Users' Security Handbook
RFC 2504

Document Type RFC - Informational (February 1999; No errata)
Also known as FYI 34
Last updated 2013-03-02
Stream IETF
Network Working Group                                        E. Guttman
Request for Comments: 2504                             Sun Microsystems
FYI: 34                                                        L. Leong
Category: Informational                                   COLT Internet
                                                              G. Malkin
                                                           Bay Networks
                                                          February 1999

                        Users' Security Handbook

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The Users' Security Handbook is the companion to the Site Security
   Handbook (SSH).  It is intended to provide users with the information
   they need to help keep their networks and systems secure.

Table of Contents

   Part One: Introduction . . . . . . . . . . . . . . . . . . . .  2
   1.   READ.ME . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.   The Wires have Ears . . . . . . . . . . . . . . . . . . .  3
   Part Two: End-users in a centrally-administered network  . . .  4
   3.   Watch Out! . . . . . . . . . . . . . . . . . . . .  . . .  4
   3.1.   The Dangers of Downloading  . . . . . . . . . . . . . .  4
   3.2.   Don't Get Caught in the Web . . . . . . . . . . . . . .  5
   3.3.   Email Pitfalls  . . . . . . . . . . . . . . . . . . . .  6
   3.4.   Passwords . . . . . . . . . . . . . . . . . . . . . . .  7
   3.5.   Viruses and Other Illnesses . . . . . . . . . . . . . .  7
   3.6.   Modems  . . . . . . . . . . . . . . . . . . . . . . . .  8
   3.7.   Don't Leave Me... . . . . . . . . . . . . . . . . . . .  9
   3.8.   File Protections  . . . . . . . . . . . . . . . . . . .  9
   3.9.   Encrypt Everything  . . . . . . . . . . . . . . . . . . 10
   3.10.  Shred Everything Else . . . . . . . . . . . . . . . . . 10
   3.11.  What Program is This, Anyway? . . . . . . . . . . . . . 11
   4.   Paranoia is Good  . . . . . . . . . . . . . . . . . . . . 11
   Part Three: End-users self administering a networked computer  14
   5.   Make Your Own Security Policy . . . . . . . . . . . . . . 14

   6.   Bad Things Happen . . . . . . . . . . . . . . . . . . . . 15
   6.1.   How to Prepare for the Worst in Advance . . . . . . . . 15
   6.2.   What To Do if You Suspect Trouble . . . . . . . . . . . 16
   6.3.   Email . . . . . . . . . . . . . . . . . . . . . . . . . 17
   7.   Home Alone  . . . . . . . . . . . . . . . . . . . . . . . 17
   7.1.   Beware of Daemons . . . . . . . . . . . . . . . . . . . 17
   7.2.   Going Places  . . . . . . . . . . . . . . . . . . . . . 19
   7.3.   Secure It!  . . . . . . . . . . . . . . . . . . . . . . 20
   8.   A Final Note  . . . . . . . . . . . . . . . . . . . . . . 20
   Appendix: Glossary of Security Terms . . . . . . . . . . . . . 21
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 31
   References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   Security Considerations  . . . . . . . . . . . . . . . . . . . 32
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33

Part One:  Introduction

   This document provides guidance to the end-users of computer systems
   and networks about what they can do to keep their data and
   communication private, and their systems and networks secure. Part
   Two of this document concerns "corporate users" in small, medium and
   large corporate and campus sites.  Part Three of the document
   addresses users who administer their own computers, such as home
   users.

   System and network administrators may wish to use this document as
   the foundation of a site-specific users' security guide; however,
   they should consult the Site Security Handbook first [RFC2196].

   A glossary of terms is included in an appendix at the end of this
   document, introducing computer network security notions to those not
   familiar with them.

1.  READ.ME

   Before getting connected to the Internet or any other public network,
   you should obtain the security policy of the site that you intend to
   use as your access provider, and read it.  A security policy is a
   formal statement of the rules by which users who are given access to
   a site's technology and information assets must abide.  As a user,
   you are obliged to follow the policy created by the decision makers
   and administrators at your site.

   A security policy exists to protect a site's hardware, software and
   data.  It explains what the security goals of the site are, what