DVI System Security Policy

Updated August 13, 2015

To: DVI System Manager
From: Digital Vision Support
Re: Computer and Network Security Standards

Labs lose hours, and even days of productivity because of inadequate computer and network security. More than ever, lab equipment depends on computers in order to function, and many processes require network and internet access. Because of this, it is critical for labs to obtain professional level computer and network security. Malicious software (malware) continues to proliferate, and though most malware is intended to just annoy a computer operator, some is more nefarious and can pose a direct threat to computers or computer networks.

DVI's policy is that labs need to take the following steps to protect your system and maximize your network robustness

1. All labs must have access to a local Information Technology (IT) support person or company that is available to assist them not only during the initial setup, but also guide them through troubleshooting and recovery operations.

2. Restrict use of the DVI Server and Backup Server.

  • Access to the servers should be limited to only the DVIADMIN user.
  • No processes should be run on the DVI Server other than the daily cycling procedure.
  • Processes on the DVI Backup server should be limited to those approved by DVI.

3. Install business versions of a DVI qualified antivirus software on every Windows computer on the network, including the server and backup server.

  • The use of antivirus software designed for home PCs has resulted in important VISION files being locked or deleted.
  • DVI is not responsible for VISION not functioning because of the use of non–business antivirus software.
  • Remember other computers on the network, e.g. accounting, shipping, or digital surfacing devices (including generators, engravers, etc.).
  • Unsecured media such as thumb drives and CDs/DVDs can be the source of malware and should not be introduced to the system.

4. Antivirus software should be set to automatically download updates.

  • Active scanning (real-time protection) on the server, backup server, and machinery interfaces should be turned off due to performance issues. Schedule scans to run only during off/after hours.
  • Active scanning on remotes is recommended.
  • Active scanning should exclude the VISION directory and the DVI system's program directory from its targeted directories.

5. Only use the internet for business related tasks.

  • It is critical to configure your security to allow remote support from DVI to access your system.
  • The server should be limited to DVI directed WebEx or TeamViewer sessions.
  • The backup server should be limited to DVI directed activities such as WebEx or TeamViewer sessions, Opticom ordering, fax services, VISION emailing functions, or the Combobulator.
  • Remotes are especially vulnerable to malware.
    • Do not open links to unknown websites.
    • Do not open email attachments unless you know the person who sent it or are expecting the attachment.
    • Do not download or install software from the internet unless directed by your IT or DVI. This includes apps such as search engine quick links, music players, video players, internet games, and offers to "fix" your security or computer.

6. Make sure that all of your Windows computers have current Microsoft updates installed.

7. The firewall that comes standard with the Windows operating system should be left with its default settings. Additional firewalls should not be set up unless you have an internal IT department.

8. If computers are exposed to malware that cannot be removed by antivirus software, then it is DVI's standard remediation practice to:

  • For workstations:
    • Disconnect the affected machines from the network immediately.
    • Restore to a clean version of Windows.
    • Rebuild the network connections.
  • For servers:
    • Disconnect the affected machines from the network immediately.
    • Determine the most current backup location (local image, removable backup, or web backup).
    • Restore to a clean version of Windows Server.
    • Restore VISION databases and programs.
    • Rebuild network connections.

New servers purchased from DVI are configured to our most current security specifications. Remotes do not come with antivirus software unless requested by the lab. It is up to the lab to install approved antivirus software on remotes. DVI currently recommends and supplies ESET Endpoint Antivirus as the standard antivirus software solution.

Windows Updates

Updated April 24, 2013

To: DVI System Manager
From: Digital Vision Support
Re: Managing Windows Software Updates

The Windows operating system (OS) is a complicated piece of software containing over 50 million lines of code. The probability of something needing to be fixed or improved is therefore high. Regularly updating Windows is not only important but vital to ensuring the health of your computer system and network. Often what is seen as a VISION software issue is resolved once Windows updates are applied.

Important, Recommended, and Service Pack Updates

Important:

These updates include Critical and Security updates:

  • Critical updates fix major software bugs. These are not used to fix minor annoyances, but address issues that could render your system unusable.
  • Security updates patch weaknesses in the OS that can be used to exploit the computer. These exploits are continuously found and are used by individuals to insert malware. Antivirus software alone will not fix these problems.

Ignore important updates at your peril. DVI is not responsible for issues stemming from not installing important updates.

Recommended:

Theses updates add functionality. This includes new software, additional features, and device drivers. Recommended updates are not mandatory but increase the usability of software and devices installed on the system.

Service Packs:

These are updates grouped together into one installable package. They usually include all previous updates plus new updates. Service packs have also been used by Microsoft to add major new functions or features. The last service pack for Windows XP is SP3. Windows XP has been discontinued so service packs will no longer be released. Windows Vista is on SP2. As of this writing Windows 7 is currently on SP1, and Windows 8 does not have a service pack associated with it. Make sure that the lab's versions of Windows show the latest service pack.

Update Schedule

Microsoft releases software updates every second Tuesday of the month. These can include important and recommended updates. However, Microsoft also releases important updates as the need arises, for instance when a new exploit could harm a computer system or network.

Updates by Computer Type

Servers, Combobulators, and Machine Interfaces (MIX):

The recommended setting for updates on these computers is to download the updates but not install them immediately. Constant use of VISION servers, MIXes, and the Combobulator prevents updates from being applied during the work day unless scheduled beforehand. Updates can take anywhere from two to thirty minutes. Updates might also require the computer be restarted. It is therefore advised that updates are installed after closedown or during a scheduled break (lunch, shift change, maintenance, etc.).

Never, under any circumstances, halt an update once it has begun! This may result in the OS being critically damaged. If it seems that the update is taking longer than it should call your IT department or DVI before attempting to stop or reboot the server.

DVI recommends that servers be restarted once a month. This will highlight any hardware issues that a server might have such as a malfunctioning power supply, network interface card, or hard drive. If there is a problem with any of these components it is better to find out in a controlled setting than have something happen in the middle of a work day. Contact your IT department or DVI if a problem occurs.

Remotes:

PCs can be restarted without halting production so they can be updated when it is convenient to do so. This is not to imply that updates occur at the end of the month - updates still need to be done as soon as possible. Configuring the PC to download and install Microsoft updates automatically will make sure the system is up-to-date as possible. The default setting of everyday at 3 AM is suitable in most instances.

Labs that have 24 hour work days or are open during weekends will schedule a time to apply updates.

Conclusion

A lab is a busy place and it seems that there is not any time to update computers. However, delaying updates leads to not doing updates at all. Therefore, create an update schedule or plan. Decide when computers need updating and how to do it (automatic or manual updates).