—altering the default file type Action and deleting the file type definition. Although methods of removing Microsoft’s Windows Script Host (WSH) component might meet most of this requirement, that technique should not be the first choice. It would disable functionality that might be in use for other purposes, and the specific method used would have to be compatible with the Windows File Protection (WFP) feature present in later versions of Windows.
The default Action property can be altered to change the standard default Action from Open to Edit. When this technique is used, instead of executing a program with the file contents as code, an editor is opened with the file contents as a document. For example, for a .vbs file, the Open action may be the command 'C:\WINNT\System32\Wscript.exe "%1" %*' and the Edit action may be the command 'C:\WINNT\System32\Notepad.exe "%1" %*'. Changing the default action to Edit results in a Notepad window opening up instead of the file being executed by the Windows Scripting Host when the .vbs file is opened. For non-technical user communities, an alternative that may be more appropriate is to have the Edit action be the command 'C:\WINNT\System32\Notepad.exe "C:\MC_Warn.txt"', where the file C:\MC_Warn.txt is created locally and contains a warning that the user has attempted to open a potentially dangerous file.
When altering the default file type Action is the technique used, the Always show extension setting adds additional value. This ensures that users can see the file type before attempting to open it.
While the alternate technique of deleting existing Windows file type definitions does provide security, it is not always a more secure long-term solution. During maintenance or product installation, a file type definition that does not exist is usually created, while the properties of an existing file type are usually not overwritten. A deleted definition can therefore reappear, whereas an altered one tends to persist.
Regardless of which technique is used, the significant result is that when an attempt is made to open certain files using default application actions, any code in the file is not executed.
File extensions of certain files should not be hidden. If they are hidden, users can double-click a file without knowing what type of file (or which application) is being opened.
System Administrator
DCMC-1
Open-restricted File Type Properties
For some file types, providing the user an opportunity to cancel the opening of the file provides adequate protection for most environments. Files that are opened with applications that include internal controls on code execution are good candidates for this technique.
The Open Confirmation property, enabled through the Confirm open after download setting, provides a notice to the user that allows them to open the file, save the file to disk, or cancel the file open task. The Always show extension setting adds additional value. This ensures that users can see the file type before attempting to open it.
The Confirm open after download and Always show extension settings give users additional information about a file so that a decision can be made as to whether it should be opened.
The command line tool 'assoc' can be used to determine if a given file type definition exists. For example, on typical Windows systems the command 'assoc .bat' returns '.bat=batfile', indicating that the extension .bat is defined and that the properties are stored in the Windows Registry under the key batfile.
Windows Explorer can be used to manually display and configure the Actions, Always Show Extension, and Open Confirmation properties. In Windows 2000 and XP use the File Types tab of the Tools | Folder Options dialog in Windows Explorer.
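The same properties can be read from the Registry to audit many extensions at once. The following PowerShell is an added example, not part of the original guidance: it resolves each extension to its file type (as 'assoc' does), reads the default Action and its command, and reports whether that command starts a script host. The extension list, the script-host pattern and the function name Get-FileTypeAction are assumptions chosen for illustration; the script only reads the Registry.

```powershell
# Added example (read-only audit); not part of the original guidance.
# Assumptions: the extension list and the script-host pattern are illustrative.
$Extensions  = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$ScriptHosts = 'wscript\.exe|cscript\.exe'
$ClassesRoot = 'Registry::HKEY_CLASSES_ROOT'

function Get-FileTypeAction {
    param([Parameter(Mandatory)][string]$Extension)

    $result = [ordered]@{
        Extension = $Extension; FileType = $null; DefaultAction = $null
        Command = $null; AlwaysShowExt = $false; Finding = 'File type not defined'
    }

    # Step 1: extension -> file type name (the value 'assoc' prints).
    $extKey   = Get-Item -LiteralPath "$ClassesRoot\$Extension" -ErrorAction SilentlyContinue
    $fileType = if ($extKey) { $extKey.GetValue('') }
    if (-not $fileType) { return [pscustomobject]$result }
    $result.FileType = $fileType

    # Step 2: Always show extension is a value named AlwaysShowExt on the file type key.
    $typeKey = Get-Item -LiteralPath "$ClassesRoot\$fileType" -ErrorAction SilentlyContinue
    if ($typeKey) { $result.AlwaysShowExt = $typeKey.GetValueNames() -contains 'AlwaysShowExt' }

    # Step 3: the default Action is the (Default) value of the 'shell' subkey.
    # When it is unset, this audit treats 'open' as the default.
    $shellKey = Get-Item -LiteralPath "$ClassesRoot\$fileType\shell" -ErrorAction SilentlyContinue
    $action   = if ($shellKey) { $shellKey.GetValue('') }
    if (-not $action) { $action = 'open' }
    $result.DefaultAction = $action

    # Step 4: read the command behind that Action and classify it.
    $cmdKey = Get-Item -LiteralPath "$ClassesRoot\$fileType\shell\$action\command" -ErrorAction SilentlyContinue
    $result.Command = if ($cmdKey) { $cmdKey.GetValue('') }
    $result.Finding = if ($result.Command -match $ScriptHosts) {
        'Default action runs the file as code'
    } else {
        'Default action does not call a script host'
    }

    [pscustomobject]$result
}

$Extensions | ForEach-Object { Get-FileTypeAction -Extension $_ } | Format-List
```

An extension reported as "File type not defined" reflects the deletion technique; because installers may define it again, the audit is worth repeating after maintenance or product installation.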
It must be recognized that performing these changes does not eliminate the danger from malicious code. Such code could come from a number of sources and use trigger techniques other than the Windows file type open action. Thus the changes documented here are not a substitute for an anti-virus tool with current definitions.
NOTE: The application of this change affects the behavior of all Windows applications that utilize the affected Registry settings.