锘匡豢<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname; 聽 }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>How to keep your PC or Mac secure</h2> <p>Did you know that even if your PC for Mac has up-to-date patches, the latest anti-virus and runs a local firewall, it can still be infected?</p> <p>When computers are used for personal rather than professional use, the chance of infections and other security incidents increases - movies, games, music and other personal applications all have associated risks.</p> <p>If you manage your own computer or have installed your own applications, you are responsible for keeping the software secure:</i></p> <ul> <li>Ensure that the system and applications are securely configured;</li> <li>Ensure you have sufficient knowledge of the software you are installing or configuring;</li> <li>Ensure the software is permitted by <a href="/rules/en/index.shtml">CERN's restrictions on software for personal and professional use</a>;</li> <li>Ensure that <a href="#l1">security patches are regularly applied</a> - this may require upgrading to later versions;</li> <li><a href="#l2">Run an up-to-date anti-virus software;</a></li> <li><a href="#l3">Tighten your local firewall;</a></li> <li><a href="#l4">Don't download, install or run software from non-trusted sources</a>, e.g. via the Internet or physical media such as DVDs or USB sticks;</li> <li><a href="#l5">Hit "ALT-F4"</a> (instead of "Cancel", "OK" or "No") to close unexpected dialogue boxes;</a></li> <li><a href="#l6">Limit the usage of administrator privileges</a> and the number of users authorised to access the system to a minimum;</li> <li><a href="#l7">Lock Your Screen</a>.</li> </ul> <p>Here's some advice to help keep your PC secure. Although useful for all platforms, this advice is particularly targeted to Windows users.</p> <h4><a name="l1"></a>Enable Automatic Installation of Updates</h4> <p>A lot of security problems are caused by software which do not have the latest updates installed. Most software can install updates automatically. Ensure that the software installed has this feature enabled.</p> <ul> <li>For Windows PCs, ensure that <b>"Windows Update"</b> is enabled and runs on a regular basis;</li> <li>For Linux PCs, make sure that <a href="http://cern.ch/linux/scientific5/docs/softwaremgmt.shtml#sysconfenable"><tt>yum autoupdate</tt></a> (Redhat/SLC) or <tt>apt-get autoupdate</tt> (Debian/Ubuntu) is enabled and runs on a regular basis;</li> <li>For Apple Macs, use the software update mechanism which is accessible under the Apple menu.</li> </ul> <p>If you prefer passing this responsibility: Use CERN's recommended and centrally managed systems for <a href="https://cern.ch/winservices/">Windows PCs/laptops</a> or <a href="http://linux.web.cern.ch/linux"/>CERN Scientific Linux (SLC) PCs</a>. For the private usage/usage at home, the Windows operating system can be obtained <a href="https://winservices.web.cern.ch/winservices/Help/?kbid=100190">here</a> at decent costs.</p> <h4><a name="l2"></a>Run Anti-Virus Software which is Automatically Updated</h4> <p>Many new new viruses appear each day. <b>CERN's centrally managed NICE PCs are equipped with anti-virus software and are automatically updated to limit damage from known viruses.</b> If a virus is discovered, the anti-virus software will notify you, and prevent it from running (by placing it in quarantine). You should continue to work normally, as the anti-virus service will be automatically informed and will contact you if any further action is required. Occasionally, the anti-virus software cannot completely prevent damage, so if you do experience problems contact <a href="mailto:helpdesk@cern.ch">helpdesk@cern.ch</a> (tel: 78888),&nbsp; with the name of your PC, details of the error message and problem, and request a virus check.</p> <p>Anyone managing their own Windows PC or Apple Mac is responsible for obtaining, installing and keeping their anti-virus software up-to-date. This applies to all PCs on the CERN network, including those of visitors. A free version for installation at CERN and home is available here for <a href="https://devices.docs.cern.ch/pss/eset-mac/">Apple Mac</a> and <a href="https://devices.docs.cern.ch/pss/eset-windows/">Microsoft Windows</a>. An open source option exists for Linux users in <a href="https://www.clamav.net/">ClamAV</a> for scanning for malicious files on your system, although it is not a full Antivirus solution. Regularly updated anti-virus software is particularly important for portable PCs which are used at other locations and connect to other Internet Service Providers since they bypass CERN's security protections. This not only increases their own chance of infection, but places the whole CERN site at risk, since once infected, they can spread an infection from inside our firewall.</p> <h4><a name="l3"></a>Tighten your local firewall</h4> <p>An additional simple way to protect your computer from intrusion is to use a local firewall blocking all unnecessary, unsolicited or unwanted connections which could potentially be used to damage your computer or to steal your personal data. Such a firewall comes for free with Windows and with any Linux distribution.</p> <p>The Windows firewall is already turned on by default. However, you can check this from the Start-Button (go to "Control Panel", then "Security Center" and finally "Firewall"). In the ideal case, this should look like this:</p> <p><center><img border="0" src="/recommendations/images/firewall_windows.png" width="90%"></center></p> <p>With the default setting, Windows firewall will block most programs to prevent unsolicited requests and a window like the right-one above will be displayed. If you decide to unblock it, this program will be added to the exceptions (listed under the "Exceptions" tab on the left picture).</p> <p>For Scientific Linux CERN (or Fedora Linux/CentOS/RHEL and similar linux versions), please use the graphical user interface and select the "Firewall" configuration from "Administration" submenu of the "System" menu (see left image below), or type <tt>sytem-config-firewall</tt> from the terminal. You will be asked for system administrator credentials in order to be able to use this application. Following configuration interface will be shown:</p> <p><center><img border="0" src="/recommendations/images/firewall_slc.png" width="90%"></center></p> <p>By default your system firewall is preconfigured to allow ssh incoming connections and AFS distributed file system access (see under "Other Ports").</p> <p>If you are expert enough and prefer using the command line, note that the firewall setup is stored in <tt>/etc/sysconfig/iptables</tt> file. Details on how the <tt>iptables</tt> are configured can be found in the <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html">Red Hat Enterprise Linux Security Guide</a>.</p> <h4><a name="l4"></a>Do Not Download, Install or Run Software from Non-trusted Sources</h4> <p>(Non trusted sources in this respect include the Internet, USB sticks, CDs, DVDs, etc.)</p> <p>A growing number of computer security incidents detected at CERN are due to software downloaded, installed, or run from untrustworthy sources. Viruses are often hidden inside files. When you copy and run a file containing a virus, you can infect not only your own PC, but can start to spread a virus inside CERN's firewall. "Free software" does not necessarily mean "Friendly software": Some of the popular "free" software available on the Web can introduce security problems, either at the time the software is installed (e.g. by adding spyware/adware) or later through lack of updates to close security holes. In particular, there is some "free" anti-virus software advertised on the Internet, which an contain malicious software. This form of "social engineering" hides malicious software inside a security package to make you think that you can trust it. "Free" versions of copyrighted software often contain Trojan horses, spyware or other malicious software - a problem besides the violation of copyrights. Furthermore, installing browser plug-ins could also download any malicious software that the plug-in might contain. If a Web site requires a plug-in to view it, it is best to avoid using it.</p> <p>In addition to security problems, software installed for personal use often creates support problems. The additional software can make problem analysis more difficult and time consuming and even if the initial installation appears not to impact the correct running of the system, it can cause problems for changes to the system at a later time. Removing additional software may require a complete re-installation of the system from scratch to recover from all changes which were made to the system. Re-installations have been required following the installation of some "free downloads".</p> <p>Therefore, only copy files from trusted sources, such as commercial companies with whom CERN has a software agreement. <b>Software which is not required for a user's professional duties introduces an unnecessary risk and should not be installed</b> or used on computers connected to CERN's networks. Rather install software which is provided centrally for <a href="https://cern.ch/winservices/">Windows</a> or <a href="http://linux.web.cern.ch/linux"/>CERN Scientific Linux</a> computers.</p> <p>For more information about spyware and how to avoid it, see <a href="http://cern.ch/WinServices/Help/?fdid=16">http://cern.ch/WinServices/Help/?fdid=16</a>.</p> <p><div><center> <div id="game-container"><img src="/recommendations/images/spyware.jpg" id="game-link" width="90%"/></div> <script type="text/javascript"> $("#game-link").click(function(){ $("#game-container").load("/recommendations/images/spyware.html"); }); </script> </center> <center> &copy; OnGuard Online</center> </div></p> <h4><a name="l5"></a>[ALT][F4]: Be Cautious of Pop-ups</h4> <p>Visiting a Web site sometimes results in dialogue boxes. Those "pop-ups" may be maliciously configured so that even if you click "Cancel", "OK" or "No" or close the window with the top-right "X", a program could still be executed on your PC.</p> <p>On a Windows PC close the pop-up by pressing the keys [Alt][F4], which closes the "active" window.</p> <h4><a name="l6"></a>Configure to Run Without Administrator Privileges</h4> <p>There are a growing number of "zero-day exploits" & security weaknesses that are discovered before patches become available. With these exploits, simply clicking a web link while you have administrator privileges could automatically install malicious software that infects your PC.</p> <p><b>You are recommended to run without administrator privileges</b> as this restricts the damage malicious software can do. For information on running without administrator rights see: <a href="http://cern.ch/WinServices/Help/?kbid=010121">http://cern.ch/WinServices/Help/?kbid=010121</a></li>.</p> <h4><a name="l7"></a>Lock Your Screen</h4> <p><b>Lock your screen each time you leave your office.</b> For Linux, please use [Control][Alt][L]. From a Windows PC use [Control][Alt][Delete] and select "Lock Computer" (or if you have a Windows keyboard, simply press [Windows][L]). For an Apple Mac, first enable the "Show Status in Menu Bar" flag from the preferences of the application "Keychain Access" and from that menu, the screen can be locked manually or after a defined time when unused:</p> <p><center><img border="0" src="/recommendations/images/screenlock_mac.png" width="90%"></center></p> <p>You are also recommended to auto-lock your screen after e.g. 10 minutes of inactivity. On a Mac, the screen lock is activated in the "System Preferences/Security" (see picture above, right) while the time before auto-sleep is defined under "Energy Saver". For Windows PCs, right-click on the desktop, choose "Properties" and then the tab "Screen Saver". Change this to "Wait 10 minutes" and click the box "On resume, password protect":</p> <p><center><img border="0" src="/recommendations/images/screenlock_pc.bmp" width="90%"></center></p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>For All Users<br/> (Experts or Not)</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li> <li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li> <li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li> <li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li> <li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li> <li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li> <li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li> <li><a href="/recommendations/en/working_remotely.shtml">Working remotely</a></li> <li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li> <li><a href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li> </ul> <h3>For Software Developers</h3> <ul class="sidemenu"> <li><a href="/rules/en/software-development.shtml">Security Checklist</a></li> <li><a href="/rules/en/containers.shtml">Securing Containers</a></li> <li><a href="/rules/en/web-applications.shtml">Securing Web Applications</a></li> <li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li> <li><a href="/recommendations/en/sast.shtml">Static Application Security Testing (SAST) tools</a></li> <li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li> <li><a href="https://lms.cern.ch/ekp/servlet/ekp?TX=FORMAT1&LOTYPE=O&CID=EKP000044483">Developing secure software training</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2025<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>